Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ergotherego
Contributor II

Created on ‎04-12-2018 10:16 PM

Remote User Sync rule error - "did not contain Username attribute: sAMAccountName"

Ran into this error recently with a remote user sync rule continually failing:

 

User list returned did not contain Username attribute: sAMAccountName on remote LDAP server MYDOMAIN.COM (10.10.10.20) for sync rule MYDOMAIN-VPNUSERS

 

In this case the LDAP filter specified a recursive query, that looks at a "master" security group whose members are various departmental security groups, which in turn have the user accounts to be sync'd by the FAC.

 

The issue was a Contact object was within the specified OU path, and ultimately a member of that master group. After removing it from the incorrect security group the rule synced fine.

 

The easiest way I found to tell where/what the offending object is:

[ol]
  • Open the Remote User Sync Rule in question.
  • Click the Test Filter button.
  • Manually expand every OU and sub-OU until you find an object that is greyed out - this object is being matched by your filter but cannot be synced. In this case, because it's not actually a user account object and thus has no account name field.
  • Inside the domain, adjust that account to no longer be a member of that user group hierarchy.
  • Manually Sync the rule and check the logs to ensure it now succeeds.[/ol]

    Alternatively, you would have to adjust your Base DN path and select each OU one at a time, running a manual sync and checking logs to find the sub-OU(s) that are failing and investigate.

     

    Note: There are probably better filters you can use as well to prevent this from happening. I am searching against 'objectClass=person' and was still pulling in that Contact object.

    • 3165
    0 Kudos
    1 REPLY 1
    Jeremy_Browne_FTNT
    Staff
    Staff

    Created on ‎04-16-2018 03:16 PM

    That's a good description of how to troubleshoot and fix this problem where an AD entry missing a required attribute has caused the sync rule to fail.

     

    FYI, the "entire sync operation fails for the rule" behaviour was recently changed / improved. Starting from FAC 5.2.1, we now skip the affected entries and emit log entries with the user, server, and sync rule that encountered the missing attribute.

     

    1422
    0 Kudos
    Announcements
    Check out our Community Chatter Blog! Click here to get involved
    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2025 Fortinet, Inc. All Rights Reserved.