ergotherego
Contributor II

Remote User Sync rule error - "did not contain Username attribute: sAMAccountName"

Ran into this error recently with a remote user sync rule continually failing:

User list returned did not contain Username attribute: sAMAccountName on remote LDAP server MYDOMAIN.COM (10.10.10.20) for sync rule MYDOMAIN-VPNUSERS

In this case the LDAP filter specified a recursive query that looks at a "master" security group whose members are various departmental security groups, which in turn have the user accounts to be synced by the FAC.

The issue was that a Contact object was within the specified OU path and was ultimately a member of that master group. After removing it from the incorrect security group, the rule synced fine.

The easiest way I found to tell where/what the offending object is:

1. Open the Remote User Sync Rule in question.
2. Click the Test Filter button.
3. Manually expand every OU and sub-OU until you find an object that is greyed out - this object is being matched by your filter but cannot be synced. In this case, because it's not actually a user account object and thus has no account name field.
4. Inside the domain, adjust that account to no longer be a member of that user group hierarchy.
5. Manually Sync the rule and check the logs to ensure it now succeeds.

Alternatively, you would have to adjust your Base DN path and select each OU one at a time, running a manual sync and checking logs to find the sub-OU(s) that are failing and investigate.

Note: There are probably better filters you can use as well to prevent this from happening. I am searching against 'objectClass=person' and was still pulling in that Contact object.

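The same hunt can be done from the AD side instead of expanding OUs in the Test Filter view. The PowerShell below is an added example, not code from the original post or from Fortinet: it runs the recursive-membership query the post describes against the sync rule's Base DN and lists every matched object that has no sAMAccountName (the ones the FAC greys out), together with the groups it sits in directly, then reruns the search with a tighter filter to show those objects drop out. It needs the ActiveDirectory module (RSAT); the server name comes from the post's log line, while the Base DN and master group DN are assumed placeholders to replace with your own.

```powershell
# Added example (not from the original post or from Fortinet): locate AD objects that a
# FortiAuthenticator remote user sync rule would match but cannot sync because they lack
# sAMAccountName, and compare the post's filter with a tighter one.
Import-Module ActiveDirectory

$Server    = 'MYDOMAIN.COM'                                # from the post's log line
$BaseDN    = 'OU=Users,DC=MYDOMAIN,DC=COM'                 # assumption: the rule's Base DN
$MasterGrp = 'CN=VPN-Master,OU=Groups,DC=MYDOMAIN,DC=COM'  # assumption: the "master" group

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes memberOf transitive,
# so users in the nested departmental groups match, as in the post's recursive filter.
$Chain = "memberOf:1.2.840.113556.1.4.1941:=$MasterGrp"

# Filter as described in the post. objectClass=person also matches contact objects,
# because the AD contact class inherits from person.
$LooseFilter = "(&(objectClass=person)($Chain))"

# Tighter filter: objectClass=user excludes contacts, objectCategory=person excludes
# computer accounts (which are also of class user), and sAMAccountName=* excludes
# anything that still lacks the attribute the sync rule requires.
$StrictFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*)($Chain))"

function Get-UnsyncableObjects {
    param([string]$Filter)
    $params = @{
        Server      = $Server
        SearchBase  = $BaseDN
        SearchScope = 'Subtree'
        LDAPFilter  = $Filter
        Properties  = 'sAMAccountName', 'objectClass', 'memberOf'
    }
    Get-ADObject @params |
        Where-Object { -not $_.sAMAccountName } |
        Select-Object DistinguishedName, ObjectClass,
            @{ Name = 'DirectGroups'
               Expression = { ($_.memberOf | ForEach-Object { ($_ -split ',')[0] }) -join '; ' } }
}

'Matched by the loose filter but lacking sAMAccountName (these break the rule):'
Get-UnsyncableObjects -Filter $LooseFilter | Format-Table -AutoSize

'Matched by the strict filter but lacking sAMAccountName (should be empty):'
Get-UnsyncableObjects -Filter $StrictFilter | Format-Table -AutoSize
```

The DirectGroups column shows the departmental group the offending object is a direct member of, which is the membership to remove in step 4 of the procedure above. Whether the FAC accepts the extensible-match syntax in its own filter field is not something this post confirms; at minimum the (objectClass=user) and (sAMAccountName=*) terms can be added to the rule's existing filter.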
Jeremy_Browne_FTNT

That's a good description of how to troubleshoot and fix this problem where an AD entry missing a required attribute has caused the sync rule to fail.

FYI, the "entire sync operation fails for the rule" behaviour was recently changed / improved. Starting from FAC 5.2.1, we now skip the affected entries and emit log entries with the user, server, and sync rule that encountered the missing attribute.
