Ran into this error recently with a remote user sync rule continually failing:
User list returned did not contain Username attribute: sAMAccountName on remote LDAP server MYDOMAIN.COM (10.10.10.20) for sync rule MYDOMAIN-VPNUSERS
In this case the LDAP filter specified a recursive query that looks at a "master" security group whose members are various departmental security groups, which in turn have the user accounts to be sync'd by the FAC.
The issue was that a Contact object was within the specified OU path, and ultimately a member of that master group. After removing it from the incorrect security group the rule synced fine.
The easiest way I found to tell where/what the offending object is:
Alternatively, you would have to adjust your Base DN path and select each OU one at a time, running a manual sync and checking logs to find the sub-OU(s) that are failing and investigate.
Note: There are probably better filters you can use as well to prevent this from happening. I am searching against 'objectClass=person' and was still pulling in that Contact object.
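Added example (my own, not code from the original post or from Fortinet): a small offline model of the failure in Python. It walks nested group membership the way the recursive query does, reports which resolved members pass the filter but lack sAMAccountName, and returns the chain of groups that pulled each one in; it also contrasts the (objectClass=person) filter with (&(objectCategory=person)(objectClass=user)), which AD contact objects do not satisfy. The directory entries, DNs and names are constructed.

```python
from typing import Dict, List, Optional

# Constructed sample directory keyed by DN (not a real dump). As in AD, the
# user and the contact both carry objectClass "person"; only the user has
# objectClass "user" and a sAMAccountName. objectCategory is shortened here.
DIRECTORY: Dict[str, dict] = {
    "CN=VPN-Master,OU=Groups,DC=mydomain,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=Dept-IT,OU=Groups,DC=mydomain,DC=com",
                   "CN=Dept-HR,OU=Groups,DC=mydomain,DC=com"]},
    "CN=Dept-IT,OU=Groups,DC=mydomain,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=alice,OU=Users,DC=mydomain,DC=com"]},
    "CN=Dept-HR,OU=Groups,DC=mydomain,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=Vendor Contact,OU=Users,DC=mydomain,DC=com"]},
    "CN=alice,OU=Users,DC=mydomain,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": "person", "sAMAccountName": "alice"},
    "CN=Vendor Contact,OU=Users,DC=mydomain,DC=com": {  # no sAMAccountName
        "objectClass": ["top", "person", "organizationalPerson", "contact"],
        "objectCategory": "person"},
}

def person_filter(e: dict) -> bool:  # (objectClass=person), as in the post
    return "person" in e["objectClass"]

def user_filter(e: dict) -> bool:  # (&(objectCategory=person)(objectClass=user))
    return e.get("objectCategory") == "person" and "user" in e["objectClass"]

def find_path(root: str, target: str, d: Dict[str, dict],
              path: Optional[List[str]] = None) -> Optional[List[str]]:
    """Walk nested membership like a recursive LDAP query; return the DN
    chain from root down to target, or None if target is not reachable."""
    path = (path or []) + [root]
    for m in d.get(root, {}).get("member", []):
        if m == target:
            return path + [m]
        if "group" in d.get(m, {}).get("objectClass", []) and m not in path:
            found = find_path(m, target, d, path)
            if found:
                return found
    return None

def offending_members(root: str, d: Dict[str, dict], match,
                      attr: str = "sAMAccountName") -> Dict[str, List[str]]:
    """Filtered non-group objects under root lacking attr -> membership chain."""
    return {dn: chain for dn, e in d.items()
            if "group" not in e["objectClass"] and match(e) and attr not in e
            and (chain := find_path(root, dn, d))}
```

Running offending_members over the master group with person_filter names the contact and the departmental group it came through; with user_filter the result is empty, which is the behaviour you want from the sync rule's filter.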
That's a good description of how to troubleshoot and fix this problem where an AD entry missing a required attribute has caused the sync rule to fail.
FYI, the "entire sync operation fails for the rule" behaviour was recently changed / improved. Starting from FAC 5.2.1, we now skip the affected entries and emit log entries with the user, server, and sync rule that encountered the missing attribute.