FortiAuthenticator
tino_p
Staff
Article Id 304972
Description

This article describes a solution for the error in FortiAuthenticator: '…Sync rule ... was aborted because LDAP server '...' returned an empty result and enforced empty response is disabled. It is not clear whether this is an expected result or a misconfiguration. Please check your configuration...'

Scope
FortiAuthenticator, LDAP, Authentication.
Solution
  1. Under normal conditions, the remote sync rule in FortiAuthenticator (FAC) periodically checks the LDAP group (configured as an LDAP filter) and syncs its users.

[Screenshots: manually_sync_rule.PNG, test_sync_rule.PNG]
If the LDAP group has a new member (user), FortiAuthenticator will sync it to its database:

[Screenshot: ldap_group.PNG]

The FortiAuthenticator log will show messages such as 'Retrieved users from remote LDAP server...':

[Screenshots: add_user3.PNG, log_sync_rule.PNG, after_sync_rule.PNG]

  2. When FortiAuthenticator shows the message '…Sync rule ... was aborted because LDAP server '...' returned an empty result and enforced empty response is disabled. It is not clear whether this is an expected result or a misconfiguration. Please check your configuration…', it usually indicates that the LDAP group is empty (has no members).

[Screenshot: ldap_group_empty.PNG]

FortiAuthenticator will also show that the sync rule failed:

[Screenshot: error1.PNG]

In conclusion, if there is an error message like the one described in this article, the customer should check the LDAP groups in the AD server.

Workaround:

A possible workaround is to enable the option 'Proceed with rule even when response empty', which enforces the synchronization rule even when the LDAP response is empty.

Use this option with caution; for more information, check the admin guide:

[Screenshot: tempsnip123.png]
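To make the caution concrete, the following is an added Python model of one sync-rule run, not FortiAuthenticator's own code: it compares the default behaviour (abort on an empty LDAP result, leave the database untouched) with the workaround option enabled. It assumes that an enforced run with an empty result removes every user the rule previously synced; the rule and server names are placeholders.

```python
# Added example (not FortiAuthenticator code): model of a remote user sync
# rule run when the LDAP group filter returns no members.
from dataclasses import dataclass, field

# Wording follows the error quoted in the article; rule/server are placeholders.
EMPTY_RESULT_MESSAGE = (
    "Sync rule '{rule}' was aborted because LDAP server '{server}' returned "
    "an empty result and enforced empty response is disabled."
)


@dataclass
class SyncOutcome:
    status: str                 # "aborted" or "completed"
    message: str
    users: set = field(default_factory=set)   # users in FAC after the run


def apply_sync_rule(rule, server, existing_users, ldap_members,
                    proceed_when_empty=False):
    """Model one run of a sync rule.

    existing_users:     users currently in the FAC database from this rule
    ldap_members:       user names returned by the rule's LDAP group filter
    proceed_when_empty: models 'Proceed with rule even when response empty'
    """
    current = set(existing_users)
    retrieved = set(ldap_members)
    if not retrieved and not proceed_when_empty:
        # Default: abort and keep the previously synced users untouched.
        msg = EMPTY_RESULT_MESSAGE.format(rule=rule, server=server)
        return SyncOutcome("aborted", msg, current)
    # Normal run, or enforced run with the option enabled: the FAC database
    # is made to mirror the LDAP group. With an empty result every previously
    # synced user is removed (assumed here; this is why the option needs care).
    added = retrieved - current
    removed = current - retrieved
    msg = (f"Retrieved {len(retrieved)} users from remote LDAP server "
           f"'{server}': added {len(added)}, removed {len(removed)}")
    return SyncOutcome("completed", msg, retrieved)


if __name__ == "__main__":
    # Constructed sample: two users already synced, LDAP group now empty.
    for flag in (False, True):
        out = apply_sync_rule("AD-users", "dc01.example.test",
                              {"alice", "bob"}, [], proceed_when_empty=flag)
        print(f"option={flag}: {out.status}; {out.message}; users={sorted(out.users)}")
```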

Related document:
Remote user sync rules