AWA LDAPSync tool fails with LDAP group could not be found

Document ID : KB000103402
Last Modified Date : 26/06/2018
Issue:
The LDAPSync tool fails with the error:
LDAP group '<LDAP_GROUP>' could not be found. Please check spelling and schema settings, or check user permissions of the user used to search LDAP. If the group was deleted from LDAP, remove the mapping.

Investigation
Run LDAPSync with the option -I TRACE to see the exact search request that is sent to LDAP when the tool looks up group '<LDAP_GROUP>'.

Example:
java -jar ldap-sync-2.1.1.jar -I TRACE -cl "100"

The output shows:
2018-06-25 12:18:21.900 [main] c.a.s.l.s.BaseSynchronizationStep        INFO   Load group mapping from the client config file:

2018-06-25 12:18:21.908 [main] c.a.s.l.s.BaseSynchronizationStep        INFO   | LDAP_ADMINS -> AE_ADMINS
2018-06-25 12:18:21.908 [main] c.a.s.l.s.AESynchronizationStep          INFO   ===== Start sync LDAP_ADMINS -> AE_ADMINS
2018-06-25 12:18:21.908 [main] c.a.s.l.l.LDAPService                    DEBUG  Validate LDAP group exsiting LDAP_ADMINS
2018-06-25 12:18:21.910 [main] c.a.s.l.l.LDAPService                    TRACE  LDAP, isGroupExist MessageType : SEARCH_REQUEST
Message ID : -1
    SearchRequest
        baseDn : 'dc=yournet,dc=global,dc=company,dc=com,dc=yournet,dc=global,dc=company,dc=com'
        filter : '(&(objectclass=group)(cn=LDAP_ADMINS))'
        scope : whole subtree
        typesOnly : false
        Size Limit : no limit
        Time Limit : 30
        Deref Aliases : deref Always
        attributes : 'cn'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@cab700f4
2018-06-25 12:18:21.910 [main] c.a.s.l.l.LDAPService                    DEBUG  Send request to LDAP server
2018-06-25 12:18:21.910 [main] o.a.d.l.c.a.LdapNetworkConnection        DEBUG  Sending request
MessageType : SEARCH_REQUEST
Message ID : 6
    SearchRequest
        baseDn : 'dc=yournet,dc=global,dc=company,dc=com,dc=yournet,dc=global,dc=company,dc=com'
        filter : '(&(cn=LDAP_ADMINS)(objectclass=group))'
        scope : whole subtree
        typesOnly : false
        Size Limit : no limit
        Time Limit : 30
        Deref Aliases : deref Always
        attributes : 'cn'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@cab7874b
2018-06-25 12:18:21.910 [main] o.a.d.l.c.a.LdapNetworkConnection        DEBUG  Adding <6, org.apache.directory.ldap.client.api.future.SearchFuture>
2018-06-25 12:18:21.947 [NioProcessor-2] o.a.d.l.c.a.LdapNetworkConnection        DEBUG  -------> MessageType : SEARCH_RESULT_DONE
Message ID : 6
    Search Result Done
        Ldap Result
            Result code : (NO_SUCH_OBJECT) noSuchObject
            Matched Dn : 'DC=adobenet,DC=global,DC=adobe,DC=com'
            Diagnostic message : '0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
       'DC=yournet,DC=global,DC=company,DC=com'
'
Message received <-------
2018-06-25 12:18:21.947 [NioProcessor-2] o.a.d.l.c.a.LdapNetworkConnection        DEBUG  Getting <6, org.apache.directory.ldap.client.api.future.SearchFuture>
2018-06-25 12:18:21.947 [NioProcessor-2] o.a.d.l.c.a.LdapNetworkConnection        DEBUG  Search failed : MessageType : SEARCH_RESULT_DONE
Message ID : 6
    Search Result Done
        Ldap Result
            Result code : (NO_SUCH_OBJECT) noSuchObject
            Matched Dn : 'DC=yournet,DC=global,DC=company,DC=com'
            Diagnostic message : '0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
       'DC=yournet,DC=global,DC=company,DC=com'
'
2018-06-25 12:18:21.947 [NioProcessor-2] o.a.d.l.c.a.LdapNetworkConnection        DEBUG  Removing <6, org.apache.directory.ldap.client.api.future.SearchFuture>
2018-06-25 12:18:21.947 [main] c.a.s.l.l.LDAPService                    WARN   LDAP group 'LDAP_ADMINS' could not be found. Please check spelling and schema settings, or check user permissions of the user used to search LDAP. If the group was deleted from LDAP, remove the mapping.
 
Cause:
The trace output shows a duplicated baseDn: in client_clientnumber.xml, userDN and groupDN are set to the same value as baseDN, so the tool appends them to baseDN and searches under a DN that does not exist in the directory:
baseDn : 'dc=yournet,dc=global,dc=company,dc=com,dc=yournet,dc=global,dc=company,dc=com'
filter : '(&(objectclass=group)(cn=LDAP_ADMINS))'

userDN and groupDN are only meant to narrow the search to specific nodes; they are relative to baseDN and must refer to nodes located UNDER baseDN, never repeat it.
Resolution:
Clear the userDN and groupDN values in client_clientnumber.xml (e.g. client_100.xml for the client passed with -cl "100" above):

<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
    <Schema baseDN="dc=yournet,dc=global,dc=company,dc=com"
            userDN=""
            groupDN=""
            updateDn=""/>

    <AE userDomain="ADOBENET"
        autoDeactivateUsers="false"/>

    <GroupMappings>
        <map ae="AE_ADMINS" ldap="LDAP_ADMINS"/>
    </GroupMappings>
</Configuration>
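To catch this misconfiguration before running the sync, here is an added pre-flight check (example code written for this article, not part of the AWA LDAPSync tool). It assumes the tool builds its search base by prepending userDN/groupDN to baseDN, which is consistent with the doubled baseDn in the trace above; both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs: the broken one repeats baseDN in userDN/groupDN,
# the fixed one clears them as the Resolution above does.
BROKEN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Schema baseDN="dc=yournet,dc=global,dc=company,dc=com"
          userDN="dc=yournet,dc=global,dc=company,dc=com"
          groupDN="dc=yournet,dc=global,dc=company,dc=com"
          updateDn=""/>
  <GroupMappings><map ae="AE_ADMINS" ldap="LDAP_ADMINS"/></GroupMappings>
</Configuration>"""
FIXED_CONFIG = BROKEN_CONFIG.replace(
    'userDN="dc=yournet,dc=global,dc=company,dc=com"', 'userDN=""').replace(
    'groupDN="dc=yournet,dc=global,dc=company,dc=com"', 'groupDN=""')


def normalize_dn(dn):
    """Lower-case and strip spaces around RDNs so 'DC=x, DC=y' equals 'dc=x,dc=y'."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())


def effective_base(base_dn, sub_dn):
    """Assumed composition rule: a non-empty userDN/groupDN is prepended to baseDN,
    which is what produces the doubled baseDn seen in the TRACE output."""
    base, sub = normalize_dn(base_dn), normalize_dn(sub_dn)
    return f"{sub},{base}" if sub else base


def check_config(xml_text):
    """Return a list of problems in the <Schema> element; an empty list means OK."""
    schema = ET.fromstring(xml_text.encode("utf-8")).find("Schema")
    base = normalize_dn(schema.get("baseDN", ""))
    problems = []
    if not base:
        return ["baseDN is empty"]
    for attr in ("userDN", "groupDN"):
        sub = normalize_dn(schema.get(attr, ""))
        if not sub:
            continue  # empty means 'search from baseDN', which is the fix
        # An absolute DN that already ends in baseDN gets baseDN appended again.
        if sub == base or sub.endswith("," + base):
            problems.append(f"{attr} repeats baseDN; search base would be "
                            f"'{effective_base(base, sub)}' (NO_SUCH_OBJECT)")
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_config(cfg) or "OK")
```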