Troubleshooting User/Group Sync with LDAP

This article discusses some of the issues customers have reported when configuring PaperCut to synchronize users from an LDAP (Lightweight Directory Access Protocol) source, as documented on our page Synchronize user and group details with LDAP .

PaperCut NG and MF can use LDAP to synchronize user and group details from different types of directory servers such as Apple Open Directory, Novell eDirectory, OpenLDAP and even Windows Active Directory. Because of how varied those environments can be, we haven’t documented every possible error you might run into but to help you out we’ve collected a few of the scenarios in this manual page.

PaperCut performs an LDAP lookup when…

• Performing a manual user/group sync
• Performing the automatic overnight new user import and user details update
• Creating a new user “on the fly”
• Adding a new group to PaperCut

LDAP synchronization and lookups are slow

Some slowness is expected, but there have been reported cases where the LDAP sync takes so long that it turns into a major issue. If this is the case, you may notice these symptoms:

• Running a manual sync takes a long time
• The first print job for a user being created “on the fly” takes a long time

The biggest cause we know of is a large number of LDAP Aliases.

PaperCut will de-reference LDAP aliases in case those aliases are for users. In most cases this is the desired behavior. In some cases where there are large numbers of aliases (e.g. 5,000+) this may cause a noticeable slowdown. If these aliases are not for users then it is possible to disable dereferencing of LDAP aliases, which will speed up the sync.

To resolve:

1. In the admin interface navigate to Options → Actions → Config editor (advanced).
2. Find the config key ldap.dereference-aliases.
3. The default value is always. Change the value to never and press Update.
4. Test the sync again. Ensure that the correct list of users are imported (i.e. that aliases didn’t need to be de-referenced to retrieve the right users).

Users are imported successfully but not groups

Some customers have report that after synchronizing users on the Options → User/Group Sync page, users are being imported successfully but no groups appear for import via Groups → Add/Remove Groups.

There are a couple of different reasons why you might encounter this issue.

• Mismatching LDAP schemas. PaperCut looks up groups by finding objects that contain “members”. One implication of this is that if your group does not have any members yet, it will not be displayed by PaperCut. Different LDAP servers / schemas use define group membership in different ways. For example, some servers list members in the “member” field, others the “memberUid” field. If PaperCut is looking for a field different to your LDAP server no groups will be returned. The field PaperCut uses can be changed with the ldap.schema.group-member-field advanced config key. Another difference is how users are stored in the member field. It can be either the user’s full DN or their username. This can be changed with ldap.schema.posix-groups setting. For more information on these advanced configuration keys see Advanced LDAP configuration .

   

• Too restrictive Base DN. Another reason for why groups may not be imported is that the Base DN configured in Options → User/Group Sync is too restrictive. The base DN is used to limit LDAP searches to items underneath it. LDAP searches are used to find both users and groups. So when using the Base DN “CN=Users,DC=myorg,DC=edu” then only items under the object ‘Users’ will be found. If groups are stored at: “CN=Groups,DC=myorg,DC=edu” they will be ignored because “Groups” does not exist beneath “Users” - it is stored under “myorg”. In this situation a valid base DN would be: “DC=myorg,DC=edu”. Configuring the User/Group Sync options to sync with this Base DN will allow PaperCut to find both the users and groups. Once a base DN has been defined you may still limit the users that are imported to one particular group by clicking Change Group under the Import users from option.

   

Disabled users are being imported

When syncing with Active Directory using the LDAP connector, PaperCut may inadvertently import user accounts that are disabled.

This tip will allow you to prevent disabled users from being imported into PaperCut. Caveats:

• The option Import users from must be set to [All Users]. This tip will not work if importing from a given LDAP group.
• This tip only applies to using LDAP to sync to AD (i.e. Sync Source = LDAP and LDAP Server Type = Active Directory). The option to not import disabled users from Active Directory is standard when using Sync Source = Active Directory (there is a checkbox on the User/Group Sync page).

1. See the user manual appendix Advanced LDAP Configuration for information about the default AD sync parameters.

2. See the following MS KB article for information about LDAP bitwise filters and how disabled users are represented in AD: http://support.microsoft.com/kb/305144

3. Set the advanced config key ldap.schema.user-name-search to the following (one line, no spaces):
(&(sAMAccountName={0})(objectCategory=person)(objectClass=user)(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Error code 49 - Invalid Credentials

This error may be seen in the synchronization window or in the server.log file and indicates that the admin DN authentication details entered in the LDAP sync options on the Options → User/Group Sync page are not accurate.

Possible causes for this error are:

• The admin password had been entered incorrectly.
• The admin password had been entered incorrectly on the PaperCut Service Accounts when using a Multi-Domain configuration with PaperCut NG/MF.
• The admin password has expired.
• The admin DN is not a valid user.

This error may be accompanied by a data value that might give additional insight.

2022-08-16 08:03:13,869 WARN LdapUserDirectory - Unable to retrieve user details for user: t.howes. Error: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580 ] [http-44] javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580 ]

In this example, you can see in the below table that the 52e value means Invalid Credentials. Below you can refer to other common data values and their meanings: