During the LDAP Directory synchronization operation, some of the user records are deleted from the VIP Service.
Impacted Platform: Windows and Linux
Sometimes, during synchronization of user or administrator records from the user store to the VIP Service, the LDAP Directory synchronization service logs a “NamingException” error. An improper response from the LDAP Directory causes this error, and it can result in the LDAP Directory synchronization service deleting some user records from the VIP Service.
This issue is more likely to occur when the VIP Enterprise Gateway server has a large number of referrals and some of the referring servers are not reachable.
An AD user store configured with the base DN as the root domain (for example, DC=domain,DC=com) is prone to this issue.
To address this issue, upgrade VIP Enterprise Gateway to version 9.4. After the upgrade, the LDAP Directory synchronization service skips the synchronization operation for an instance of VIP Enterprise Gateway if it logs the “NamingException” error, which avoids the deletion of user records from the VIP Service. The LDAP Directory synchronization service tries to synchronize the user records from that VIP Enterprise Gateway again in the next LDAP Directory synchronization cycle.
Note: The VIP Administrator must check the LDAP Directory synchronization logs to ensure that the LDAP Directory synchronization has run successfully.
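The difference between treating a partial directory result as complete and skipping the cycle on error, shown as an added illustration that is not VIP Enterprise Gateway code. The server names, user names and the NamingError class are constructed for this simplified model.

```python
# Simplified model of directory-to-service reconciliation.
# All names and data are constructed; this is not VIP Enterprise Gateway code.

class NamingError(Exception):
    """Stands in for the NamingException the sync service logs."""

# Constructed sample: users held by each directory server under the root base DN.
PARTITIONS = {
    "root-dc": {"alice", "bob"},
    "child-dc": {"carol"},   # reached only through an LDAP referral
}

def search_directory(partitions, reachable):
    """Collect users from every server; report an error if any referral failed."""
    users, error = set(), None
    for server, members in partitions.items():
        if server not in reachable:
            error = NamingError(f"referral to {server} failed")
            continue  # result is now partial: this server's users are missing
        users |= members
    return users, error

def sync_naive(service_users, partitions, reachable):
    """Problem behaviour: a partial search result is treated as authoritative."""
    found, _ignored = search_directory(partitions, reachable)
    deleted = set(service_users) - found
    return found, deleted

def sync_guarded(service_users, partitions, reachable):
    """Fixed behaviour: skip the whole cycle on error and retry next cycle."""
    found, error = search_directory(partitions, reachable)
    if error is not None:
        return set(service_users), set()  # nothing deleted, nothing changed
    return found, set(service_users) - found

def demo():
    service = {"alice", "bob", "carol"}
    partial = {"root-dc"}                      # child-dc unreachable
    _, lost = sync_naive(service, PARTITIONS, partial)
    _, kept = sync_guarded(service, PARTITIONS, partial)
    return lost, kept

if __name__ == "__main__":
    lost, kept = demo()
    print("naive sync deleted:", sorted(lost))
    print("guarded sync deleted:", sorted(kept))
```

The guarded version still removes users that are genuinely absent once every server answers, which is why a skipped cycle has to be followed up in the synchronization logs.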
Additionally, to avoid the occurrence of this issue, ensure the following:
- Ensure that the VIP Enterprise Gateway server can reach all the domain servers.
- Ensure that the Domain Name System (DNS) is functioning properly.
- Ensure that there are no connectivity issues due to a firewall.
- Configure user stores based on sub-domains (for example, cn=Users, DC=domain, DC=com) rather than configuring them using the highest level of the domain tree (for example, DC=domain, DC=com).
- Configure separate user stores for each OU if the users are available across multiple OUs. Such a configuration avoids the possibility of searching users over an external LDAP referral server.
With the VIP 2014-1 release, any users who were deleted in the last 90 days due to the LDAP Sync issue will be restored via LDAP Sync.
Imported Document ID: SO24418