LDAP Sync Incorrectly Deactivates Users

Applies to:
  • CrashPlan PROe

Overview

In Code42 environments that use LDAP and use version 4.2.0 through 4.3.2 of the Code42 platform, users can be incorrectly deactivated during LDAP synchronization, which places their archives in cold storage. If cold storage and expired archive retention settings are shorter than the default settings, users' archives are at increased risk of being permanently deleted.

To resolve this issue:

  1. Upgrade to 4.3.4 or later (recommended), or disable LDAP sync.
  2. Verify your retention settings.
  3. Preserve the data of any affected users.

Affects

This issue affects Code42 environments that meet all the following conditions:

  • Use version 4.2.0 through 4.3.2 of the Code42 platform
  • Use LDAP sync to manage users

This issue occurs only when your master server has a communication issue with your LDAP infrastructure while performing an LDAP sync.

Diagnosing

This issue appears in the following scenario for affected Code42 environments:

  1. The master server attempts an LDAP sync.
  2. The LDAP server is inaccessible or loses connectivity at any time during the sync.
  3. The master server deactivates users, which sends the users' archives to cold storage.
  4. If the settings for retention periods of cold storage and expired archives are set to very low values, such as 0, the enterprise servers permanently remove the archives when they perform archive maintenance.

By default, the cold storage retention period is 365 days, with an additional 20-day grace period. However, if you changed these defaults for your Code42 environment to a shorter time period and you do not manually reactivate affected users and reattach their archives before the retention period ends, the users' archives will be permanently deleted.

Preventing this issue

Recommended solution

To resolve the issue, upgrade to version 4.3.4 or later of the Code42 platform as soon as possible.

Alternative solution

Until you are able to upgrade to version 4.3.4 or later, you can temporarily prevent this issue by disabling LDAP sync:

  1. Sign in to the administration console on your master server.
  2. Go to Settings > Security > LDAP.
  3. Near Synchronization, select Never.

Considerations for disabling LDAP
If you disable LDAP sync, changes to LDAP attributes of existing users, such as deactivations, moves between organizational units (OUs), and password updates, will not be reflected in your Code42 environment. However, existing users can continue to sign in to the CrashPlan app and the administration console without issue.

Reducing the risk of data loss

If your retention periods for cold storage and expired archives are set to very low values, data can be automatically purged from your Code42 environment before you have time to troubleshoot affected users.

To avoid this risk, we recommend using the default settings for archive retention in cold storage (365 days) and expired archives (20 days). If you cannot use the default settings due to storage limitations, we recommend setting retention periods that allow you enough time to troubleshoot affected users as needed.

Increasing the cold storage retention period

To increase the cold storage retention setting for the top level of your Code42 environment:

  1. Sign in to the administration console.
  2. Go to Settings > Organization.
  3. Enter a higher value in Move deactivated archives to cold storage for, such as 365 days.
  4. Click Save.

To increase the cold storage retention setting for a specific organization:

  1. Sign in to the administration console.
  2. Go to Organizations and select the organization you would like to modify.
  3. From the action menu in the upper-right corner, select Edit.
  4. Enter a higher value in Move deactivated archives to cold storage for, such as 365 days.
  5. Click Save.

Organizations that do not inherit settings
If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization. This means it will not inherit settings, including changes to cold storage retention.

Increasing the expired archive retention period

To increase the expired archive setting for your entire Code42 environment:

  1. Sign in to the administration console.
  2. Go to Settings > Server.
  3. Change the value of Keep expired cold storage archives for to a larger value, such as 20.
  4. Click Save.

Troubleshooting affected users

Identifying affected users can be difficult, because communication issues between the LDAP server and Code42 master server are typically intermittent. This means that if a user is incorrectly deactivated due to a failed sync attempt, the user is likely reactivated the next time a scheduled sync succeeds. However, the users' devices and archives are not reactivated, which means you must follow the steps below to reattach users' archives in order to prevent potential data loss.

Identifying affected users
The presence of Directory Sync Deactivate or LDAP Connection Problem alerts in the administration console may indicate you have experienced this issue. If you suspect you have impacted users, searching for users in your Code42 environment with zero devices may help identify anyone who was deactivated due to a failed sync and later reactivated the next time sync succeeded.
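
One way to script the search described above, as an added example that is not Code42 code: it filters a user export for active accounts with zero devices and ranks them by how long their cold storage archive has before it passes retention. The export columns and sample rows are constructed, and the deadline assumes the cold storage period and the expired archive period run back to back, as the defaults (365 days plus 20) are described on this page.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Column names are hypothetical, not a Code42 format.
SAMPLE_EXPORT = """\
username,user_active,active_devices,cold_since,org_cold_days
alice,true,0,2015-06-01,365
bob,true,2,,365
carol,true,0,2015-06-10,7
dave,false,0,2015-05-01,365
erin,true,0,2015-06-12,0
"""

EXPIRED_DAYS = 20  # server-wide "Keep expired cold storage archives for" value


def triage(export_text, today, expired_days=EXPIRED_DAYS):
    """Return (username, purge_date, days_left) for likely affected users,
    most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Heuristic from the article: a later successful sync reactivated the
        # account but not its devices, so the user is active with zero devices.
        if row["user_active"] != "true" or int(row["active_devices"]) != 0:
            continue
        if not row["cold_since"]:
            continue  # no archive in cold storage, nothing to reattach
        cold_since = date.fromisoformat(row["cold_since"])
        # Assumption: the archive is kept for the organization's cold storage
        # period, then the expired archive period, before maintenance removes it.
        purge_date = cold_since + timedelta(
            days=int(row["org_cold_days"]) + expired_days)
        findings.append((row["username"], purge_date, (purge_date - today).days))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for name, purge_date, days_left in triage(SAMPLE_EXPORT, date(2015, 6, 15)):
        status = "PAST RETENTION" if days_left <= 0 else f"{days_left} days left"
        print(f"{name:8} purge on/after {purge_date}  {status}")
```

Users whose `days_left` is zero or negative should be reactivated and reattached first, because the next archive maintenance run can remove their data.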

If users have already been incorrectly deactivated, you must reactivate the users and devices, then reattach their archives:

  1. Sign in to the administration console.
  2. Activate the user account that owns the backup archive.
  3. If the user will be using the same device, activate the device associated with the backup archive.
  4. Reattach the backup archive:
    1. Select Devices.
    2. Locate and select the user's device.
    3. From the action menu, select Edit.
    4. Select Backup (or Backup Sets, if configured).
    5. From Destinations, select the destinations holding the device's backup archive.
    6. Click Save.

Users can be affected repeatedly
These steps fix a symptom of this issue, not the root cause. This issue can affect your users repeatedly until you prevent the issue by either upgrading to version 4.3.4 or later or disabling LDAP sync.