Code42 Support

How LDAP Syncing Works

Applies to:
  • Code42 CrashPlan (previously CrashPlan PROe)

Overview

After integrating your Code42 environment with LDAP, your master server will periodically sync with your LDAP infrastructure. This article examines the LDAP syncing process in detail.

For general information on the LDAP options in your Code42 environment, see the LDAP reference.

Before you begin

You should be familiar with LDAP and the LDAP basics within the Code42 environment in order to fully leverage the information in this article.

LDAP sync basics

General overview

Your Code42 environment's master server regularly syncs with your configured LDAP server(s). You can configure the sync interval in the Code42 administration console at Settings > Security > LDAP. You can also manually trigger a sync from the administration console by clicking Settings > Security > LDAP > Synchronize Now.


LDAP sync - what it does

When your master server syncs with an LDAP server, the master server performs the following actions:

  • Initiates communication with the LDAP server
  • Authenticates (binds) with the LDAP server
  • Makes an LDAP query for each user in the Code42 environment
  • Operates in read-only mode on the LDAP server
  • Performs LDAP-driven actions on your Code42 environment based on LDAP information:
    • Changes the following user information in your Code42 environment if the corresponding fields have changed in the LDAP directory:
      • Email
      • First name
      • Last name

LDAP sync - what it does not do

There are certain actions that a master server will never perform as part of LDAP syncing:

  • Add new users to LDAP or to your Code42 environment
  • Create new entries in the LDAP database
  • Modify the LDAP database
  • Modify user info within the Code42 environment based on changes to entries in the LDAP server, other than the fields mentioned above

No changes logged in LDAP sync history

If there have been no changes to users, organizations, or roles, the Code42 environment will not display anything in LDAP Sync History and will not send out a synchronization email.

History

You can view the results of past LDAP syncs in your administration console at Settings > Security > LDAP > History. For more details, refer to the LDAP Overview reference.


Simulate synchronize

You can view the potential results of an LDAP sync using Settings > Security > LDAP > Simulate. For more details, refer to the LDAP Overview reference.


Simulated synchronization results will also be emailed to the email addresses configured in Settings > Notifications.

The results will also be stored in the master server's log files. You can review these results by searching for DIRSYNC in the log files. For example, on Linux:

root@omega:~# tail -f /var/log/proserver/com_backup42_app.log.0 | grep DIRSYNC
[07.10.14 13:27:33.207 INFO    jetty-web-3217       ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.10.14 13:27:33.217 INFO    jetty-web-3217       .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.10.14 13:27:33.270 INFO    jetty-web-3217       .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:1, activated:0, moved:0, rolesChanged:0
[07.10.14 13:27:33.271 INFO    jetty-web-3217       ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:1, activated:0, moved:0, roleChanges:0, simulated:true
[07.10.14 13:27:33.271 INFO    jetty-web-3217       com.backup42.history.CpcHistoryLogger   ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Blocking and deactivating user:5/jdoe@code42.com in org:2/Default simulated:true
[07.10.14 13:27:33.412 INFO    jetty-web-3217       ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: summary email sent to:[todd+vm@code42.com], users:2, deactivated:1, simulated:true

LDAP logs

LDAP activity appears in com_backup42_app.log.[0-9], which is located in the Code42 server log directory:

  • Linux: /var/log/proserver
    Applies to Code42 servers installed as root on Ubuntu
  • Windows: C:\Program Files\CrashPlan PROe Server\logs
  • OS X: /Library/Logs/PROServer

Using your favorite text editor or textual search tool (e.g., grep in Linux/Unix), search for the keyword "DIRSYNC".

For example, from a terminal window on Linux, you could enter the following command to find all LDAP-related entries in the latest log file:

root@omega:/var/log/proserver# grep DIRSYNC com_backup42_app.log.0
[07.07.14 16:50:50.567 INFO    jetty-web-665        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.07.14 16:50:50.579 INFO    jetty-web-665        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:1, moved:0, rolesChanged:0
[07.07.14 16:50:50.580 INFO    jetty-web-665        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:1, moved:0, roleChanges:0, simulated:false
[07.07.14 16:50:50.580 INFO    jetty-web-665        com.backup42.history.CpcHistoryLogger   ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Unblocking and activating user:5/jdoe@code42.com in org:2/Default simulated:false
[07.07.14 16:50:50.661 INFO    jetty-web-665        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: summary email sent to:[todd+vm@code42.com], users:2, deactivated:0, simulated:false
[07.07.14 16:52:24.008 INFO    jetty-web-666        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.07.14 16:52:24.012 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.07.14 16:52:24.017 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 2/toddojala, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.07.14 16:52:24.026 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 5/jdoe@code42.com, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.07.14 16:52:24.027 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:0, moved:0, rolesChanged:0
[07.07.14 16:52:24.027 INFO    jetty-web-666        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:0, moved:0, roleChanges:0, simulated:false
[07.08.14 05:39:37.658 INFO    GuiceCoreRuntime 13  ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.08.14 05:39:37.663 INFO    GuiceCoreRuntime 13  .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.08.14 05:39:37.678 INFO    GuiceCoreRuntime 13  .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:0, moved:0, rolesChanged:0
[07.08.14 05:39:37.678 INFO    GuiceCoreRuntime 13  ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:0, moved:0, roleChanges:0, simulated:false

The actual messages you see in your log files will depend on the LDAP settings and activity in your Code42 environment.
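To go beyond a plain grep, the DIRSYNC lines can be parsed into structured events so that search errors and live (non-simulated) account changes stand out. The following is an added example, not Code42 code; the function names parse_dirsync and findings are hypothetical, and the patterns cover only the message shapes shown in the sample output above.

```python
import re

# Lines copied from the sample output shown in this article.
SAMPLE = """\
[07.10.14 13:27:33.271 INFO    jetty-web-3217       ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:1, activated:0, moved:0, roleChanges:0, simulated:true
[07.10.14 13:27:33.271 INFO    jetty-web-3217       com.backup42.history.CpcHistoryLogger   ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Blocking and deactivating user:5/jdoe@code42.com in org:2/Default simulated:true
[07.07.14 16:50:50.580 INFO    jetty-web-665        com.backup42.history.CpcHistoryLogger   ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Unblocking and activating user:5/jdoe@code42.com in org:2/Default simulated:false
[07.07.14 16:52:24.017 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 2/toddojala, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.07.14 16:52:24.026 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 5/jdoe@code42.com, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.07.14 16:52:24.027 INFO    jetty-web-666        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:0, moved:0, roleChanges:0, simulated:false
"""

# Assumption: only the DIRSYNC message shapes seen in the article's sample output are handled.
LINE = re.compile(r"^\[(?P<ts>\S+ \S+) .*?DIRSYNC:: (?P<msg>.*)$")
SUMMARY = re.compile(r"Summary for orgIds:.*?users:(\d+), deactivated:(\d+), "
                     r"activated:(\d+), moved:(\d+), roleChanges:(\d+), simulated:(true|false)")
ERROR = re.compile(r"Error synchronizing (\S+), (.+)")
ACTION = re.compile(r"(Blocking and deactivating|Unblocking and activating) "
                    r"user:(\S+) in org:(\S+) simulated:(true|false)")

def parse_dirsync(lines):
    """Turn raw log lines into structured DIRSYNC events; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if s := SUMMARY.match(msg):
            keys = ("users", "deactivated", "activated", "moved", "roleChanges")
            counts = dict(zip(keys, map(int, s.groups()[:5])))
            events.append({"ts": ts, "kind": "summary", "simulated": s[6] == "true", **counts})
        elif e := ERROR.match(msg):
            events.append({"ts": ts, "kind": "error", "user": e[1], "detail": e[2]})
        elif a := ACTION.match(msg):
            events.append({"ts": ts, "kind": "action", "action": a[1], "user": a[2],
                           "org": a[3], "simulated": a[4] == "true"})
    return events

def findings(events):
    """Events worth a reviewer's attention: search errors and live account state changes."""
    return [ev for ev in events
            if ev["kind"] == "error"
            or (ev["kind"] == "action" and not ev["simulated"])]

if __name__ == "__main__":
    for ev in findings(parse_dirsync(SAMPLE.splitlines())):
        print(ev)
```

In the sample lines, the 16:52:24 summary reports zero changes even though both user lookups failed, so the summary counts alone do not reveal LDAP search errors.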

Log files

Your Code42 environment rotates log files when they reach a certain size. The current application log is com_backup42_app.log.0. Older logs are named com_backup42_app.log.1, and so on.

Changing the logging level

You can change the logging level of the LDAP activity of your master server in order to help gather information when troubleshooting.

To change the logging level to include the most detailed information, enter the following command in the administration console CLI:

log com.code42.core.ldap trace

The logging levels will return to the default level (info) when the Code42 server restarts. You can manually change the LDAP logging levels back to default without a server reboot by entering the following command in the administration console CLI:

log com.code42.core.ldap info

For more information on the log command, see the Administration console Command-Line Interface reference.

External resources

In order to fully take advantage of a Code42 environment integrated with LDAP, learn more about LDAP from other resources, such as: