How LDAP sync works
Who is this article for?
- Instructor: no
- Incydr Professional, Enterprise, Gov F2, and Horizon: no
- Incydr Basic, Advanced, and Gov F1: no
- CrashPlan Cloud: no
- Retired product plans: yes
- CrashPlan for Small Business: no
Overview
When your Code42 environment integrates with LDAP, your authority server periodically syncs with your LDAP infrastructure. This article describes the LDAP syncing process in detail.
For general information on the LDAP options in your Code42 environment, see the LDAP reference.
Before you begin
You should be familiar with LDAP and the LDAP basics within the Code42 environment in order to fully leverage the information in this article.
LDAP sync basics
General overview
Your Code42 environment's authority server regularly syncs with your configured LDAP server(s). You can configure the sync interval in the Code42 console at Settings > Security > LDAP. You can also manually trigger a sync from the Code42 console:
- Click Settings.
- Choose Security.
- Select LDAP.
- Under the Synchronization section, click Synchronize Now.
LDAP sync: What it does
When your authority server syncs with an LDAP server, the authority server performs the following actions:
- Initiates communication with the LDAP server
- Authenticates (binds) with the LDAP server
- Makes an LDAP query for each user in the Code42 environment
- Operates in read-only mode on the LDAP server
- Adjusts user data in your Code42 environment to match your LDAP data:
- Activates or deactivates users based on the Active script
- Moves users to appropriate organizations based on the Org Name script
- Applies roles to users based on the Role script
- Changes the following user information in your Code42 environment if the corresponding fields have changed in the LDAP directory:
- First name
- Last name
LDAP sync: What it does not do
The authority server never performs the following actions as part of LDAP syncing:
- Add new users to LDAP or to your Code42 environment
- Create new entries in the LDAP database
- Modify the LDAP database
- Modify user info within the Code42 environment based on changes to entries in the LDAP server, other than the fields mentioned above.
If there have been no changes to users, organizations, or roles, the Code42 environment does not display anything in LDAP Sync History and does not send out a synchronization email.
History
You can view the results of past LDAP syncs in your Code42 console at Settings > Security > LDAP > History. For more details, refer to the LDAP Overview reference.
Simulate synchronize
You can view the potential results of an LDAP sync using Settings > Security > LDAP > Simulate Synchronize. For more details, refer to the LDAP Overview reference.
Simulated synchronization results are emailed to the addresses configured in Settings > Notifications.
The results are also stored in the authority server's log files. Review these results by searching for DIRSYNC in the log files. For example, on Linux:
root@omega:~# tail -f /var/log/proserver/com_backup42_app.log.0 | grep DIRSYNC
[07.10.14 13:27:33.207 INFO jetty-web-3217 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.10.14 13:27:33.217 INFO jetty-web-3217 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.10.14 13:27:33.270 INFO jetty-web-3217 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:1, activated:0, moved:0, rolesChanged:0
[07.10.14 13:27:33.271 INFO jetty-web-3217 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:1, activated:0, moved:0, roleChanges:0, simulated:true
[07.10.14 13:27:33.271 INFO jetty-web-3217 com.backup42.history.CpcHistoryLogger ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Blocking and deactivating user:5/jdoe@code42.com in org:2/Default simulated:true
[07.10.14 13:27:33.412 INFO jetty-web-3217 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: summary email sent to:[todd+vm@code42.com], users:2, deactivated:1, simulated:true
LDAP activity logs
LDAP activity appears in com_backup42_app.log.[0-9], which is located in the Code42 server log directory:
- Linux: /var/log/proserver (applies to Code42 servers installed as root on Ubuntu)
- Windows: C:\Program Files\CrashPlan PROe Server\logs
Using your favorite text editor or textual search tool (e.g., grep in Linux/Unix), search for the keyword "DIRSYNC".
For example, from a terminal window in the Linux operating system, you could enter the following command to find all LDAP related entries in the latest log file:
root@omega:/var/log/proserver# grep DIRSYNC com_backup42_app.log.0
[07.07.14 16:50:50.567 INFO jetty-web-665 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.07.14 16:50:50.579 INFO jetty-web-665 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:1, moved:0, rolesChanged:0
[07.07.14 16:50:50.580 INFO jetty-web-665 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:1, moved:0, roleChanges:0, simulated:false
[07.07.14 16:50:50.580 INFO jetty-web-665 com.backup42.history.CpcHistoryLogger ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Unblocking and activating user:5/jdoe@code42.com in org:2/Default simulated:false
[07.07.14 16:50:50.661 INFO jetty-web-665 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: summary email sent to:[todd+vm@code42.com], users:2, deactivated:0, simulated:false
[07.07.14 16:52:24.008 INFO jetty-web-666 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.07.14 16:52:24.012 INFO jetty-web-666 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.07.14 16:52:24.017 INFO jetty-web-666 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 2/toddojala, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.07.14 16:52:24.026 INFO jetty-web-666 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 5/jdoe@code42.com, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.07.14 16:52:24.027 INFO jetty-web-666 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:0, moved:0, rolesChanged:0
[07.07.14 16:52:24.027 INFO jetty-web-666 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:0, moved:0, roleChanges:0, simulated:false
[07.08.14 05:39:37.658 INFO GuiceCoreRuntime 13 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.08.14 05:39:37.663 INFO GuiceCoreRuntime 13 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.08.14 05:39:37.678 INFO GuiceCoreRuntime 13 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:0, moved:0, rolesChanged:0
[07.08.14 05:39:37.678 INFO GuiceCoreRuntime 13 ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:0, moved:0, roleChanges:0, simulated:false
The actual messages you see in your log files depend on the LDAP settings and activity in your Code42 environment.
Your Code42 environment rotates log files when they reach a certain size. The current application log is com_backup42_app.log.0. Older logs are named com_backup42_app.log.1, and so on.
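As an added example (not part of this article or the Code42 product), the following Python script applies the same DIRSYNC filter to the log format shown above and pulls out the per-org completion counts, the individual activations and deactivations, and any LDAP search errors, so a sync run can be reviewed without reading the raw log. The sample lines are constructed to match the format above; the function names are this example's own.

```python
import re

# Constructed sample lines modelled on the DIRSYNC format shown above (not a real capture).
SAMPLE_LOG = """\
[07.07.14 16:50:50.579 INFO jetty-web-665 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:1, moved:0, rolesChanged:0
[07.07.14 16:50:50.580 INFO jetty-web-665 com.backup42.history.CpcHistoryLogger ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Unblocking and activating user:5/jdoe@code42.com in org:2/Default simulated:false
[07.07.14 16:52:24.017 INFO jetty-web-666 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 2/toddojala, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.10.14 13:27:33.270 INFO jetty-web-3217 .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:1, activated:0, moved:0, rolesChanged:0
[07.10.14 13:27:33.271 INFO jetty-web-3217 com.backup42.history.CpcHistoryLogger ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Blocking and deactivating user:5/jdoe@code42.com in org:2/Default simulated:true
"""

COMPLETED_RE = re.compile(
    r"DIRSYNC:: Completed for org:(?P<org>\S+) users:(?P<users>\d+), "
    r"deactivated:(?P<deactivated>\d+), activated:(?P<activated>\d+), "
    r"moved:(?P<moved>\d+), rolesChanged:(?P<rolesChanged>\d+)")
CHANGE_RE = re.compile(
    r"DIRSYNC:: (?P<action>Blocking and deactivating|Unblocking and activating) "
    r"user:(?P<user>\S+) in org:(?P<org>\S+) simulated:(?P<simulated>true|false)")
ERROR_RE = re.compile(r"DIRSYNC:: Error synchronizing (?P<user>[^,]+), (?P<detail>.+)$")

def parse_dirsync(log_text):
    """Collect per-org completion counts, per-user changes and errors from DIRSYNC lines."""
    report = {"orgs": [], "changes": [], "errors": []}
    for line in log_text.splitlines():
        if "DIRSYNC::" not in line:
            continue  # same filter as the grep the article recommends
        if m := COMPLETED_RE.search(line):
            counts = {k: int(v) for k, v in m.groupdict().items() if k != "org"}
            report["orgs"].append({"org": m.group("org"), **counts})
        elif m := CHANGE_RE.search(line):
            report["changes"].append({
                "user": m.group("user"), "org": m.group("org"),
                "action": "deactivate" if m.group("action").startswith("Blocking") else "activate",
                "simulated": m.group("simulated") == "true"})
        elif m := ERROR_RE.search(line):
            report["errors"].append(m.groupdict())
    return report

def review_findings(report):
    """Flag what an administrator checks after a sync: real deactivations and LDAP lookup errors."""
    findings = []
    for c in report["changes"]:
        if c["action"] == "deactivate" and not c["simulated"]:
            findings.append(f"user {c['user']} deactivated in org {c['org']}")
    for e in report["errors"]:
        findings.append(f"sync error for {e['user']}: {e['detail']}")
    return findings
```

Simulated deactivations are reported in the parsed changes but not flagged as findings, matching the simulated:true marker the log carries for Simulate Synchronize runs.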
Change the logging level
You can change the logging level for LDAP activity in your authority server in order to gather troubleshooting information.
To log the most detailed information, enter the following command in the Code42 console CLI:
log com.code42.core.ldap trace
The logging level returns to the default level (info) when the Code42 server restarts. You can manually change the LDAP logging level back to default with the following command in the Code42 console CLI:
log com.code42.core.ldap info
For more information on the log command, see the Code42 console command-line interface reference.
External resources
In order to fully take advantage of a Code42 environment integrated with LDAP, learn more about LDAP from other resources, such as: