How LDAP sync works

Last updated
Save as PDF

Who is this article for?

CrashPlan Cloud

CrashPlan for Small Business

CrashPlan On-Premises

Find your product plan in the Code42 console on the Account menu.
Not a CrashPlan On-Premises customer? Search or browse Incydr and Instructor, CrashPlan Cloud, or CrashPlan for Small Business.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, no.

Incydr Basic, Advanced, and Gov F1, no.

CrashPlan Cloud, no.

Retired product plans, yes.

CrashPlan for Small Business, no.

Overview

When your Code42 environment integrates with LDAP, your authority server periodically syncs with your LDAP infrastructure. This article describes the LDAP syncing process in detail.

For general information on the LDAP options in your Code42 environment, see the LDAP reference.

Before you begin

You should be familiar with LDAP and the LDAP basics within the Code42 environment in order to fully leverage the information in this article.

LDAP sync basics

General overview

Your Code42 environment's authority server regularly syncs with your configured LDAP server(s). You can configure the sync interval in the Code42 console at Settings > Security > LDAP. You can also manually trigger a sync from the Code42 console:

Click Settings.
Choose Security.
Select LDAP.
Under the Synchronization section, click Synchronize Now.

LDAP settings

LDAP sync: What it does

When your authority server syncs with an LDAP server, the authority server performs the following actions:

Initiates communication with the LDAP server
Authenticates (binds) with the LDAP server
Makes an LDAP query for each user in the Code42 environment
Operates in read-only mode on the LDAP server
Adjusts user data in your Code42 environment to match your LDAP data:
- Activates or deactivates users based on the Active script
- Moves users to appropriate organizations based on the Org Name script
- Applies roles to users based on the Role script
Changes the following user information in your Code42 environment if the corresponding fields have changed in the LDAP directory:
- Email
- First name
- Last name

LDAP sync: What it does not do

Certain actions that an authority server will never perform as part of LDAP syncing:

Add new users to LDAP or to your Code42 environment
Create new entries in the LDAP database
Modify the LDAP database
Modify user info within the Code42 environment based on changes to entries in the LDAP server, other than the fields mentioned above.

No changes logged in LDAP sync history
If there have been no changes to users, organizations, or roles, the Code42 environment does not display anything in LDAP Sync History and does not send out a synchronization email.

History

You can view the results of past LDAP syncs in your Code42 console at Settings > Security > LDAP > History. For more details, refer to the LDAP Overview reference.
directory sync history

Simulate synchronize

You can view the potential results of an LDAP sync using Settings > Security > LDAP > Simulate Synchronize. For more details, refer to the LDAP Overview reference.

directory sync entry example

Simulated synchronization results are emailed to the addresses configured in Settings > Notifications.

The results are also stored in the authority server's log files. Review these results by searching for DIRSYNC in the log files. For example, on Linux:

root@omega:~# tail -f /var/log/proserver/com_backup42_app.log.0 | grep DIRSYNC
[07.10.14 13:27:33.207 INFO    jetty-web-3217       ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.10.14 13:27:33.217 INFO    jetty-web-3217       .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.10.14 13:27:33.270 INFO    jetty-web-3217       .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:1, activated:0, moved:0, rolesChanged:0
[07.10.14 13:27:33.271 INFO    jetty-web-3217       ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:1, activated:0, moved:0, roleChanges:0, simulated:true
[07.10.14 13:27:33.271 INFO    jetty-web-3217       com.backup42.history.CpcHistoryLogger   ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Blocking and deactivating user:5/jdoe@code42.com in org:2/Default simulated:true
[07.10.14 13:27:33.412 INFO    jetty-web-3217       ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: summary email sent to:[todd+vm@code42.com], users:2, deactivated:1, simulated:true

LDAP activity logs

LDAP activity appears in com_backup42_app.log.[0-9], which is located in the Code42 server log directory:

Linux: /var/log/proserver
Applies to Code42 servers installed as root on Ubuntu
Windows: C:\Program Files\CrashPlan PROe Server\logs

Using your favorite text editor or textual search tool (e.g., grep in Linux/Unix), search for the keyword "DIRSYNC".

For example, from a terminal window in the Linux operating system, you could enter the following command to find all LDAP related entries in the latest log file:

root@omega:/var/log/proserver# grep DIRSYNC com_backup42_app.log.0
[07.07.14 16:50:50.567 INFO    jetty-web-665        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.07.14 16:50:50.579 INFO    jetty-web-665        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:1, moved:0, rolesChanged:0
[07.07.14 16:50:50.580 INFO    jetty-web-665        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:1, moved:0, roleChanges:0, simulated:false
[07.07.14 16:50:50.580 INFO    jetty-web-665        com.backup42.history.CpcHistoryLogger   ] HISTORY:: Subject[1/admin, orgId:1] DIRSYNC:: Unblocking and activating user:5/jdoe@code42.com in org:2/Default simulated:false
[07.07.14 16:50:50.661 INFO    jetty-web-665        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: summary email sent to:[todd+vm@code42.com], users:2, deactivated:0, simulated:false
[07.07.14 16:52:24.008 INFO    jetty-web-666        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.07.14 16:52:24.012 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.07.14 16:52:24.017 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 2/toddojala, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.07.14 16:52:24.026 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Error synchronizing 5/jdoe@code42.com, SYSTEM com.code42.core.directory.DirectoryException: Exception while attempting to search LDAP
[07.07.14 16:52:24.027 INFO    jetty-web-666        .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:0, moved:0, rolesChanged:0
[07.07.14 16:52:24.027 INFO    jetty-web-666        ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:0, moved:0, roleChanges:0, simulated:false
[07.08.14 05:39:37.658 INFO    GuiceCoreRuntime 13  ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Submitting for orgs: , [2,3]
[07.08.14 05:39:37.663 INFO    GuiceCoreRuntime 13  .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Running for org:2/Default
[07.08.14 05:39:37.678 INFO    GuiceCoreRuntime 13  .directory.impl.sync.DirectorySyncOrgCmd] DIRSYNC:: Completed for org:2/Default users:2, deactivated:0, activated:0, moved:0, rolesChanged:0
[07.08.14 05:39:37.678 INFO    GuiceCoreRuntime 13  ore.directory.impl.sync.DirectorySyncCmd] DIRSYNC:: Summary for orgIds:, [2,3], users:2, deactivated:0, activated:0, moved:0, roleChanges:0, simulated:false

The actual messages you see in your log files depend on the LDAP settings and activity in your Code42 environment.

Log files
Your Code42 environment rotates log files when they reach a certain size. The current application log is com_backup42_app.log.0. Older logs are signified by com_backup42_app.log.1, and so on.

Change the logging level

You can change the logging level for LDAP activity in your authority server in order to gather troubleshooting information.

To log the most detailed information, enter the following command in the Code42 console CLI:

log com.code42.core.ldap trace

The logging level returns to the default level (info) when the Code42 server restarts. You can manually change the LDAP logging level back to default with the following command in the Code42 console CLI:

log com.code42.core.ldap info

For more information on the log command, see the Code42 console command-line interface reference.

External resources

In order to fully take advantage of a Code42 environment integrated with LDAP, learn more about LDAP from other resources, such as: