LDAP sync problem causes domain accounts to fail login.

Publication Date:  2012-09-13 Views:  215 Downloads:  0
Issue Description
In a company's Secospace system, clients use domain-account authentication mode. Operation was normal at first; then, suddenly, domain accounts could no longer pass authentication, and the client reported the error "account does not exist or password is wrong".
Alarm Information
None.
Handling Process
1 Service startup problem: checked whether the SM and ED services were all running normally;
2 Device linkage problem: ran dis right-manager server-group; the linkage was normal;
3 AD server problem: the customer has four AD servers, and the other services that depend on AD were working normally, so the AD servers were ruled out;
4 Testing showed that an ordinary account could log in from the client successfully, so the Secospace system itself was not at fault. Further testing showed that some domain accounts could log in and some could not, and the accounts that could not log in were concentrated in three departments, A, B and C. Suspecting a synchronization problem, we ran "Configuration > LDAP sync" directly and found that 0 entries were synchronized successfully.
We then added a new domain account in department A, associated it with the LDAP organizational unit, added the DN value, and synchronized (9 entries succeeded). The new account could then log in, and the other domain accounts in department A could log in too. The problem in the other departments was resolved in the same way: associate the LDAP organizational unit, add the DN value, and synchronize.
Root Cause
1 service startup problem (ruled out);
2 device linkage problem (ruled out);
3 AD server problem (ruled out);
4 LDAP sync problem (confirmed): the affected departments' organizational units were not associated with a DN for synchronization, so their domain accounts were never synchronized to Secospace and could not authenticate.
Suggestions
Analysis showed that the problem had nothing to do with the customer restarting the AD server; however, an incorrect operation had been performed during work on the AD server. The synchronization log shows the account being deleted:
2008-09-18 15:54:11,831 INFO  [com.huawei.secospace.server.manager.synch.impl.SynchronizeDstToSrc] successs to sychronize delete object: ssAccountRdn=admin_hanslaser_com,
ssPersonRdn=S121445429828652602,ssUuid=13,ssUuid=6,ssUuid=5,ssUuid=4,ssUuid=rootorg,ou=Organization
To avoid this problem, we recommend enabling automatic LDAP data synchronization, so that accounts removed or left out by manual operations are detected at the next sync rather than when users can no longer log in.
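The two checks that would have shortened the Handling Process above, as an added example that is not part of this case or of the Secospace product: first, given the OU base DNs configured for synchronization, report which AD user DNs lie outside every configured OU (those users are never synchronized, which is exactly the department A, B, C symptom); second, scan synchronizer log lines for "delete object" events and list the deleted account RDNs, so an accidental deletion like the one quoted in the Suggestions is caught by an operator. In practice the user DNs come from an LDAP query against AD and the sync base DNs from the Secospace configuration; here both, and the log lines (whose format mimics the quoted line, original misspellings included), are constructed inline so the script runs offline.

```python
"""Secospace-style LDAP sync sanity checks (added example, not Huawei code).

Inputs below are constructed for the example. Assumptions: sync scope is a list
of OU base DNs and an account is synchronized only if its DN sits under one of
them; the synchronizer log format is as quoted on this page.
"""
import re
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased, whitespace-trimmed RDNs.

    Commas escaped with a backslash (e.g. 'CN=Doe\\, John') stay inside their RDN.
    """
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]


def is_under(user_dn: str, base_dn: str) -> bool:
    """True if user_dn is strictly below base_dn in the directory tree."""
    u, b = split_dn(user_dn), split_dn(base_dn)
    return len(u) > len(b) and u[-len(b):] == b


def find_unsynced(user_dns: List[str], sync_bases: List[str]) -> List[str]:
    """Return the user DNs that no configured sync base DN covers."""
    return [dn for dn in user_dns if not any(is_under(dn, b) for b in sync_bases)]


# Tolerant of the misspellings in the quoted log ("successs", "sychronize").
DELETE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}).*?"
    r"\[com\.huawei\.secospace\.server\.manager\.synch\.impl\.(\w+)\]\s+"
    r"succ\w*\s+to\s+s\w*nize\s+delete\s+object:\s*ssAccountRdn=([^,\s]+)"
)


def deleted_accounts(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, synchronizer class, account RDN) for every sync delete."""
    hits = []
    for line in log_lines:
        m = DELETE_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


# Constructed sync scope: only two OUs were associated with a DN in Secospace.
SYNC_BASES = [
    "OU=Sales,OU=Staff,DC=example,DC=com",
    "OU=IT,OU=Staff,DC=example,DC=com",
]

# Constructed AD users; Finance plays the role of "department A" on this page.
USERS = [
    "CN=alice,OU=Sales,OU=Staff,DC=example,DC=com",
    "CN=bob,OU=IT,OU=Staff,DC=example,DC=com",
    "CN=carol,OU=Finance,OU=Staff,DC=example,DC=com",
    "CN=Doe\\, John,OU=Sales,OU=Staff,DC=example,DC=com",
    "CN=eve,OU=Sales,OU=Staff,DC=other,DC=com",
]

# Constructed synchronizer log lines in the format quoted on this page.
LOG_LINES = [
    "2012-09-10 09:12:03,117 INFO  [com.huawei.secospace.server.manager.synch.impl.SynchronizeDstToSrc] "
    "successs to sychronize delete object: ssAccountRdn=u_finance_01,ssPersonRdn=S100000000000000001,"
    "ssUuid=13,ssUuid=rootorg,ou=Organization",
    "2012-09-10 09:12:03,204 INFO  [com.huawei.secospace.server.manager.synch.impl.SynchronizeDstToSrc] "
    "successs to sychronize add object: ssAccountRdn=u_sales_07,ssUuid=13,ou=Organization",
]


if __name__ == "__main__":
    for dn in find_unsynced(USERS, SYNC_BASES):
        print("not in any sync OU, will fail login:", dn)
    for ts, cls, rdn in deleted_accounts(LOG_LINES):
        print(f"{ts} {cls} deleted account {rdn}")
```

Run it as-is to see carol (OU not associated) and eve (different domain) flagged, while the escaped-comma user under Sales is accepted; the log scan reports only the delete event, not the add. To use it for real, replace USERS with the output of an LDAP search for user objects and SYNC_BASES with the DNs actually configured on the Secospace SM, and feed the SM synchronizer log to deleted_accounts.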
