LDAP sync fails for ECN Management users, causing unexpected lockouts after password change

After recent password changes in Active Directory, ECN Management module users are getting locked out. LDAP sync appears to fail for these specific users while other modules work fine.

The error in ldap_sync.log:

LDAP sync failed for user: jsmith
Cause: javax.naming.AuthenticationException
DN: CN=John Smith,OU=Engineering,DC=company,DC=com

Our LDAP configuration uses user DN mapping with base DN pointing to OU=Engineering. The sync worked perfectly before AD password policy was updated to require 90-day rotation. Now when passwords change in AD, those credentials don’t propagate to Agile for ECN users specifically.

Other users in Change Management and Document Management sync without issues. Is there something specific about ECN Management module’s credential handling?

That’s definitely the issue. By default, Agile’s LDAP connector doesn’t do recursive OU searches for credential propagation. It only searches the exact base DN specified.

You have two options:

1. Add multiple base DNs in the LDAP configuration (supports comma-separated list)
2. Move ECN users to the parent OU in Active Directory

Option 1 is less disruptive. Update your LDAP config to:

Base DN: OU=Engineering,DC=company,DC=com;OU=ECN,OU=Engineering,DC=company,DC=com

But there might be a better solution with user DN mapping attributes.

The root cause is how LDAP sync configuration handles user DN mapping when credentials change. Let me break down what’s happening and provide the complete solution.

LDAP Sync Configuration Issue: Agile’s LDAP connector performs two distinct operations:

1. User authentication (login validation)
2. Credential synchronization (password propagation from AD)

Authentication works recursively by default - it searches the entire directory tree from the base DN. That’s why ECN users can initially log in.

Credential propagation does NOT search recursively - it expects an exact DN match based on the configured mapping. When AD passwords change, the sync process:

• Queries base DN for user accounts
• Builds DN string using mapping template
• Attempts to bind with new credentials
• Updates Agile user record if successful

For nested OUs, the DN construction fails because the mapping template doesn’t include the intermediate OU.

User DN Mapping Fix: Instead of adding multiple base DNs, configure the DN mapping to search dynamically:

1. Admin Console > System Settings > LDAP Configuration

2. Locate ‘User DN Mapping’ section

3. Current setting likely shows:

   
   DN Template: CN={username},OU=Engineering,DC=company,DC=com
   

4. Change to dynamic search mapping:

   
   DN Search Base: DC=company,DC=com
   DN Search Filter: (sAMAccountName={username})
   DN Search Scope: subtree
   

This makes the connector search the entire directory tree to find the user’s actual DN, regardless of OU structure.

Credential Propagation Configuration: Verify these settings are enabled:

• ‘Sync passwords on change’ = true
• ‘Password sync interval’ = 300 seconds (5 min)
• ‘Enable recursive search’ = true (if available in 9.3.5)

In ldap_connector.properties, add:

ldap.sync.recursive=true
ldap.dn.resolution=dynamic
ldap.auth.fallback=true

Module-Specific Consideration: ECN Management has stricter authentication requirements due to compliance tracking. The module caches credentials differently than others. After fixing the DN mapping, force a credential refresh:

1. Clear cached credentials: Admin > User Management > Bulk Operations > ‘Reset Authentication Cache’
2. Force immediate sync: Admin > LDAP Configuration > ‘Sync Now’ button
3. Monitor ldap_sync.log for successful DN resolution

Testing Steps:

1. Have an ECN user change their AD password

2. Wait 5 minutes for sync interval

3. Check ldap_sync.log - should show:

   
   DN resolved: CN=John Smith,OU=ECN,OU=Engineering,DC=company,DC=com
   Credential sync successful for user: jsmith
   

4. User should be able to log into ECN Management with new password

Why This Affects ECN Specifically: ECN Management module enforces stricter audit trails for engineering changes. It validates credentials on every operation, not just at login. When credential propagation fails, the cached password becomes stale, causing lockouts during ECN operations even if initial login succeeded.

After implementing dynamic DN mapping, all users regardless of OU structure will sync properly when passwords change in Active Directory.

Ran the ldapsearch and found something interesting. The ECN users ARE in a nested OU structure: OU=ECN,OU=Engineering,DC=company,DC=com. But other Engineering users who sync fine are directly in OU=Engineering.

Our base DN configuration only specifies OU=Engineering,DC=company,DC=com. Does the LDAP connector search recursively or do we need to add the nested OU explicitly?

Checked the LDAP configuration - there’s only one global realm defined, no module-specific overrides. All modules point to the same AD server and base DN. The ECN Management module doesn’t have separate authentication settings that I can find.

I’ve seen this when the LDAP connector’s bind credentials expire. If your sync service account password changed in AD, the connector can’t authenticate to perform the sync. But that would affect all modules, not just ECN.

Check if ECN users have special characters in their DNs that might need escaping. The AuthenticationException suggests the DN format isn’t matching what AD expects during credential propagation.

Look at your user DN mapping configuration more carefully. ECN Management users might be in a different OU structure. If the base DN is OU=Engineering but ECN users are actually in OU=Engineering,OU=ECN, the mapping won’t resolve correctly.

Run this LDAP query to verify actual user locations:

ldapsearch -x -H ldap://your-dc -D bind_user -W -b "DC=company,DC=com" "(sAMAccountName=jsmith)" dn

Compare the returned DN with what Agile is using in the sync log.

ECN Management might be using a different authentication realm. Check Admin > System Settings > LDAP Configuration. Look for module-specific authentication settings. Some modules can override the global LDAP config.