08/09/2024 06:12 AM - edited 08/09/2024 06:12 AM
Hi,
We configured an ADSI connection in the Production environment after a proper POC in non-Prod without any issues. However, in the Production environment, we find that the ADSI access import job is fetching only 20,000 AD groups into Saviynt while there are actually 71K+ groups available in AD under the defined search filter.
Please note that the ADSI account import job is able to fetch 124K+ account records without an issue, but the access import job is unable to fetch all records, and on each run, it sticks to 20,000 groups only. The configuration is the same between non-Prod and Prod, but the non-Prod access import job works fine, bringing all 71K+ groups from non-Prod AD.
We tested with changing the AD DC hostname, and we also updated the timeout value from 300 to 3000, but the results were the same in all cases. Also, we checked with the client AD team about a possible LDAP search limitation, but they assured us that there is no such limitation.
PFA the Connection configuration, Security System config, Endpoint config, Saviynt access import job logs, ADSI logs data for the Production ADSI setup.
Kindly suggest.
08/09/2024 06:15 AM
Validate resource allocation in prod vs dev with Saviynt support.
08/09/2024 10:08 AM
This issue is resolved now. There was a search limit of 20,000 found on the base DN for searching groups (DC=AM,DC=MDS,DC=XXX,DC=COM).
When we updated the search base DN to one level up (OU=XXX,DC=AM,DC=MDS,DC=XXX,DC=COM), with confirmation from the client AD team that all the AD groups reside under this container, we saw it was returning totalRecord as the actual count of AD groups in Prod.
With this new search base DN, we executed the ADSI access import job in Prod again, and this time, it brought all 71K+ AD groups.
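An independent way to check the symptom described in this thread, added here as an example and not posted by any participant or taken from Saviynt: count the groups under each candidate search base with a paged LDAP search and compare the numbers with what the access import job brings in. The LDAP filter, page size and function name are assumptions, and the DNs are the redacted ones from the thread, to be replaced with real values on a domain-joined host.

```powershell
# Added example: count AD groups under candidate search bases, outside Saviynt.
# The DNs are the redacted values from the thread; the filter is an assumption,
# use the filter configured on your own connection.
param(
    [string[]]$SearchBases = @(
        'DC=AM,DC=MDS,DC=XXX,DC=COM',
        'OU=XXX,DC=AM,DC=MDS,DC=XXX,DC=COM'
    ),
    [string]$Filter = '(objectCategory=group)',
    [int]$PageSize = 1000
)

# Hypothetical helper: returns the number of entries matching $LdapFilter
# under $BaseDn, walking the whole subtree with paged results.
function Get-LdapObjectCount {
    param([string]$BaseDn, [string]$LdapFilter, [int]$Page)

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = $LdapFilter
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = $Page   # non-zero enables paged search
    $searcher.SizeLimit   = 0       # no client-side cap on result count
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        $count = 0
        foreach ($entry in $results) { $count++ }
        return $count
    }
    finally {
        # SearchResultCollection holds unmanaged resources; release them.
        $results.Dispose(); $searcher.Dispose(); $root.Dispose()
    }
}

foreach ($base in $SearchBases) {
    try {
        $n = Get-LdapObjectCount -BaseDn $base -LdapFilter $Filter -Page $PageSize
        [pscustomobject]@{ SearchBase = $base; Groups = $n; Error = $null }
    }
    catch {
        # Report bind or search failures per base instead of aborting the run.
        [pscustomobject]@{ SearchBase = $base; Groups = $null; Error = $_.Exception.Message }
    }
}
```

A count from this script that differs from the number of groups the import job loads for the same search base and filter shows that records are being lost between the directory and the import, which narrows where to look.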