Unable to Import Users
(Version 7+)
Problems with importing users are most often related to:
- The user has already been imported
- The email address is already being used by another account
- Specific Error Messages - look these up with AD/LDAP messages
- Problems with the username/password connecting to the AD/LDAP directory
- Problems with the Directory scope, defined in the Directory settings or Import Search filter
- The Directory definitions affect the Search, unless a new location is specified
- When importing, the Relative Search field should contain the exact location of the users (not under a subtree in the directory)
Related topic:
- Quick AD/LDAP Guide - Import Settings / Import Instructions
Troubleshooting steps
Check Connection to the Directory
- For bind errors, or not seeing ANY users:
- First check your connection (bind) to the directory: LDAP/AD Bind
Getting Error Messages
- "Directory Search Failed: The size limit was exceeded"
- Please see the note here regarding the maximum of 1000 objects, and take the steps to limit your directory search results or increase the AD option limit
"Directory Search Failed: The object does not exist"
- There is very likely a problem with the specification of the AD Directory location
- A common mistake is to repeat the location of the Base DN in the User Relative field or Group Relative field
- A Correct Example:
- Base Distinguished Name: DC=CORP,DC=SPRING,DC=LAN
- User Relative DN: OU=Employees
- Ensure you have the proper syntax and the locations are correct
- Send us a screenshot of your location or search filter settings if you are still not sure.
- "Unable to access user directory. Permission denied."
- A restart of the machine running Password Server should resolve this particular issue.
- If not, contact us at Support
Increase Your Logging details
- Follow the instructions for viewing logs (Server & Web) here: increase logging details
- What is showing in your logs after increasing the logging detail and trying again?
- Don't forget to change the logging levels back again once you are done troubleshooting
Cannot See Users in the List
If you are getting an error, see the sections above.
If you are expecting to see more users, then add/modify these settings:
- Directory settings:
- Base Distinguished Name (BDN)
- User Relative Domain Name (URDN)
- Group Relative Domain Name (GRDN)
- Search Filter (Import Users page):
- When importing/searching, it helps to narrow the scope right down to the container where your user(s) are located.
- Relative Search DN (same as the URDN above), or,
- Use other Search Filters (see the next examples, below)...
- Correct Example:
- Base Distinguished Name: DC=CORP,DC=SPRING,DC=LAN
- Relative Search DN: OU=Employees
- Incorrect Examples:
- Relative Search DN: OU=Employees,DC=CORP,DC=SPRING,DC=LAN
- Relative Search DN: CN=Dept1,OU=Employees,DC=CORP,DC=SPRING,DC=LAN
- Advanced User filter (Recommended):
- Add an Advanced User filter; for examples, see Directory Search Filters
- This has been shown to be very effective in importing/managing users in Password Server
- AD Advanced Attribute: If you cannot see the user in AD along with the other users, check whether the showInAdvancedViewOnly attribute has been set to TRUE (and change it to FALSE)
- View > Advanced Features
- Find the user > Right-click user > Properties > Attribute Editor tab
- Set showInAdvancedViewOnly = FALSE
Search Nested Groups
- It is possible to add an Additional User Filter (in the Edit Directory) to search through nested groups:
memberOf:1.2.840.113556.1.4.1941:=<DN of the group>
- Note: this does not include users' Primary Group
- For more information: Search Nested Groups
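The Relative DN mistake from the "Incorrect Examples" above and the nested-group filter can both be checked before you save the settings. The following is an added example, not Pleasant Password Server code: it assumes the search base is formed as `<Relative DN>,<Base DN>`, and the function names and the sample group DN are constructed for illustration.

```python
import re

# Matching-rule OID quoted on this page (AD's "in chain" rule for nested groups).
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

def split_dn(dn):
    """Split a DN into normalised RDNs on commas that are not backslash-escaped."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip(), count=1).lower() for p in parts if p.strip()]

def repeats_base(base_dn, relative_dn):
    """True when the relative DN already ends with the Base DN (the 'Incorrect' case)."""
    base, rel = split_dn(base_dn), split_dn(relative_dn)
    return bool(base) and len(rel) >= len(base) and rel[-len(base):] == base

def effective_search_base(base_dn, relative_dn):
    """Assumed composition: <relative DN>,<Base DN>. Raises if the base is repeated."""
    if repeats_base(base_dn, relative_dn):
        raise ValueError("Relative DN repeats the Base DN: %r" % relative_dn)
    rel = relative_dn.strip().strip(",")
    return (rel + "," if rel else "") + base_dn.strip()

def escape_filter_value(value):
    """RFC 4515 escaping so a group DN containing ( ) * \\ cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def nested_group_filter(group_dn):
    """Filter matching users who are direct or nested members of group_dn."""
    return "(memberOf:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(group_dn))

if __name__ == "__main__":
    base = "DC=CORP,DC=SPRING,DC=LAN"  # values from the page's examples
    for rel in ("OU=Employees", "OU=Employees,DC=CORP,DC=SPRING,DC=LAN"):
        try:
            print("OK  ", effective_search_base(base, rel))
        except ValueError as err:
            print("FAIL", err)
    # Constructed group DN, not from the page.
    print(nested_group_filter("CN=Ops (EU),OU=Groups," + base))
```

The filter is returned in the parenthesised RFC 4515 form; drop the outer parentheses if the Additional User Filter field expects the bare form shown above.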
Auto-Importing Problems
- Auto-Import needs to be checked on
- Auto-Import only works first-time using the Web Application (in 7.9.5+, all clients now auto-import)
- When the users attempt a login, the system can automatically import them from:
- The User Relative DN,
- The Base Distinguished Name, or
- The Directory root
Restart Pleasant Password Server Service
- Sometimes just restarting the Pleasant Password Server Service may be all that’s needed
Still experiencing problems?
Please:
- Include screenshots of your Directory setup settings (including Advanced) and Import Users pages
- Forward your detailed logs to us at Support
If necessary we can also schedule a screen-sharing time with you.