GCDS error messages

You may encounter the following error messages when using Google Cloud Directory Sync (GCDS). For complete information on using GCDS, see the GCDS Help Center.

Error message Description and solution
org.jdom.input.JDOMParseException: Error on line 1: Content is not allowed in prolog

GCDS is trying to load a configuration file with an unsupported character encoding.

GCDS uses UTF-8 as its default character encoding. We encourage you to use the same encoding for your configuration files, although other encodings are compatible.

To resolve this issue:

  1. Change the encoding of your configuration file to UTF-8. Most popular text editors can do this: open the file and save it with a different encoding.
  2. Verify that the content of your configuration file is correct.
  3. Try to load the configuration file in GCDS again.

Most common unsupported encodings:

  • UTF-7
  • UTF-8 BOM
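
The following Python sketch is an added example, not part of GCDS or Google's documentation. It detects a byte signature (UTF-8 BOM, UTF-16/32 BOM, or the UTF-7 `+/v8` prefix) in front of the XML declaration, re-encodes the file as BOM-free UTF-8, and confirms the result parses; the function name and the sample XML are assumptions made for the illustration.

```python
import codecs
import xml.etree.ElementTree as ET

# Byte signatures that may sit in front of the XML declaration. UTF-32 LE
# is listed before UTF-16 LE because its BOM begins with the same two bytes.
SIGNATURES = [
    (codecs.BOM_UTF8, "utf-8-sig", "UTF-8 BOM"),
    (codecs.BOM_UTF32_LE, "utf-32", "UTF-32 LE"),
    (codecs.BOM_UTF32_BE, "utf-32", "UTF-32 BE"),
    (codecs.BOM_UTF16_LE, "utf-16", "UTF-16 LE"),
    (codecs.BOM_UTF16_BE, "utf-16", "UTF-16 BE"),
    (b"+/v8", "utf-7", "UTF-7"),
]


def normalize_config(raw: bytes):
    """Return (utf8_bytes, detected_label) with any signature removed.

    Raises UnicodeDecodeError if the bytes are not valid in the detected
    encoding, and xml.etree.ElementTree.ParseError if the result is not
    well-formed XML.
    """
    label, codec = "UTF-8 (no BOM)", "utf-8"
    for signature, sig_codec, sig_label in SIGNATURES:
        if raw.startswith(signature):
            label, codec = sig_label, sig_codec
            break
    # The utf-7 codec keeps U+FEFF in the decoded text, so strip it by hand.
    text = raw.decode(codec).lstrip("\ufeff")
    cleaned = text.encode("utf-8")
    ET.fromstring(cleaned)  # confirm the result is well-formed XML
    return cleaned, label


# Constructed sample, not a real GCDS configuration file.
SAMPLE_XML = '<?xml version="1.0" encoding="UTF-8"?><config><features/></config>'

if __name__ == "__main__":
    for raw in (codecs.BOM_UTF8 + SAMPLE_XML.encode("utf-8"),
                ("\ufeff" + SAMPLE_XML).encode("utf-7"),
                SAMPLE_XML.encode("utf-8")):
        cleaned, label = normalize_config(raw)
        print(f"{label:15} -> {len(cleaned)} bytes of BOM-free UTF-8")
```

If the XML declaration names an encoding other than UTF-8, update it after converting, or the parse check will reject the file.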

Can have at most one primary organization

GCDS is attempting to update a Google user profile that matches at least one exclusion rule. Exclusion rules should match only users that are present in your Google domain but not in your LDAP server. In Configuration Manager, go to Google Domain Configuration > Exclusion rules and make sure there are no rules that exclude users on your LDAP server.

More information: Use exclusion rules with GCDS.

javax.net.ssl.SSLHandshakeException: connection during handshake

A network connection issue prevented GCDS from completing a Secure Sockets Layer (SSL) handshake with the Google server. This may be caused by a machine routing a packet too slowly, or your ISP losing service temporarily.

GCDS automatically attempts to complete the SSL handshake up to 3 times. If you see the following message in the logs, GCDS completed the handshake successfully on the second or third attempt, and no further action is needed:
[2011-12-14 14:20:44,494] [main] [INFO] [usersyncapp.sync.FullSyncAgent] No differences detected, no changes necessary.

Work with your local network administrator to see what might be causing network timeouts.

Quota exceeded for the current request

GCDS is temporarily blocked from using Google APIs because of overuse. Wait 24 hours before attempting to sync again, as you may have reached an API quota limit.

If you see this error message again, check the final sync summary. If no users failed to sync, GCDS automatically retried the blocked request and succeeded, and no further action is needed.

Google API limits should be sufficient for day-to-day use. However, you may reach a limit if you simulate multiple syncs or sync all of your users' passwords with GCDS. If you run the sync-cmd command with an automated script, try running it less often per day.

If this is a critical issue, try using a different Google administrator account to authenticate to GCDS, or use OAuth authentication.

java.lang.RuntimeException: Unknown LDAP search rule scope "null"

A rule in one of the following sections of Configuration Manager is empty:
  • LDAP Settings > Org Units > Search Rules
  • LDAP Settings > Users > User Sync
  • LDAP Settings > Groups > Group Search Rules
  • LDAP Settings > User Profiles > User Profiles Sync
  • LDAP Settings > Shared Contacts > Contacts Sync

More information: Set up your sync with Configuration Manager

InvalidHashDigestLength(1405)

The password encryption method for syncing passwords has not been correctly configured in Configuration Manager, or your LDAP server uses an encryption method that isn't supported by GCDS. Plaintext, Base64, MD5, and SHA1 are the supported methods. To sync passwords with Microsoft® Active Directory®, use G Suite Password Sync.

If you're using a version of GCDS earlier than version 3.1.3, you might see this error. Upgrade to the latest version of GCDS.

More information: How will you synchronize passwords? and What's New in Google Cloud Directory Sync.

0 nested group(s)

GCDS isn't correctly distinguishing between users and nested groups on your LDAP server.

To resolve this issue:
  1. Add the following line to your configuration file, in the <features> section:
    <optional>GROUP_NESTED_GROUPS_AS_USERS</optional>
  2. Save your configuration file and sync.

Suspend user

This can occur if you perform a sync with a configuration file that was duplicated outside of Configuration Manager. The new configuration file is accessing the same cache as the original configuration file, and inconsistencies between the 2 can cause users to be suspended.

To duplicate a GCDS configuration file, always use the Save As option in Configuration Manager. This ensures that the new configuration file has its own cache.

More information: Work with configuration files

Skipping unknown member

You are using an older GCDS XML configuration file, and GCDS encountered a group member that isn't included in your configuration's user search rules. You should include all group members and owners in your user search rules, even if you don't want to sync those users to the Google domain. GCDS needs to extract the email addresses for these users to process groups properly.

Alternatively, create a new, blank XML configuration file. GCDS then enables independent group sync, which forces GCDS to resolve group members regardless of user sync rules. If you're not sure, this is probably the best option.

When making any configuration changes or creating a new configuration file, make sure you run a simulation and review the results before running a full sync.

More information: Define your user list.

com.google.gdata.client.GoogleService$InvalidCredentialsException: Invalid credentials

The Google domain administrator account you specified in Configuration Manager isn't an administrator, or the username and password are incorrect.

In Configuration Manager, go to Google Domain > Settings and verify the administrator account information specified in Admin Email Address.

More information: Define your Google Domain settings

com.google.gdata.util.ResourceNotFoundException:

The sync key attribute specified in the Shared Contacts section of Configuration Manager returns empty values from your LDAP server. Select an attribute from the LDAP server that contains the sync key value for every resource and never returns a null or empty string.

Computed differences exceed configured deletion limits, not applying changes

The deletion or suspension limit set in GCDS has been reached. Change the Delete Limits setting in GCDS to avoid this error, or see the sync log for more details on what would have been deleted or suspended and decide if you need to change the limit.

EntityExists(1301)

The sync tool is unable to add users or groups. If an administrator creates an account manually or through an API on the Google domain, GCDS may try to create it anyway, because it caches Google accounts locally to improve performance.

To resolve this issue, flush the GCDS cache by adding the -f argument to the sync-cmd command, or remove the cache folder (syncState) in one of the following directories:
  • For Windows: %USERPROFILE%\syncState
  • For Linux: ~/syncState

EntityNameNotValid(1303)

This error is caused by one of the following:

1. GCDS is attempting to create a user or email alias that exists in a domain that is not part of your Google account.
Solutions:

  • In Configuration Manager, go to LDAP Settings > Users > User Sync > Exclusion Rules and create user exclusion rules that exclude users in external domains.
  • Change your user search rules so that users in external domains are not returned.
  • Add the missing domain to your Google account as a secondary domain.

2. GCDS is syncing more users than your account is provisioned for.
Solutions:

  • In Configuration Manager, go to LDAP Settings > Users > User Sync and limit the scope of your user search to return fewer users.
  • In Configuration Manager, make sure you've specified the proper base distinguished name (DN) that points to the root containing only users that need to be imported into the Google domain.

java.lang.RuntimeException: javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]

A base DN specified in Configuration Manager may be pointing to an object that doesn't exist on your LDAP server. Check the base DN specified in your LDAP connection, user, group, profile, and shared contacts filter sections, and ensure that you use an existing object as the base DN for each.

java.security.cert.CertPathValidatorException: revocation status check failed: no CRL found

Another service or network device is preventing GCDS from contacting the certificate authority for the HTTPS certificate used for APIs. Check for firewall or proxy rules that would restrict connections from the machine running GCDS.

If a proxy is required to access the web from the machine running GCDS, it must be configured properly.

You can work around this behavior by disabling the certificate revocation list check. However, this is not recommended for security reasons. If you decide to make the change anyway, you disable the certificate revocation list check by adding the following lines to the config-manager.vmoptions and sync-cmd.vmoptions files in the GCDS installation directory:
-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false

More information: How does GCDS check certificate revocation lists?
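
To find installations where this workaround was applied and later forgotten, the following added example (not part of GCDS or Google's documentation) scans the two vmoptions files named above for the revocation-disabling properties. The function names and the sample file content are assumptions made for the illustration.

```python
import re
from pathlib import Path

# File and property names are the ones given in the text above.
VMOPTIONS_FILES = ("config-manager.vmoptions", "sync-cmd.vmoptions")
REVOCATION_PROPS = ("com.sun.net.ssl.checkRevocation",
                    "com.sun.security.enableCRLDP")
_PROP = re.compile(r"^-D(?P<key>[^=\s]+)=(?P<value>\S*)$")


def audit_vmoptions(text):
    """Return [(line_number, property)] for each line that sets a
    revocation property to false. Lines starting with '#' are skipped
    as comments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _PROP.match(line)
        if (match and match["key"] in REVOCATION_PROPS
                and match["value"].lower() == "false"):
            findings.append((lineno, match["key"]))
    return findings


def audit_install_dir(install_dir):
    """Audit both vmoptions files in a GCDS installation directory and
    return {filename: findings} for the files that have findings."""
    report = {}
    for name in VMOPTIONS_FILES:
        path = Path(install_dir) / name
        if path.is_file():
            hits = audit_vmoptions(
                path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[name] = hits
    return report


# Constructed sample of a vmoptions file carrying the workaround.
SAMPLE = """\
# JVM options (constructed sample)
-Xmx1g
-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false
"""

if __name__ == "__main__":
    print(audit_vmoptions(SAMPLE))
```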

javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name

The queries specified in one or more of the following pages of Configuration Manager don't have balanced parentheses:
  • LDAP Settings > Org Units > Search Rules
  • LDAP Settings > Users > User Sync
  • LDAP Settings > Groups > Group Search Rules
  • LDAP Settings > User Profiles > User Profiles Sync
  • LDAP Settings > Shared Contacts > Contacts Sync

Root exception is javax.naming.CommunicationException: servername:389

GCDS was unable to resolve the given LDAP server name. Make sure you enter a fully qualified domain name for the LDAP server, and make sure that the computer running GCDS is able to resolve it.

Note: When using Active Directory, you should always use your domain's fully qualified domain name as the server name.

SSL peer shut down incorrectly

This issue is usually due to traffic being forced through a proxy. If you're using a proxy, you need to configure the GCDS proxy settings.

Ensure that GCDS can connect to these specific URLs/ports.

It is possible that security software on the local computer is creating connection problems. Ask your administrator to disable any security software on the client machine and try again.

You are not authorized to access this API

Confirm that you have enabled the required Google APIs.

More information: Prepare your Google domain.

Domain user limit exceeded

You have attempted to add more users than you have licensed seats. Contact your sales representative to purchase more user licenses, or change your LDAP queries to synchronize fewer users.

java.lang.RuntimeException: Failed to execute query because the object at Base DN: "DC=domain,DC=com" is missing or inaccessible

Start by checking the DN in both the LDAP Configuration tab and in any of the search rules where you've defined a base DN override.

If that does not resolve the issue, and you're certain that the DN is valid, the issue may be with DNS resolution. You may see additional error information in the log such as:

  • javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: domain.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
  • javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: domain.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]

These errors indicate that the host is refusing the connection or that the connection is timing out. Try running a DNS lookup on this hostname, and make sure that all of the addresses being returned are valid and allow connections on the port you've configured.

Note: These errors can occur even if you've specified a valid hostname/IP address in the GCDS configuration. Active Directory may issue an LDAP referral response, directing GCDS to connect via a hostname. This referral may ultimately be to the hostname which is failing to resolve. You can avoid these referrals by connecting to your Active Directory server using the Global Catalog port which defaults to 3268. For details, see Global Catalog and LDAP Searches.
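
The lookup-and-connect check described above can be scripted. This added example (not part of GCDS or Google's documentation) resolves a hostname, attempts a TCP connection to every address returned, and reports which ones refuse or time out; the function name is an assumption, and the demo uses a loopback listener in place of a real LDAP server.

```python
import socket


def check_ldap_endpoints(host, port, timeout=3.0):
    """Resolve host and try a TCP connect to every address returned.

    Returns a list of (address, status) where status is "ok", "refused",
    "timeout" or "error: ..."; a failed lookup yields one "dns-failure" row.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, f"dns-failure: {exc}")]
    results, seen = [], set()
    for family, socktype, proto, _canon, sockaddr in infos:
        address = sockaddr[0]
        if address in seen:  # the resolver may list an address twice
            continue
        seen.add(address)
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            status = "ok"
        except ConnectionRefusedError:
            status = "refused"
        except socket.timeout:
            status = "timeout"
        except OSError as exc:
            status = f"error: {exc}"
        results.append((address, status))
    return results


if __name__ == "__main__":
    # Constructed demo: a loopback listener stands in for the LDAP server.
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        print(check_ldap_endpoints("127.0.0.1", port))  # listener is up
    print(check_ldap_endpoints("127.0.0.1", port))      # listener is closed
```

Run it from the machine that runs GCDS, against the hostname and port from your LDAP connection settings and against any hostname that appears in the logged exception.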

Character is invalid at location

Some of the information in the custom schema is not valid.
See here for the current limits that apply to custom schema. 

If you have trace-level logs enabled, you can also see the full HTTP request for the custom schema.

java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: GC overhead limit exceeded

The defined memory limit was exceeded, which caused the sync to fail.

See What if I am seeing memory-related errors to resolve the issue. 

Failed trying to connect to the specified LDAP server

GCDS is unable to connect to the LDAP server. Make sure: 

  • You’re using the correct communication protocol. If the LDAP server requires a secure protocol, use LDAP + SSL.
  • The LDAP server is up, running, and doesn’t have any other connection issues.

Network problem: Unable to connect to the specified LDAP server

GCDS is unable to find the LDAP server. Make sure that the computer running GCDS has access to the specified host and port.

Authentication problem: Unable to connect using the credentials supplied

The LDAP server is rejecting GCDS requests due to an authentication issue.

Make sure that the authorized user and their password are correct. The authorized user should be added using their complete distinguished name (DN). For details on adding the authorized user, see LDAP connection settings.

Failed to execute query at Base DN <base-dn>

GCDS is unable to connect to the base distinguished name (DN). Make sure: 

  • The base DN exists in the LDAP server.
  • The authorized user has permissions for the base DN.

Failed to execute query at Base DN <base-dn> for attribute: <attribute>, reason: NameNotFoundException

GCDS is failing to retrieve information from the LDAP server. Make sure: 

  • The <base-dn> object exists and is accessible to the authorized user
  • The <attribute> exists for the <base-dn> object in the LDAP server.