APSExpire error when using UserDirectory Name

Article ID: 134099

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER

Issue/Introduction

We're running an APSExpire job, and it fails when we use the Directory Name for the Directory Host. The process reports:

  [APS Version 12.8.0200.1992 - APSExpire Rev 12.8.0200.1992]
  June 19, 2019 at 4:34:17 PM GMT+2-T-APS: Requesting Enhanced Referral Handling
  June 19, 2019 at 4:34:17 PM GMT+2-T-APSExpire: ENTRY
  6/19/19, 4:34 PM-E-[SM-APS-07331] Unable to locate Directory Object for host "MY_USER_DIRECTORY"
  6/19/19, 4:34 PM-E-[SM-APS-07332] This host does not match any User Directories defined in the Policy Store
  6/19/19, 4:34 PM-E-[SM-APS-05503] Unable to initialize directory "MY_USER_DIRECTORY"

We've configured APS.cfg that way, giving the User Directory name. The User Directory has 3 LDAP instances, so we want to use the User Directory name in order to ensure high availability of the User Directory:

[APSExpire]
  MYNEWJOB=MY_USER_DIRECTORY BASE(ou=myusers,o=directory,c=us) SCOPE(sub)
  ;;JOBONE=127.0.0.1

How can we fix this?


Environment

Release : 12.8

Component : SITEMINDER -POLICY SERVER

Resolution

The error is expected.

By design:

- The job entry (JOBNAME) must specify the directory server name or IP address, not the name of the User Directory that is created in the Policy Server.

  - For LDAP directories, give the IP address or hostname of the directory server, with the port number.

  - For ODBC directories, give the DSN name that was given when the directory was created.

By design and in the code as implemented, the job works only if the directory server name or IP address is given in JOBNAME.

According to the documentation, failover is not implemented in the APSExpire configuration:

  APSExpire

  https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/advanced-password-services-configuration/aps-configuration-file/apsexpire

We do not recommend creating the same job 3 times. The LDAP User Stores should be replicated, so only 1 execution of the job, against 1 IP, is needed.
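
An added example (not part of the original article or the product): a small Python triage script that matches the host named in the SM-APS-07331 error against the job targets in the [APSExpire] section of APS.cfg, so the misconfigured job can be identified from the APSExpire output. The sample text is constructed from the excerpts above; the function names and the treatment of lines starting with ';' as comments are assumptions.

```python
import re

# Constructed sample input, modelled on the APS.cfg excerpt and APSExpire output above.
SAMPLE_CFG = """\
[APSExpire]
  MYNEWJOB=MY_USER_DIRECTORY BASE(ou=myusers,o=directory,c=us) SCOPE(sub)
  ;;JOBONE=127.0.0.1
"""
SAMPLE_LOG = """\
6/19/19, 4:34 PM-E-[SM-APS-07331] Unable to locate Directory Object for host "MY_USER_DIRECTORY"
6/19/19, 4:34 PM-E-[SM-APS-07332] This host does not match any User Directories defined in the Policy Store
6/19/19, 4:34 PM-E-[SM-APS-05503] Unable to initialize directory "MY_USER_DIRECTORY"
"""

# SM-APS-07331 carries the job target that APSExpire could not resolve.
UNRESOLVED = re.compile(r'\[SM-APS-07331\].*?for host "([^"]+)"')

def apsexpire_jobs(cfg_text):
    """Return {job name: target} for the [APSExpire] section of APS.cfg text."""
    jobs, in_section = {}, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[apsexpire]"
            continue
        # Assumption: lines starting with ';' are comments, as ';;JOBONE' suggests.
        if not in_section or not line or line.startswith(";") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        tokens = value.split()
        # The target is the first token; BASE(...) and SCOPE(...) follow it.
        jobs[name.strip()] = tokens[0] if tokens else ""
    return jobs

def failing_jobs(cfg_text, log_text):
    """Map each job whose target was reported in SM-APS-07331 to that target."""
    unresolved = set(UNRESOLVED.findall(log_text))
    return {job: tgt for job, tgt in apsexpire_jobs(cfg_text).items() if tgt in unresolved}

if __name__ == "__main__":
    for job, target in failing_jobs(SAMPLE_CFG, SAMPLE_LOG).items():
        print(f"{job}: target {target!r} was rejected; use the directory server "
              "host name or IP address (LDAP) or the DSN (ODBC) instead")
```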