We're running an APSExpire job, and it fails when we use the
Directory Name for the Directory Host. The process reports:
[APS Version 12.8.0200.1992 - APSExpire Rev 12.8.0200.1992]
June 19, 2019 at 4:34:17 PM GMT+2-T-APS: Requesting Enhanced Referral Handling
June 19, 2019 at 4:34:17 PM GMT+2-T-APSExpire: ENTRY
6/19/19, 4:34 PM-E-[SM-APS-07331] Unable to locate Directory Object for host "MY_USER_DIRECTORY"
6/19/19, 4:34 PM-E-[SM-APS-07332] This host does not match any User Directories defined in the Policy Store
6/19/19, 4:34 PM-E-[SM-APS-05503] Unable to initialize directory "MY_USER_DIRECTORY"
We've configured APS.cfg with the User Directory name as shown below.
The User Directory has 3 LDAP instances, so we want to use the User
Directory name in order to ensure high availability of the User
Directory:
[APSExpire]
MYNEWJOB=MY_USER_DIRECTORY BASE(ou=myusers,o=directory,c=us) SCOPE(sub)
;;JOBONE=127.0.0.1
How can we fix this?
Release : 12.8
Component : SITEMINDER -POLICY SERVER
The error is expected.
By design:
- JOBNAME must be given the directory server name or IP address, not
the name of the User Directory that is created in the Policy Server.
- For LDAP directories, give the IP address or hostname of the
directory server, with the port number.
- For ODBC directories, give the DSN name that was given when the
directory was created.
As designed and implemented, the job works only if the directory
server name or IP address is given in JOBNAME.
As per the documentation, failover is not implemented in the
configuration of APSExpire:
APSExpire
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/advanced-password-services-configuration/aps-configuration-file/apsexpire.html
We do not recommend creating the same job 3 times. The LDAP User
Stores should be replicated, and as such, only 1 execution of the job
against 1 IP is needed.
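
The following pre-flight check for the [APSExpire] section is an added example, not Broadcom code. It flags a job whose host is a User Directory name (the failure reported above) and an LDAP host given without a port. It assumes that lines starting with ';' are comments and that the port is written as host:port; the sample hosts, job names and MY_DSN are constructed.

```python
# Added example: pre-flight check for the [APSExpire] section of APS.cfg.
# Assumptions: a line starting with ';' is a comment, and an LDAP host is
# written as host:port. Every value in SAMPLE_CFG is constructed.
SAMPLE_CFG = """\
[APSExpire]
MYNEWJOB=MY_USER_DIRECTORY BASE(ou=myusers,o=directory,c=us) SCOPE(sub)
;;JOBONE=127.0.0.1
LDAPJOB=ldap1.example.com:389 BASE(ou=myusers,o=directory,c=us) SCOPE(sub)
NOPORTJOB=192.0.2.10 SCOPE(sub)
DBJOB=MY_DSN
"""


def parse_apsexpire_jobs(cfg_text):
    """Return {job_name: host_token} for every job in the [APSExpire] section."""
    jobs, in_section = {}, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "apsexpire"
            continue
        if in_section and "=" in line:
            name, value = line.split("=", 1)
            tokens = value.split()
            # First token after '=' is the host; BASE(...), SCOPE(...) follow it.
            jobs[name.strip()] = tokens[0] if tokens else ""
    return jobs


def check_jobs(cfg_text, user_directory_names, odbc_dsns=()):
    """Return (job, problem) pairs for hosts that do not follow the rules on this page."""
    dir_names = {n.lower() for n in user_directory_names}
    dsns = {d.lower() for d in odbc_dsns}
    findings = []
    for job, host in parse_apsexpire_jobs(cfg_text).items():
        if host.lower() in dir_names:
            # The case reported on this page (SM-APS-07331 / SM-APS-07332).
            findings.append((job, "user-directory-name-used-as-host"))
        elif host.lower() in dsns:
            continue  # ODBC directory: the DSN name is the expected value
        elif ":" not in host or not host.rpartition(":")[2].isdigit():
            findings.append((job, "ldap-host-without-port"))
    return findings
```

Call check_jobs with the contents of APS.cfg, the User Directory names defined in the Policy Store, and any ODBC DSN names; an empty result means no job matched either pattern.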