We're running a Policy Server, and sometimes a corrupted object appears in the Policy Store, which leads to a rise in the number of agent commands, and the Policy Server reports this error:

[6528/1184][Fri Jun 26 2020 15:22:30][SmPolicyServer.cpp:1883][ERROR][sm-Server-00620] Exception in JournalThread. Text: Policy store failed operation 'CleanAgentCmds' for object type 'Policy store provider'. LDAP Error Deleting AgentCommand object: 32: No such object

We needed to clean all AgentCommands manually. How can we prevent this from happening?
The issue comes from a duplicated AgentCommand object:
smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:6126a9af-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com
dn: smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:6126a9af-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com
objectClass: smAgentCommand4
objectClass: top
instanceType: 4
objectCategory: CN=smAgentCommand4,CN=Schema,CN=Configuration,CN={ECEBF945-F74D-4442-WW144-1EB8C10D5527
smAgentCommandOID4:: MTQtYTjMDFjMmQtOWDASDE8sETgxLWJmMTctZmQ0Y2JjN2Y4ODlmCkNORjo2MTI2YTlhZi05YWZjLTRiYTgtODI5YS1iZjhiZTQ3YZmNzE=
smCommand4: 4
smTimeStamp4: 159340000
distinguishedName: smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:6126a9af-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com
dSCorePropagationData: 1601010100141100.0Z
name:: MTQtYTljMDFjMmQtOWM3ZC00MTgsadsJmMTctZmQ0Y2JjN2Y4ODlmCkNORjo2MTI2YTlhZi05YWZjLTRiYTgtODI5YS1iZjhiASDSADTZmNzE=
objectGUID:: r6kmYfyaqEuCmr+as454pvcQ==
smCommandData4: {RC2}0GpXaPg22dasDSSG8b8eg9BDLRpVY2IDsZ1V/NiizFzJVeShIZ9CKQN1GzSTaW+8rA5GTnEmCcU9pYMT1duRMJOH8hrvdASD414dJZJGe+VtGsjSe5/Y/VGIAfaVPQCBjZRLbDsWJ9GyqLbSXYe9zCA5M0j5IcxUuqAgjCoJ4n8=
uSNChanged: 762445608
uSNCreated: 762244131
whenChanged: 20200530001741.0Z
whenCreated: 20200530001545.0Z
This is due to a known internal AD LDS (Active Directory) processing behaviour, described in:
Active Directory: Duplicate Object Name Resolution
https://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx
When Active Directory detects a naming conflict during replication, it renames the losing object by appending \0ACNF:<objectGUID> to its RDN, which is where the \0ACNF: suffix in the DN above comes from.
We analysed the .ldif file and found no corruption, which means the duplicate data most likely comes from a replication issue or from a problem with the LDAP service itself.
Policy Store on Active Directory and AD LDS.
Investigate the LDAP service's replication and runtime behaviour to understand the cause of the duplicated object.
1. For environment tuning and implementation, refer to the documentation here:
Data Tier Performance
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/implementing/implementing-ca-single-sign-on/performance-tuning/data-tier-performance.html
and, for the whole environment:
Performance Tuning
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/implementing/implementing-ca-single-sign-on/performance-tuning.html
2. No version of the Policy Server is able to handle duplicated objects in the Policy Store, as they are unexpected. You have to investigate the AD LDS service and the replication between both instances.
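As an added example, not part of this article or of the product, the following Python script does the kind of .ldif analysis mentioned above: it parses a Policy Store LDIF export, finds entries whose DN carries the \0ACNF:<objectGUID> suffix that Active Directory appends when it resolves a duplicate name, and reports whether the original (unmangled) object is still present, which is what lets you spot the duplicate before the Policy Server trips over it. The sample export and the dc=example,dc=com suffix are constructed; only the smAgentCommandOID4/smAgentCommand4 names come from the record above.

```python
import base64
import re
# Constructed sample export (not from the article): a healthy AgentCommand entry and
# its conflict-mangled duplicate (RDN carries "\0ACNF:<objectGUID>"), folded LDIF-style.
SAMPLE_LDIF = """\
dn: smAgentCommandOID4=14-aaaa,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,
 dc=example,dc=com
objectClass: smAgentCommand4
smCommand4: 4

dn: smAgentCommandOID4=14-aaaa\\0ACNF:11111111-2222-3333-4444-555555555555,
 OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=example,dc=com
objectClass: smAgentCommand4
smCommand4: 4
"""
# AD conflict mangling: "<rdn-attr>=<value>\0ACNF:<objectGUID>,<parent DN>"
CNF_RE = re.compile(r"^(?P<attr>[^=]+)=(?P<value>.*?)\\0ACNF:(?P<guid>[^,]+),(?P<parent>.*)$")

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Split an LDIF export into entries, unfolding continuation lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # folded line: append to the previous one
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value.strip())
    return entries

def find_conflict_objects(entries: list[dict[str, list[str]]]) -> list[tuple[str, str, bool]]:
    """Return (mangled DN, reconstructed original DN, original still present?) per CNF entry."""
    present = {e["dn"][0].lower() for e in entries if "dn" in e}
    hits = []
    for e in entries:
        m = CNF_RE.match(e.get("dn", [""])[0])
        if m:
            original = f"{m['attr']}={m['value']},{m['parent']}"
            hits.append((m.group(0), original, original.lower() in present))
    return hits
```

Run it against the real export with `find_conflict_objects(parse_ldif(open("store.ldif").read()))`; a hit whose original is still present is exactly the duplicate pair the Policy Server cannot clean up.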