Policy Server : Failover problem when LDAP User Directory returns errors

Article ID: 223102

Products

SITEMINDER

Issue/Introduction

When running a Policy Server, if one of the LDAP User Store instances starts
returning errors continuously, users can no longer log in to the
application. Failover does not appear to be working.

 

Cause

The problem before 08:22:22 is that the LDAP instance 10.1.1.6 was
continuously responding with an error. Because the instance still answered,
the Policy Server did not fail over to the next LDAP instance in the first
bank. And as it replied with an error, it most likely replied fast: since
load balancing between the LDAP banks is based on response time, the
majority of connections were still sent to 10.1.1.6.

The culprit LDAP host was 10.1.1.6, which is the first LDAP instance in
the first load-balanced bank.

  myLdapUserDirectory

  Namespace LDAP:

  10.1.1.6:636 10.1.2.6:636 10.1.2.7:636 10.1.1.7:636 10.1.1.4:636 10.1.2.4:636,
  10.1.2.6:636 10.1.2.7:636 10.1.1.7:636 10.1.1.4:636 10.1.2.4:636 10.1.1.6:636,
  10.1.2.7:636 10.1.1.7:636 10.1.1.4:636 10.1.2.4:636 10.1.1.6:636 10.1.2.6:636,
  10.1.1.7:636 10.1.1.4:636 10.1.2.4:636 10.1.1.6:636 10.1.2.6:636 10.1.2.7:636,
  10.1.1.4:636 10.1.2.4:636 10.1.1.6:636 10.1.2.6:636 10.1.2.7:636 10.1.1.7:636,
  10.1.2.4:636 10.1.1.6:636 10.1.2.6:636 10.1.2.7:636 10.1.1.7:636 10.1.1.4:636
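The mechanism described above, as an added example that is not SiteMinder's own scheduler: a simplified model of a response-time-based chooser over the first bank listed in the directory definition. The 30-second hold after a failed connect is the figure this article reports; the instance latencies, the connect timeout, the smoothing factor and the routing rule itself are assumptions made for the model. It shows that an instance answering quickly with an LDAP error result keeps attracting almost all requests, while only an unreachable instance gets skipped.

```python
"""Model of response-time based routing across one LDAP bank (added example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed constants. The 30 s hold is the figure the article reports after a
# failed connect; the timeout and the smoothing factor are assumptions.
DOWN_HOLD_SECONDS = 30.0
CONNECT_TIMEOUT_SECONDS = 1.0
SMOOTHING = 0.2


@dataclass
class Instance:
    addr: str
    latency: float            # seconds a reply (valid or error) takes
    state: str = "ok"         # "ok" | "error" (LDAP error result) | "down" (unreachable)
    skipped_until: float = -1.0


class ResponseTimeRouter:
    """Hypothetical chooser: the lowest smoothed response time wins. A failed
    connect removes the instance for DOWN_HOLD_SECONDS; an LDAP *error result*
    is a normal, timed reply and leaves the instance in rotation."""

    def __init__(self, bank):
        self.bank = list(bank)
        self.rtt = {inst.addr: 0.0 for inst in self.bank}
        self.now = 0.0

    def pick(self):
        live = [i for i in self.bank if i.skipped_until <= self.now]
        return min(live, key=lambda i: self.rtt[i.addr])

    def send(self):
        inst = self.pick()
        if inst.state == "down":
            inst.skipped_until = self.now + DOWN_HOLD_SECONDS
            self.now += CONNECT_TIMEOUT_SECONDS
            return inst.addr, "connect_failed"
        # An error result is timed exactly like a good one: the instance stays attractive.
        self.rtt[inst.addr] += SMOOTHING * (inst.latency - self.rtt[inst.addr])
        self.now += inst.latency
        return inst.addr, "ok" if inst.state == "ok" else "ldap_error"


def run(router, requests):
    """Send `requests` through the router; return (hits per instance, hits per outcome)."""
    by_addr, by_outcome = Counter(), Counter()
    for _ in range(requests):
        addr, outcome = router.send()
        by_addr[addr] += 1
        by_outcome[outcome] += 1
    return by_addr, by_outcome


def first_bank():
    # The first bank from the article's directory definition; latencies are constructed.
    addrs = ["10.1.1.6:636", "10.1.2.6:636", "10.1.2.7:636",
             "10.1.1.7:636", "10.1.1.4:636", "10.1.2.4:636"]
    bank = [Instance(a, latency=0.050) for a in addrs]
    bank[0].latency, bank[0].state = 0.005, "error"   # fast but broken, like 10.1.1.6
    return bank


def scenario():
    bank = first_bank()
    router = ResponseTimeRouter(bank)
    erroring = run(router, 200)          # instance answers with errors: no failover
    bank[0].state = "down"               # operator shuts the instance down
    after_shutdown = run(router, 100)    # one failed connect, then the rest go elsewhere
    return erroring, after_shutdown


if __name__ == "__main__":
    (err_addr, err_out), (down_addr, down_out) = scenario()
    print("while erroring:", dict(err_addr), dict(err_out))
    print("after shutdown:", dict(down_addr), dict(down_out))
```

In the first phase every instance is tried once, after which the fast erroring instance wins every pick and 195 of 200 requests fail with an LDAP error. In the second phase a single failed connect takes it out of rotation and the remaining 99 requests succeed on the other instances.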

Policy Servers report errors until 08:20:31:

myMonitoringLog:
  
  "[2832/140446654490368][Wed Aug 18 2021 08:20:31][SmDsLdapConnMgr.cpp:1201][ERROR]
   [sm-Ldap-02230] Error# '1' during search: 'error: Operations error extended error: 
   000020EF: SvcErr: DSID-020802CD, problem 5012 (DIR_ERROR), data -1090' 
   Search Query = 'objectclass=*' for server '10.1.1.6:636'"
  
  "[1411/140551504512768][Wed Aug 18 2021 08:20:31][SmDsLdapFunctionImpl.cpp:1264]
   [ERROR][sm-Ldap-00830] (GetUserProp) DN: 'CN=jsmith,OU=Users,DC=training,DC=com', 
   Filter: 'myAttr1=*' . Status: Error 1 . Operations error"
  
  "[1411/140551504512768][Wed Aug 18 2021 08:20:31][SmDsLdapConnMgr.cpp:1201][ERROR]
   [sm-Ldap-02230] Error# '1' during search: 'error: Operations error extended error: 
   000020EF: SvcErr: DSID-020802CD, problem 5012 (DIR_ERROR), data -1090' 
   Search Query = 'myAttr1=*' for server '10.1.1.6:636'"
  
  "[1411/140551504512768][Wed Aug 18 2021 08:20:31][SmDsLdapFunctionImpl.cpp:1264]
   [ERROR][sm-Ldap-00830] (GetUserProp) DN: 'CN=jsmith,OU=Users,DC=training,DC=com', 
   Filter: 'myAttr2=*' . Status: Error 1 . Operations error",
  
  "[1411/140551504512768][Wed Aug 18 2021 08:20:31][SmDsLdapConnMgr.cpp:1201][ERROR]
   [sm-Ldap-02230] Error# '1' during search: 'error: Operations error extended error: 
   000020EF: SvcErr: DSID-020802CD, problem 5012 (DIR_ERROR), data -1090' 
   Search Query = 'myAttr2=*' for server '10.1.1.6:636'",

When you shut down the LDAP User Store 10.1.1.6:636, the Policy Server
reports it down for 30 seconds:

      
  [884/139843757647616][Wed Aug 18 2021 08:22:22][SmDsLdapConnMgr.cpp:645][ERROR]
  [sm-Ldap-01280] SmDsLdapConnMgr (ldap_search_ext_s) in PingServer :
  Can't contact LDAP server at 10.1.1.6:636

  [...]

  [884/139843766040320][Wed Aug 18 2021 08:22:52][SmDsLdapConnMgr.cpp:917][ERROR]
  [sm-Ldap-01370] SmDsLdapConnMgr Bind. Server 10.1.1.6 : 636.
  Error 91-Can't connect to the LDAP server

  [...]

and no errors are seen afterwards; users can log in to the web sites as
expected.
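Since the Policy Server only fails over on a connect failure, an instance that keeps answering with LDAP error results has to be spotted and taken offline by an operator. The following added example (not part of the article or of the Policy Server) parses the monitoring-log entries quoted above and flags any instance that returned several error results within a short window while still being reachable. The mapping of sm-Ldap message codes to "error result" versus "connect failure" is taken only from the entries on this page; the sample log is those entries re-joined onto one line each, without the surrounding quotes.

```python
"""Flag LDAP instances that answer with error results, which failover does not skip."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Message codes taken from the entries quoted in this article (assumption: the
# mapping covers only those codes, not the full Policy Server catalogue).
#   result errors : instance is reachable but answers with an LDAP error result,
#                   which the article shows does NOT make the Policy Server fail over
#   connect errors: instance cannot be reached, which DOES trigger failover
RESULT_ERROR_CODES = {"02230", "00830"}
CONNECT_ERROR_CODES = {"01280", "01370"}

ENTRY_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]"
    r"\[(?P<ts>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\]"
    r"\[(?P<src>[^\]]+)\]\[(?P<level>[A-Z]+)\]\s*\[sm-Ldap-(?P<code>\d+)\]\s*(?P<msg>.*)$"
)
# host:port anywhere in the message; tolerates "10.1.1.6 : 636" as written by the bind error
SERVER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(\d{1,5})")

# Constructed sample: entries from the article, one per line as the Policy Server writes them.
SAMPLE_LOG = """\
[2832/140446654490368][Wed Aug 18 2021 08:20:31][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '1' during search: 'error: Operations error extended error: 000020EF: SvcErr: DSID-020802CD, problem 5012 (DIR_ERROR), data -1090' Search Query = 'objectclass=*' for server '10.1.1.6:636'
[1411/140551504512768][Wed Aug 18 2021 08:20:31][SmDsLdapFunctionImpl.cpp:1264][ERROR][sm-Ldap-00830] (GetUserProp) DN: 'CN=jsmith,OU=Users,DC=training,DC=com', Filter: 'myAttr1=*' . Status: Error 1 . Operations error
[1411/140551504512768][Wed Aug 18 2021 08:20:31][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '1' during search: 'error: Operations error extended error: 000020EF: SvcErr: DSID-020802CD, problem 5012 (DIR_ERROR), data -1090' Search Query = 'myAttr1=*' for server '10.1.1.6:636'
[1411/140551504512768][Wed Aug 18 2021 08:20:31][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '1' during search: 'error: Operations error extended error: 000020EF: SvcErr: DSID-020802CD, problem 5012 (DIR_ERROR), data -1090' Search Query = 'myAttr2=*' for server '10.1.1.6:636'
[884/139843757647616][Wed Aug 18 2021 08:22:22][SmDsLdapConnMgr.cpp:645][ERROR][sm-Ldap-01280] SmDsLdapConnMgr (ldap_search_ext_s) in PingServer : Can't contact LDAP server at 10.1.1.6:636
"""


@dataclass
class LdapEvent:
    ts: datetime
    code: str
    server: Optional[str]   # None when the entry names no host (e.g. the GetUserProp line)
    msg: str


def parse_entries(text: str) -> List[LdapEvent]:
    """Parse monitoring-log lines; lines that are not sm-Ldap entries are ignored."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        s = SERVER_RE.search(m["msg"])
        server = f"{s.group(1)}:{s.group(2)}" if s else None
        events.append(LdapEvent(ts=datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S"),
                                code=m["code"], server=server, msg=m["msg"]))
    return events


def find_fast_failing_servers(events, window_seconds=60, threshold=3):
    """Return {server: first_error_time} for instances that produced at least
    `threshold` error results inside `window_seconds` with no connect failure
    logged for them in that window: reachable, broken, and not failed over."""
    window = timedelta(seconds=window_seconds)
    by_server = defaultdict(lambda: {"result": [], "connect": []})
    for e in events:
        if e.server is None:
            continue
        if e.code in RESULT_ERROR_CODES:
            by_server[e.server]["result"].append(e.ts)
        elif e.code in CONNECT_ERROR_CODES:
            by_server[e.server]["connect"].append(e.ts)
    flagged = {}
    for server, ts in by_server.items():
        results = sorted(ts["result"])
        for i, start in enumerate(results):
            end = start + window
            hits = sum(1 for t in results[i:] if t <= end)
            unreachable = any(start <= t <= end for t in ts["connect"])
            if hits >= threshold and not unreachable:
                flagged[server] = start
                break
    return flagged


if __name__ == "__main__":
    for server, since in find_fast_failing_servers(parse_entries(SAMPLE_LOG)).items():
        print(f"{server}: error results since {since:%Y-%m-%d %H:%M:%S}, take it offline")
```

On the sample, 10.1.1.6:636 is flagged from 08:20:31 because it returned three error results in one second; the connect failure at 08:22:22, once the operator had shut it down, falls outside the 60-second window. Widening the window to 120 seconds makes the connect failure count and the instance is no longer flagged, since at that point failover is already handling it.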

 

Environment

Policy Server 12.8SP3 on Red Hat 6

 

Resolution

To make failover work between the LDAP groups, shut down or take offline
the failing LDAP User Store instance; this resolves the issue.