SiteMinder policy server connects to a decommissioned LDAP user store

Article ID: 224585

Products

SITEMINDER

Issue/Introduction

Customer decommissioned an LDAP user store, then added a new type of LDAP user store.

However, the LDAP admin reports that they are still seeing socket connections from the policy server to the already decommissioned LDAP user store.

Customer tried rebooting the policy server, which did not resolve the issue.

Cause

Initially, the suspicion was that objects referencing the decommissioned LDAP user store were still left in the policy store.

Run "dxdumpdb -f filename.ldif dsaname"

This generates filename.ldif, a dump of the CA Directory policy store.

However, the dump contains no reference to the decommissioned LDAP user store.

Checking the Admin UI for any configuration reference also found nothing matching the decommissioned LDAP user store.

Netstat on the policy server shows it is indeed connected:

TCP    policy server ip:53277   decommissioned_hostname:ldaps  ESTABLISHED
TCP    policy server ip:53278   decommissioned_hostname:ldaps  ESTABLISHED

Next, we found in the policy server trace.log that when an Authenticate call is made to a legitimate user store, the same thread, in the exact same second, also triggers a Bind call to the decommissioned LDAP user store. The LDAP Bind call then repeats every 30 seconds.

[08/23/2021][06:35:11][06:35:11.090][][][][][WUxxxxxxxxxxxxx=][6940][2828][][][][][][][][][][SmAuthUser.cpp:5448][CSmAuthUser::Authenticate][][][][][][][authscheme][][][][userstore][][uid][uid=...........com][][][][][][][][][][LDAP://new_LDAP_hostname:636/uid=....com][][][Authenticating user by the auth scheme][][][][][][][][][]
[08/23/2021][06:35:11][06:35:11.106][][][][][][6940][2828][][][][][][][][][][SmDsLdapFunctionImpl.cpp:504][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-00770] (AuthenticateUser) DN: 'uid=..............com' . Status: Error 49 . Invalid credentials][][][][][][][][][]
[08/23/2021][06:35:11][06:35:11.106][][][][][][6940][2828][][][][][][][][][][SmDsLdapConnMgr.cpp:917][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server decommissioned_LDAP : 389. Error 49-Invalid credentials][][][][][][][][][]


[08/23/2021][06:35:11][06:35:11.137][][][][][][6940][2508][][][][][][][][][][SmDsLdapConnMgr.cpp:917][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server decommissioned_LDAP : 389. Error 49-Invalid credentials][][][][][][][][][]
[08/23/2021][06:36:11][06:36:11.946][][][][][][6940][2508][][][][][][][][][][SmDsLdapConnMgr.cpp:917][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server decommissioned_LDAP : 389. Error 49-Invalid credentials][][][][][][][][][]
[08/23/2021][06:36:42][06:36:42.356][][][][][][6940][2508][][][][][][][][][][SmDsLdapConnMgr.cpp:917][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server decommissioned_LDAP : 389. Error 49-Invalid credentials][][][][][][][][][]
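The correlation described above (an Authenticate to the configured store followed, on the same thread and in the same second, by a Bind to a host that appears nowhere in the configuration) can be checked mechanically over trace.log. The script below is an added example, not part of this article or of the SiteMinder product: it splits each record into its bracketed fields (honouring the nested brackets inside LogMessage), flags Bind attempts to any host missing from an allowlist of configured user stores, links each to the triggering Authenticate call, and reports the interval between repeated Binds per thread. The sample records are constructed from the excerpt above with placeholder DNs; the host names `new_LDAP_hostname` and `decommissioned_LDAP` and the field positions come from the excerpt, and `configured_hosts` is an allowlist you supply from your own user-store configuration.

```python
import re
from datetime import datetime

# Constructed sample modelled on the trace.log excerpt in this article. The DNs are
# placeholders; the field layout mirrors the original lines exactly.
SAMPLE_TRACE = """\
[08/23/2021][06:35:11][06:35:11.090][][][][][WUxxxxxxxxxxxxx=][6940][2828][][][][][][][][][][SmAuthUser.cpp:5448][CSmAuthUser::Authenticate][][][][][][][authscheme][][][][userstore][][uid][uid=example.user,dc=example,dc=com][][][][][][][][][][LDAP://new_LDAP_hostname:636/uid=example.user,dc=example,dc=com][][][Authenticating user by the auth scheme][][][][][][][][][]
[08/23/2021][06:35:11][06:35:11.106][][][][][][6940][2828][][][][][][][][][][SmDsLdapFunctionImpl.cpp:504][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-00770] (AuthenticateUser) DN: 'uid=example.user,dc=example,dc=com' . Status: Error 49 . Invalid credentials][][][][][][][][][]
[08/23/2021][06:35:11][06:35:11.106][][][][][][6940][2828][][][][][][][][][][SmDsLdapConnMgr.cpp:917][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server decommissioned_LDAP : 389. Error 49-Invalid credentials][][][][][][][][][]
[08/23/2021][06:35:11][06:35:11.137][][][][][][6940][2508][][][][][][][][][][SmDsLdapConnMgr.cpp:917][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server decommissioned_LDAP : 389. Error 49-Invalid credentials][][][][][][][][][]
[08/23/2021][06:36:11][06:36:11.946][][][][][][6940][2508][][][][][][][][][][SmDsLdapConnMgr.cpp:917][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server decommissioned_LDAP : 389. Error 49-Invalid credentials][][][][][][][][][]
[08/23/2021][06:36:42][06:36:42.356][][][][][][6940][2508][][][][][][][][][][SmDsLdapConnMgr.cpp:917][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server decommissioned_LDAP : 389. Error 49-Invalid credentials][][][][][][][][][]
"""

# Message patterns taken from the excerpt: the Bind error names the target host and port,
# the Authenticate record carries the configured store as an LDAP:// URL.
BIND_RE = re.compile(r"\[sm-Ldap-01370\] SmDsLdapConnMgr Bind\. Server (\S+) : (\d+)\.")
AUTH_RE = re.compile(r"LDAP://([^:/\]]+):(\d+)/")
SRC_RE = re.compile(r"\[([A-Za-z]+\.cpp:\d+)\]")


def split_fields(line):
    """Split one trace.log record into its top-level [..] fields, keeping nested brackets intact."""
    fields, buf, depth = [], [], 0
    for ch in line.rstrip("\n"):
        if ch == "[":
            depth += 1
            if depth == 1:
                continue
        elif ch == "]":
            depth -= 1
            if depth == 0:
                fields.append("".join(buf))
                buf = []
                continue
        if depth >= 1:
            buf.append(ch)
    return fields


def parse_events(text):
    """Extract Authenticate and Bind events. Fields 8/9 are pid/thread in the layout shown above."""
    events = []
    for line in text.splitlines():
        f = split_fields(line)
        if len(f) < 10 or not (f[8].isdigit() and f[9].isdigit()):
            continue  # not a record in the expected layout
        src = SRC_RE.search(line)
        base = {"ts": datetime.strptime(f"{f[0]} {f[2]}", "%m/%d/%Y %H:%M:%S.%f"),
                "second": f[1], "pid": f[8], "tid": f[9],
                "source": src.group(1) if src else ""}
        m = BIND_RE.search(line)
        if m:
            events.append({**base, "kind": "bind", "host": m.group(1), "port": int(m.group(2))})
            continue
        m = AUTH_RE.search(line)
        if m and "CSmAuthUser::Authenticate" in f:
            events.append({**base, "kind": "authenticate", "host": m.group(1), "port": int(m.group(2))})
    return events


def find_unexpected_binds(text, configured_hosts):
    """Bind attempts to hosts outside the allowlist, each linked to the Authenticate call
    (if any) on the same pid/thread in the same second that triggered it."""
    events = parse_events(text)
    auths = {(e["pid"], e["tid"], e["second"]): e for e in events if e["kind"] == "authenticate"}
    findings = []
    for e in events:
        if e["kind"] != "bind" or e["host"] in configured_hosts:
            continue
        trigger = auths.get((e["pid"], e["tid"], e["second"]))
        findings.append({
            "when": e["ts"].isoformat(sep=" ", timespec="milliseconds"),
            "thread": e["tid"],
            "target": f'{e["host"]}:{e["port"]}',
            "triggered_by": f'{trigger["host"]}:{trigger["port"]}' if trigger else None,
        })
    return findings


def bind_intervals(text, host):
    """Seconds between consecutive Bind attempts to `host`, per thread (shows the retry cadence)."""
    by_thread = {}
    for e in parse_events(text):
        if e["kind"] == "bind" and e["host"] == host:
            by_thread.setdefault(e["tid"], []).append(e["ts"])
    return {tid: [round((b - a).total_seconds(), 1) for a, b in zip(ts, ts[1:])]
            for tid, ts in by_thread.items()}


if __name__ == "__main__":
    for finding in find_unexpected_binds(SAMPLE_TRACE, {"new_LDAP_hostname"}):
        print(finding)
    print(bind_intervals(SAMPLE_TRACE, "decommissioned_LDAP"))
```

Run against a real trace.log by reading the file into `text` and passing the host names of every user store defined in the Admin UI as `configured_hosts`; any target that is flagged but absent from the policy store dump is, as in this case, being reached through a referral rather than through SiteMinder configuration.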

Environment

Release : 12.8.03

Component : SITEMINDER -POLICY SERVER

Resolution

SiteMinder has LDAP referral chasing enabled by default, and it will chase LDAP referrals for fault-tolerance purposes.

The LDAP referral error does not appear until an LDAP call to the main LDAP server first fails.

There is no configuration in SiteMinder side pointing to the decommissioned LDAP user store.

The referral link must be removed from the LDAP-side configuration.