LDAP Sync Service is Failing After Following LDAP Referral to Another LDAP Server

Article ID: 227832

Products

VIP Service

Issue/Introduction

The ldapsync service stops syncing administrator users to the VIP Management portal.

Symantec VIP Enterprise Gateway service.out log:

ERROR "2021-10-27 00:09:01.903 GMT+1100" 10.140.30.180 LDAPSync 0 0 0  "actor=LDAPSyncService,text=Job (Ldap_Sync_Group.ServiceDelayed_Job threw an exception.,op=Synchronization
org.quartz.SchedulerException: Job threw an unhandled exception. [See nested exception: java.lang.NoClassDefFoundError: javax/mail/MessagingException]
 at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
 at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: java.lang.NoClassDefFoundError: javax/mail/MessagingException
 at com.verisign.ldapSync.client.LDAPSyncMgr.startLDAPSync(LDAPSyncMgr.java:280)
 at com.verisign.ldapSync.client.LDAPSyncMgr.run(LDAPSyncMgr.java:164)
 at com.verisign.ldapSync.scheduler.LDAPSyncJob.execute(LDAPSyncJob.java:151)
 at org.quartz.core.JobRunShell.run(JobRunShell.java:202)

Symantec VIP Enterprise Gateway service.log log:

INFO  "2022-01-06 14:40:03.329 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPStore:fetchAdminRecords] Following referral: ldaps://this.ldap.server/DC=int\,DC=ldap,DC=server,op=Synchronization"
ERROR "2022-01-06 14:40:03.368 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPStore:fetchAdminRecords] Error while creating referral context.,op=Synchronization"
ERROR "2022-01-06 14:40:03.368 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPStore:fetchAdminRecords] NamingException. Error: simple bind failed: this.ldap.server:636,op=Synchronization"
ERROR "2022-01-06 14:40:03.368 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPStore:fetchAdminRecords] Please refer to the LDAPSync service.out file in logs folder for the complete stack trace.,op=Synchronization"
ERROR "2022-01-06 14:40:03.369 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPStore:fetchAdminRecords] Deferring the admin sync operation for this store and marking the store as unreachable for now.,op=Synchronization"
WARN  "2022-01-06 14:40:03.369 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:fetchCloudAndLdapAdminRecords] Ldap Admin records null.,op=Synchronization"
ERROR "2022-01-06 14:40:03.369 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:fetchCloudAndLdapAdminRecords] Admin Store is Unreachable. Deferring Admin Sync operation for this admin store.,op=Synchronization"
WARN  "2022-01-06 14:40:03.369 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:fetchCloudAndLdapAdminRecords] <<WARNING>> Aborting Admin Sync Operation.,op=Synchronization"
ERROR "2022-01-06 14:40:03.370 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:fetchCloudAndLdapAdminRecords] Exception occured while fetching Ldap Admin records. Error: Admin Store is Unreachable. Deferring Admin Sync operation for this admin store.,op=Synchronization"
WARN  "2022-01-06 14:40:03.371 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:fetchCloudAndLdapAdminRecords] <<WARNING>> Aborting Admin Sync Operation.,op=Synchronization"
ERROR "2022-01-06 14:40:03.371 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPSyncMgr] <<WARNING>> Admin Synchronization failed. Error: Admin Store is Unreachable. Deferring Admin Sync operation for this admin store.,op=Synchronization"

Cause

VIPEG receives an LDAP referral and tries to connect to the referred LDAP server, but the connection fails.

VIPEG is configured to connect to "this.ldap.server:636". The log shows it was trying to reach "another.ldap.server:636" but was unable to connect.

STATUS | wrapper  | 2021/10/27 09:42:17 | Launching a JVM...
INFO   | jvm 1    | 2021/10/27 09:42:17 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
INFO   | jvm 1    | 2021/10/27 09:42:17 |   Copyright 1999-2006 Tanuki Software, Inc.  All Rights Reserved.
INFO   | jvm 1    | 2021/10/27 09:42:17 | 
INFO   | jvm 1    | 2021/10/27 09:44:40 | javax.naming.CommunicationException: simple bind failed: another.ldap.server:636 [Root exception is java.net.SocketException: Connection reset]

LDAP warnings won't necessarily cause the LDAP operation to fail. If the LDAP referral warnings cause the entire LDAP sync to fail, a message indicating that the operation has been aborted appears in the logs. Example: "<<WARNING>> Aborting Admin Sync Operation.,op=Synchronization".
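An added example (not part of the original article or the product): a Python triage function that applies the rule above to service.log records, reporting which referral hosts were followed, which binds failed, and whether the abort message appeared. The function and field names are hypothetical; the sample lines are taken from the service.log excerpt above.

```python
import re
from urllib.parse import urlsplit

# Lines taken from the service.log excerpt in this article.
SAMPLE = r'''
INFO  "2022-01-06 14:40:03.329 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPStore:fetchAdminRecords] Following referral: ldaps://this.ldap.server/DC=int\,DC=ldap,DC=server,op=Synchronization"
ERROR "2022-01-06 14:40:03.368 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPStore:fetchAdminRecords] NamingException. Error: simple bind failed: this.ldap.server:636,op=Synchronization"
WARN  "2022-01-06 14:40:03.369 GMT-0800" 10.132.7.24 LDAPSync 0 0 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:fetchCloudAndLdapAdminRecords] <<WARNING>> Aborting Admin Sync Operation.,op=Synchronization"
'''

# Record layout: LEVEL "timestamp" host service ... "actor=...,text=...,op=..."
LINE = re.compile(r'^(?P<level>[A-Z]+)\s+"(?P<ts>[^"]+)"\s.*?text=(?P<text>.*?),op=(?P<op>\w+)"?\s*$')
REFERRAL = re.compile(r'Following referral: (\S+)')
BIND_FAIL = re.compile(r'simple bind failed: ([^\s:]+):(\d+)')
ABORT = 'Aborting Admin Sync Operation'


def triage(log_text):
    """Summarise referral activity in a service.log excerpt (hypothetical helper)."""
    result = {"referral_hosts": [], "bind_failures": [], "aborted_at": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and stack-trace lines do not match the record layout
        text = m["text"]
        if (r := REFERRAL.search(text)):
            host = urlsplit(r.group(1)).hostname
            if host not in result["referral_hosts"]:
                result["referral_hosts"].append(host)
        elif (b := BIND_FAIL.search(text)):
            result["bind_failures"].append((b.group(1), int(b.group(2))))
        elif ABORT in text and result["aborted_at"] is None:
            result["aborted_at"] = m["ts"]
    failed = {host for host, _ in result["bind_failures"]}
    # A referral warning alone is not fatal; the abort message marks a failed sync.
    result["referral_caused_abort"] = bool(
        result["aborted_at"] and failed & set(result["referral_hosts"]))
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```
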

Resolution

Resolve the LDAP referral errors. Adjust LDAP permissions and User Store filters if necessary.

Note: The following steps are provided "as-is" to bypass LDAP referral errors and allow the LDAP sync to complete. 

  • Open \VIP_Enterprise_Gateway\LdapSync\services\ldapSync\conf\ldapSyncSettings.properties
  • Locate the line: ldapsync.skipReferralsOnException=false
  • Change the value from false to true, then restart the VIP EG server.
  • If VIPEG encounters a referral exception after connecting to the LDAP referral, it will skip this error and resume the remainder of the LDAP Sync operation.