Description:

In r12.0 SP3, there has been an issue detected when a DSA is performing a very large "memberOf" group modify.

If the maximum operation time "max-op-time" of the DSA is too low, then the DSA may incorrectly terminate the operation before it has time to complete. This knowledge document details the issue, the errors that are generated and the resolution.

Solution:

Issue Summary

The memberOF group modification (as seen in the query log):

[84] 20101128.042257.832 935.93 MODIFY dn="cn=All-Users,OU=Groups,o=Democorp,c=AU"[84] 20101128.042257.833 935.93 SEARCH dn="cn=All-Users,OU=Groups,o=Democorp,c=AU" scope=base-object eis=member uniqueMember[84] 20101128.042257.833 935.93 MODIFY dn="cn=001,OU=Users,o=Democorp,c=AU"[88] 20101128.042257.834 935.93 MODIFY dn="cn=002,OU=Users,o=Democorp,c=AU"[95] 20101128.042257.836 935.93 MODIFY dn="cn=003,OU=Users,o=Democorp,c=AU"[73] 20101128.042257.837 935.93 MODIFY dn="cn=004,OU=Users,o=Democorp,c=AU"[69] 20101128.042257.838 935.93 MODIFY dn="cn=005,OU=Users,o=Democorp,c=AU"[66] 20101128.042257.839 935.93 MODIFY dn="cn=006,OU=Users,o=Democorp,c=AU"[78] 20101128.042257.861 935.93 MODIFY dn="cn=007,OU=Users,o=Democorp,c=AU"[87] 20101128.042257.862 935.93 MODIFY dn="cn=008,OU=Users,o=Democorp,c=AU"......[85] 20101128.042327.992 935.94 MODIFY dn="cn=009,OU=Users,o=Democorp,c=AU"[68] 20101128.042327.997 935.94 MODIFY dn="cn=010,OU=Users,o=Democorp,c=AU"[91] 20101128.042328.001 935.94 MODIFY dn="cn=011,OU=Users,o=Democorp,c=AU"

The above modification is for the group entry "cn=All-Users,OU=Groups,o=Democorp,c=AU".

The LDAP operation is to remove all existing users from the group and replace them with over 4000 new members.

The "memberOf" functionality requires time to:

1. Search the group entry to determine the existing membership
2. Remove the group name from each existing users entry
3. Remove the existing members from the group
4. Add the group name to the new users entries
5. Add the new members to the group entry

If the DSA's maximum operation time is too low (example 10 seconds), the operation will be timed out by the DSA.

The timeout message recorded in the DSAs warn log will read:

[32] 20101128.042328.002 WARN : userOpTimedOut 935/94

And the following error will be recorded in the DSAs query log:

[32] 20101128.042328.014 935.94 RESULT error service 8

In the r12.0 SP3 DSA, this condition is not handled correctly, resulting in the DSA crashing when the "memberOf" operation is timed out.

The error indicating the DSA failure will read:

* [66] 20101128.042328.131 DSA_E1370 Fatal signal received

This DSA crashing issue has been resolved in CA Directory r12.0 Service Pack 5.

Resolution

A workaround for this issue is to increase the max-op-time setting within your DSA to allow the large group modify to complete. Testing will be required in order to determine an optimal max-op-time.
Once a time value has been determined, please add approx 120 seconds to that value to allow for any larger queries to be processed.

If router DSAs is used in the environment, then the same maximum operation time needs to be set on both the router and data DSAs.

The solution is to upgrade to CA Directory r12.0 Service Pack 5 (or later).