error binding roles when user directory is in round robin configuration (Legacy_Onyx KB Id: 129919)


Article ID: 55011




Products: CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On



The customer receives a "Task Failed" error message from IdentityMinder when attempting to "Create Organization" within IdentityMinder. The application log shows the following:

16:24:10,349 WARN [ims] Waiting for Primary Events 0f00a8c0-2258-3fa2d2ed-3238-02222694
16:24:10,728 INFO [ims.tasktrack] Executing library method
16:24:10,786 ERROR [ims.[facility=4 severity=2 reason=0 status=38 message=No items found]] Create_Organization: Process_Auto_Access_Roles: Unable to get roles bound to org- exception:
16:24:10,903 ERROR [ims.[facility=4 severity=3 reason=0 status=2 message=SmImsCommand (bindRoleToOrg) Provider call failed
Error Code was: -2147418005
Error Message: Object Not UniqueID:1811]] Create_Organization: Process_Auto_Admin_Roles: Unable to get roles from orgRoleBinding - exception:
16:24:10,903 ERROR [ims] Create_Organization: Errors on provisioning roles to new org: 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net'
16:24:10,904 ERROR [ims] Create_Organization: Unable to create organization - exception caught
16:24:10,904 ERROR [ims] Exception Occured during event processing.
16:24:11,239 WARN [ims] Evt 0f00a8c0-2258-3fa2d2ed-3238-02222694 is invalid.
16:24:12,984 INFO [ims.tasktrack] Task performed for session 0f00a8c0-2258-3fa2d2ed-3238-02222694


This appears to be a situation where a round-robin user directory configuration is causing the problem. The theory is based on analysis of the authentication logs: they show the same LDAP search failing immediately after it succeeded moments prior (see the log snippet below).

To test this theory, I have asked the customer to change the user directory configuration from round-robin to failover mode.

---- Authentication log snippet showing the likely error (note the LDAP SERVER BANK IP ADDRESS) ----

[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] Using LDAP server bank # 1 : 'nn.nn.nn.128:389'
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject classID)] 1
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject dirOID)] 27-000e1657-fe71-1f54-869b-832cc85a0000
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject envOID)] 00-
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject orgDN)] ou=x,ou=y,dc=z,dc=company,dc=net
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (stringListToArray)] Empty List passed in
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (stringListToArray)] Empty List passed in
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject)] Creating an Organization
[31/Oct/2003:18:08:28 -0500][21-CIMSDsLdapProvider::copyWellknownToAttr] Empty value found. Skipping attribute %ORG_DESCR%
[31/Oct/2003:18:08:28 -0500][21-CIMSDsLdapProvider::copyWellknownToAttr] Empty value found. Skipping attribute reyreyparent
[31/Oct/2003:18:08:28 -0500][21-CIMSDsLdapProvider::ValidateIMSObjectPath] Search root 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net'
[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] (Search) Base: 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net', Filter: '(objectclass=*)'. Status: 1 entries


[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] Using LDAP server bank # 2 : 'nn.nn.nn.129:389'
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg dirOID)] 27-000e1657-fe71-1f54-869b-832cc85a0000
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg envOID)] 2a-0004e953-048b-1f55-869b-832cc85a0000
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg orgDN)] ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg classID)] 4
[31/Oct/2003:18:08:28 -0500][21-SmObjProvider] Searching for object 'Agent' in domain '0a-00000000-0000-0000-0000-000000000000
[31/Oct/2003:18:08:28 -0500][21-SmObjProvider] Name : '2a-0004e953-048b-1f55-869b-832cc85a0000'
[31/Oct/2003:18:08:28 -0500][21-SmObjProvider] Searching for object 'Agent' in domain '0a-00000000-0000-0000-0000-000000000000
[31/Oct/2003:18:08:28 -0500][21-SmObjProvider] Name : '2a-0004e953-048b-1f55-869b-832cc85a0000'
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg)] Got provider
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (lookupRoleType)] Looking for ACCESS roles
[31/Oct/2003:18:08:28 -0500][21-CIMSDsLdapProvider::ValidateIMSObjectPath] Search root 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net'
[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] (Search) Base: 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net', Filter: '(objectclass=*)'. Status: Error 32. No such object

Removing the round-robin directory configuration fixes the problem.

---------------------------------------------------------

We basically run into transaction processing problems here.

First, the round-robin operation is outside the scope of IMS. As far as IMS is concerned, when you create an organization and bind roles to it, for example, there are multiple steps that need to be completed:

- Create the requested ou
- Create the role binding

For this to work correctly, the set of operations must be atomic and must all be completed against one user directory. With round-robin, consecutive requests may be sent to different user directories, and because replication lag is not coordinated with IMS actions, any dependent step may be sent to a replica that has not yet received the object created by the previous step and will fail.
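To spot this pattern in a SiteMinder/IMS authentication log without reading it line by line, here is an added Python example; it is not part of the article or the product, and the log lines, DN and IP addresses in it are constructed to mirror the snippet above. It flags any DN that was found on one server bank and then returned "Error 32. No such object" on a different bank.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the authentication log in this article
# (placeholder DN and addresses, not real infrastructure).
SAMPLE_LOG = """\
[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] Using LDAP server bank # 1 : '10.0.0.128:389'
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject)] Creating an Organization
[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] (Search) Base: 'ou=123456,ou=x,dc=example,dc=net', Filter: '(objectclass=*)'. Status: 1 entries
[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] Using LDAP server bank # 2 : '10.0.0.129:389'
[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] (Search) Base: 'ou=123456,ou=x,dc=example,dc=net', Filter: '(objectclass=*)'. Status: Error 32. No such object
"""

# "Using LDAP server bank # N : 'host:port'" marks every switch of target server.
BANK_RE = re.compile(r"Using LDAP server bank # (\d+) : '([^']+)'")
# "(Search) Base: '<dn>' ... Status: <result>" is the per-search outcome line.
SEARCH_RE = re.compile(r"\(Search\) Base: '([^']+)'.*Status: (.+)$")


def find_round_robin_inconsistencies(log_text: str) -> List[dict]:
    """Return one finding per DN that was readable on one server bank and then
    missing (Error 32) on a different bank: the signature of dependent
    operations being spread across replicas that have not yet converged."""
    current_bank: Tuple[str, str] = ("?", "?")
    last_seen: Dict[str, Tuple[str, str]] = {}  # dn -> (bank number, server) where it was found
    findings: List[dict] = []
    for line in log_text.splitlines():
        m = BANK_RE.search(line)
        if m:
            current_bank = (m.group(1), m.group(2))
            continue
        m = SEARCH_RE.search(line)
        if not m:
            continue
        dn, status = m.group(1), m.group(2)
        if status.endswith("entries") and not status.startswith("0 "):
            last_seen[dn] = current_bank  # the object exists on this bank
        elif "Error 32" in status and dn in last_seen and last_seen[dn] != current_bank:
            findings.append({"dn": dn, "found_on": last_seen[dn], "missing_on": current_bank})
    return findings


if __name__ == "__main__":
    for f in find_round_robin_inconsistencies(SAMPLE_LOG):
        print(f"{f['dn']}: found on bank {f['found_on']}, missing on bank {f['missing_on']}")
```

A hit means two dependent IMS steps reached different directory servers; pinning the sequence to one server (failover mode) removes the dependency on replication timing.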


Component: IDMIND