Layer7 Access Management

Tech Tip - CA Single Sign-On: Policy Server logs error 91 against LDAP policy store

By wonsa03 posted 04-20-2016 08:35 PM


CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 21st April 2016


ISSUE:

Policy Server logs "Error 91 - Can't connect to the LDAP server" against the LDAP policy store, even though every one of the following connectivity checks run from the Policy Server host succeeds:

  • telnet to the LDAP port (using both the hostname and the IP address)
  • Test Connection in the SM Management Console
  • running the ldapsearch command against the directory


CAUSE:

The default LDAP ping timeout is 10 seconds, but in the R12.52 SP1 release the Policy Server interprets the LDAPPingTimeout value as milliseconds instead of seconds. The default of 10 is therefore applied as 10 milliseconds, which is too short for a real LDAP round trip, so the ping fails and error 91 is logged even though the directory is reachable.


RESOLUTION:

The fix is included in R12.52 SP1 CR1 and later releases. With the fix, the Policy Server reads the LDAPPingTimeout value in seconds again.


WORKAROUND:

Add or update the following registry value, in the sm.registry file on UNIX or through Registry Editor on Windows, so that the value the affected release reads as milliseconds still amounts to the intended 10 seconds:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug
LDAPPingTimeout = 10000; REG_DWORD


Alternatively, set any other reasonable ping timeout, expressed in milliseconds.

Restart Policy Server after the updates.
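Added example, not from the tech tip or from the product: a small Python checker that parses an sm.registry-style snippet in the key/value layout shown above and reports the timeout the Policy Server would actually apply, modelling the affected R12.52 SP1 build (value read as milliseconds) beside a fixed CR1-or-later build (value read as seconds). The sample registry text is constructed, and acceptance of 0x-prefixed hex values is an assumption about sm.registry formatting.

```python
import re

# Constructed sample in the layout shown in the tech tip (not a real sm.registry dump):
# the Debug key carries the default value of 10, which the affected build reads as 10 ms.
SAMPLE_REGISTRY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Netegrity\\SiteMinder\\CurrentVersion\\Debug
LDAPPingTimeout = 10; REG_DWORD
"""

DEBUG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug"
DEFAULT_PING_TIMEOUT = 10  # seconds, as stated in the tech tip

VALUE_RE = re.compile(r"(\w+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*;")


def read_ping_timeout(registry_text):
    """Return the LDAPPingTimeout number under the Debug key, or None if it is not set.
    Decimal and 0x-prefixed hex are both accepted (hex storage is an assumption)."""
    current_key = None
    for raw in registry_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            # A key line starts a new section; sm.registry may append "=<flags>" to it.
            current_key = line.split("=")[0].strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key == DEBUG_KEY and m.group(1) == "LDAPPingTimeout":
            text = m.group(2)
            return int(text, 16) if text.lower().startswith("0x") else int(text)
    return None


def effective_timeout_ms(value, affected_build):
    """Milliseconds the Policy Server will really wait for the LDAP ping.
    affected_build=True models R12.52 SP1 (value taken as ms); False models CR1+ (seconds)."""
    if value is None:
        value = DEFAULT_PING_TIMEOUT
    return value if affected_build else value * 1000


def check(registry_text, affected_build, min_ok_ms=1000):
    """Return (effective_ms, ok) where ok means the timeout is at least min_ok_ms."""
    ms = effective_timeout_ms(read_ping_timeout(registry_text), affected_build)
    return ms, ms >= min_ok_ms
```

Note the reverse hazard the model also exposes: once a server is upgraded to a build that reads seconds, a workaround value of 10000 becomes a 10000-second ping timeout, so set it back to 10 after upgrading.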


Comments

05-22-2018 02:28 AM

Hi Kelly,

We have R12.6 GA, but we are still having this issue with our AD User Directories, though not with the LDAP User Directory.

We are able to view content from the User Directories, and we are also able to connect using JXplorer and perform all operations.

The issue is that the connection gets dropped for only a few minutes, then it gets reconnected.

In spite of the higher version of Policy Server, we applied the settings suggested by you, but we still have the same issue.


Any other suggestions will be appreciated.


Thanks,

Rakesh