LDAP Error 81 in policy server log SMPS can occur do to connection being closed outside of CA SSO
Addressed in two bugs
Background info for Policy Server User store connections model:
When request is made for user store a new “Connection Manager thread” is started the thread setups 4 connections to services the defined User Store object - labled as LDAP BANK
dir connection - used to bind user
usr connection - used to search for user (disambiguate)
ping connection - Monitor connection used only by connection manager thread
Legacy connection - no longer used (Security Bridge)
Summary of problem:
Policy Server reporting error 81 for the user store causing failing over then back even though the primary user store is healthy
The management thread (ping) is always active and reporting no errors, if no requests are made over one of the other connections of the LDAP_BANK IDLE out from the peer may occur or device in the middle may close the connection. In this scenario only the ping thread connection remains established, the other three go into a close_wait state. They will stay on close_wait until the policy server attempts to use the connection when this occurs error 81 is logged resulting in failover process takes place.
Simple scenario where this occurs: User store is Active Directory authentications method NTLM. NTLM authentication is a trusted authentication scheme meaning IIS performs the authentication, Policy Server trusts the authentication performing authorization – result is the “Dir” connection does not get used - IDLE out.
Summary of Change: To fix the above issue, code was added to check if current server is reachable or not, and if it reachable, trying to reconnect to existing server instead of next server and avoiding failover to next server.FYI: Support and other customers have requested supportability change/enhancement to the User Store Connections model: Changing from LDAP BANK to a pooling type of connections this will allow easier adjusting of connection pool size
VOTE for this change: https://communities.ca.com/ideas/235718429