Layer7 Access Management

Tech Tip: CA Single Sign-On :: Policy Server :: LDAP Error 81


    Posted 07-21-2015 11:40 AM

    LDAP Error 81 in the Policy Server SMPS log can occur due to a connection being closed outside of CA SSO.


    Addressed in two bug fixes:

    1. 120170 - R12.52 SP1 CR 2 (NOTE: the fix was built previously but is not listed in the readme)
    2. 142119 - future release R12.52 SP2


    Background on the Policy Server user store connection model:

    When a request is made to a user store, a new "Connection Manager thread" is started. That thread sets up four connections to service the defined User Store object, collectively labelled the LDAP BANK:

                   dir connection - used to bind the user
                   usr connection - used to search for (disambiguate) the user
                   ping connection - monitor connection, used only by the connection manager thread
                   Legacy connection - no longer used (Security Bridge)


    Summary of problem:

    The Policy Server reports error 81 for the user store and fails over to the next server, then back again, even though the primary user store is healthy.


    The management (ping) connection is always active and reports no errors. If no requests are made over one of the other connections in the LDAP BANK, that connection may be idled out by the peer, or a device in the path may close it. In this scenario only the ping connection remains ESTABLISHED; the other three go into CLOSE_WAIT. They stay in CLOSE_WAIT until the Policy Server next attempts to use the connection; at that point error 81 is logged and the failover process takes place.


    A simple scenario where this occurs: the user store is Active Directory and the authentication method is NTLM. NTLM is a trusted authentication scheme, meaning IIS performs the authentication and the Policy Server trusts it and performs only authorization. As a result the "dir" connection is never used and idles out.


    Summary of change:
    To fix the above issue, code was added that checks whether the current server is reachable. If it is, the Policy Server reconnects to the existing server instead of moving to the next one, avoiding the failover.
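
    The following is an added example, not CA code, that reproduces the mechanism described above with plain TCP sockets and then applies the fix from the summary of change. A constructed peer (standing in for the LDAP server, or for a device in the path such as a firewall) silently closes any connection that is idle for a short timeout; a small bank of named connections (dir, usr, ping) keeps only ping busy, so dir ends up in CLOSE_WAIT and its next use fails the way error 81 (LDAP result code 81, LDAP_SERVER_DOWN) does. The request() method then does what the fix describes: it probes whether the current server still accepts connections and, if so, rebuilds only the dead connection; failover is taken only when the probe fails. The class and function names, the ports, the idle timeout and the "ok" reply are all assumptions made for this example; none of it is the Policy Server's own code.

```python
import socket
import threading
import time

# Added example, not CA code: it simulates the LDAP BANK idle-out and the "reconnect if the
# current server is still reachable" fix. The peer, its reply and all ports are stand-ins.
LDAP_SERVER_DOWN = 81  # LDAP result code 81: the client's connection to the server is gone

class IdleClosingPeer:
    """Stand-in LDAP server (or device in the path) that silently closes idle connections."""
    def __init__(self, idle_timeout):
        self.idle_timeout, self.running = idle_timeout, True
        self.sock = socket.create_server(("127.0.0.1", 0))
        self.sock.settimeout(0.1)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()
        self.sock.close()  # stop listening: new connects are refused from here on

    def _handle(self, conn):
        conn.settimeout(self.idle_timeout)
        try:
            while conn.recv(1024):
                conn.sendall(b"ok\n")  # stand-in for an LDAP result
        except OSError:
            pass  # idle timeout hit: drop the connection with no application-level notice
        conn.close()  # sends FIN; the client's end of this connection now sits in CLOSE_WAIT

    def stop(self):
        self.running = False
        self.thread.join()

def reachable(host, port, timeout=1.0):
    """The check the fix adds: can a fresh TCP connection reach the current server?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class UserStoreBank:
    """Mimics the LDAP BANK: named connections (dir/usr/ping) to the current server."""
    def __init__(self, servers):
        self.servers, self.current, self.conns = list(servers), 0, {}
        self._open_bank()

    def _open_bank(self):
        for c in self.conns.values():
            c.close()
        host, port = self.servers[self.current]
        self.conns = {n: socket.create_connection((host, port), timeout=2) for n in ("dir", "usr", "ping")}

    def _alive(self, name, payload):
        try:
            self.conns[name].sendall(payload)         # may still succeed on a CLOSE_WAIT socket...
            return bool(self.conns[name].recv(1024))  # ...but the read then sees EOF or a reset
        except OSError:
            return False

    def request(self, name, payload):
        """Use one bank connection; returns (outcome, index of the server that answered)."""
        if self._alive(name, payload):
            return ("ok", self.current)
        host, port = self.servers[self.current]  # this is where error 81 would be logged
        if reachable(host, port):
            # The fix: the server is healthy and only this idle connection died,
            # so rebuild it in place instead of failing the whole store over.
            self.conns[name].close()
            self.conns[name] = socket.create_connection((host, port), timeout=2)
            outcome = "reconnected"
        else:
            # Pre-fix behaviour, now taken only when the server is really down.
            self.current = (self.current + 1) % len(self.servers)
            self._open_bank()
            outcome = "failover"
        if not self._alive(name, payload):
            raise RuntimeError(f"LDAP error {LDAP_SERVER_DOWN}: no user store reachable")
        return (outcome, self.current)

def demo(idle_timeout=0.3):
    primary, secondary = IdleClosingPeer(idle_timeout), IdleClosingPeer(idle_timeout)
    bank = UserStoreBank([("127.0.0.1", primary.port), ("127.0.0.1", secondary.port)])
    for _ in range(12):                            # only the ping connection carries traffic
        bank.request("ping", b"ping\n")
        time.sleep(idle_timeout / 4)
    first = bank.request("dir", b"bind\n")         # dir is in CLOSE_WAIT: error 81, but no failover
    primary.stop()                                 # now the primary really goes away
    time.sleep(idle_timeout * 2)                   # let usr idle out as well
    second = bank.request("usr", b"search\n")      # error 81 again; this time failover is right
    secondary.stop()
    return first, second

if __name__ == "__main__":
    print(demo())  # (('reconnected', 0), ('failover', 1))
```

    Running it prints (('reconnected', 0), ('failover', 1)): the first error 81 is survived without leaving the primary, while the second, raised after the primary has actually been stopped, does fail over. On a Policy Server host the same condition is visible before the error is ever logged as sockets to the user store's LDAP port sitting in CLOSE_WAIT in netstat -an output (or ss -tan state close-wait on Linux) while the single ping connection stays ESTABLISHED.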

    FYI: Support and other customers have requested a supportability enhancement to the user store connection model: changing from the LDAP BANK to a pooled connection model, which would make it easier to adjust the connection pool size.


    VOTE for this change: https://communities.ca.com/ideas/235718429