Symantec Access Management

  • 1.  User Store failover error message

    Posted May 20, 2014 03:40 PM

    Hi, we have SiteMinder 12.52 on a Linux system. We have configured an LDAP directory as the user store, but we are seeing the error below if there is no login activity for 15-20 minutes and then a user tries to log in.

    [32141/3488459632][Tue May 20 2014 14:12:13][SmDsLdapConnMgr.cpp:1180][ERROR][sm-Ldap-02230] Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(&(uid=userid)(objectclass=*))'
    [32141/3488459632][Tue May 20 2014 14:12:13][SmDsLdapFunctionImpl.cpp:2131][INFO][sm-Server-04380] Failing over to LDAP server 'userstore:389' in LDAP server bank #1.

    Is it something to do with the user directory timeout setting?

    Is there any setting in the SiteMinder registry file that I can use to refresh the connection between SiteMinder and the user directory?



  • 2.  RE: User Store failover error message
    Best Answer

    Posted May 20, 2014 04:04 PM

    No setting that I know of. We get this Error 81 message on all our 12.51 and 12.52 policy servers. According to CA, it's a new feature where the software goes to use an idle LDAP connection that is no longer there (the socket has timed out from idleness). It's easily reproducible in the lab: authenticate and authorize some users, let the server sit idle overnight, log in the next day, and the error will appear. V6 SiteMinder will not log this error on the same userstore.

    We fail to see the purpose of it, as it makes it look like there is a connectivity, LDAP, or authentication/authorization problem, which there is not. We have not been able to solve it either.

     



  • 3.  RE: User Store failover error message

    Posted May 22, 2014 10:36 AM

    You are right, there is no setting, and the policy server is firing this error because it is acting as a client of the LDAP server and it is not aware that the connection has been closed.

    After a while, when there is a new authentication attempt, the policy server tries to reuse this connection, which has been closed by the LDAP server/firewall due to a timeout, so it generates this error and needs to recreate a set of connections.

    Hope that it helps.

    Julien.



  • 4.  RE: User Store failover error message

    Broadcom Employee
    Posted May 23, 2014 02:48 PM

    As this is CA Directory as a User Store with SiteMinder, also make sure the three parameters (mimic-netscape-for-siteminder, concurrent-bind-user, hold-ldap-connections) are set properly for the DSA as described at https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%205-ENU/Bookshelf_Files/HTML/idocs/345743.html#o516498

    Thanks,

    Hitesh



  • 5.  RE: User Store failover error message

    Posted May 29, 2014 11:03 AM

    The problem with these ERROR messages is that they imply there is some userstore, authentication or connectivity problem, but there is not.

    If the messages were labeled INFO, then I could see the logic in logging them. As it is now, we have to explain why our SiteMinder logs are littered with ERRORs. It really makes no sense to log an error when the software tries to use an expired/timed-out connection/socket.

     



  • 6.  RE: User Store failover error message

    Posted May 29, 2014 12:51 PM

    This is the exact issue I am facing now. Since these are logged as ERROR, in the report I now have to justify that these are not actual ERRORs but expected behavior.
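
An added example, not part of the thread and not SiteMinder code: a log triage script that separates the idle-connection pattern described in the replies above (a single Error 81 followed by a failover message on the same thread) from bursts of Error 81 that deserve investigation. The burst thresholds, the 5-second recovery window and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout of the policy server log lines quoted in the thread:
# [pid/tid][timestamp][source:line][LEVEL][message-id] text
LINE = re.compile(r"\[(\d+)/(\d+)\]\[([^\]]+)\]\[[^\]]+\]\[(\w+)\]\[([\w-]+)\] (.*)")
ERR81, FAILOVER = "sm-Ldap-02230", "sm-Server-04380"

# Constructed sample: first two lines follow the thread's excerpt, the rest are invented.
SAMPLE = """\
[32141/3488459632][Tue May 20 2014 14:12:13][SmDsLdapConnMgr.cpp:1180][ERROR][sm-Ldap-02230] Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(&(uid=userid)(objectclass=*))'
[32141/3488459632][Tue May 20 2014 14:12:13][SmDsLdapFunctionImpl.cpp:2131][INFO][sm-Server-04380] Failing over to LDAP server 'userstore:389' in LDAP server bank #1.
[32141/3488459700][Tue May 20 2014 16:00:01][SmDsLdapConnMgr.cpp:1180][ERROR][sm-Ldap-02230] Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(&(uid=a)(objectclass=*))'
[32141/3488459701][Tue May 20 2014 16:00:20][SmDsLdapConnMgr.cpp:1180][ERROR][sm-Ldap-02230] Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(&(uid=b)(objectclass=*))'
[32141/3488459702][Tue May 20 2014 16:00:40][SmDsLdapConnMgr.cpp:1180][ERROR][sm-Ldap-02230] Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(&(uid=c)(objectclass=*))'
""".splitlines()

def parse(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pid, tid, ts, level, msg_id, text = m.groups()
    return {"thread": (pid, tid), "level": level, "id": msg_id, "text": text,
            "ts": datetime.strptime(ts, "%a %b %d %Y %H:%M:%S")}

def triage(lines, burst_window=timedelta(minutes=5), burst_count=3):
    """Label each Error 81 event 'stale-connection' or 'investigate'.
    Thresholds are assumptions for this example, not product defaults."""
    events = [e for e in map(parse, lines) if e]
    errors = [e for e in events if e["id"] == ERR81 and "Error# '81'" in e["text"]]
    results = []
    for err in errors:
        # Recovery: the same thread logs the failover message within a few seconds.
        recovered = any(e["id"] == FAILOVER and e["thread"] == err["thread"]
                        and timedelta(0) <= e["ts"] - err["ts"] <= timedelta(seconds=5)
                        for e in events)
        # Burst: several Error 81 events close together point to a real outage.
        nearby = sum(1 for o in errors if abs(o["ts"] - err["ts"]) <= burst_window)
        label = "stale-connection" if recovered and nearby < burst_count else "investigate"
        results.append((err["ts"], label))
    return results

if __name__ == "__main__":
    for ts, label in triage(SAMPLE):
        print(ts.isoformat(), label)
```

Only events labelled `investigate` need a line in the report; the `stale-connection` ones can be counted separately as reconnects after idle time.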



  • 7.  Re: User Store failover error message

    Posted Aug 14, 2014 11:11 AM

    I am facing the same issue (12.51) and would like to remove it from the logs if possible. Has there been any update to clean this error up?



  • 8.  RE: User Store failover error message

    Broadcom Employee
    Posted Oct 08, 2019 07:55 AM
    Hi Robert,

    We are now running on V12.7 but we still get the error.



  • 9.  Re: User Store failover error message