Symantec Access Management


Ldap Error 89 in SMPS log

  • 1.  Ldap Error 89 in SMPS log

    Posted Jun 07, 2016 05:27 AM

    I am getting errors in smps.log as given below wrt policy store & session store, please advise.

     

     

    [20075/3771550576][Fri Jun 03 2016 14:30:32][LdapStore.cpp:962][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server server.test.com:11189 as cn=sessionstoreadmin,ou=Applications,dc=test,dc=com . LDAP error 89-Bad parameter to an ldap routine

    [20075/966757232][Fri Jun 03 2016 15:12:35][smldaputils.cpp:1090][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server x.x.x.x:11389 as cn=PolicyStoreAdminUser,ou=SpecialUsers,o=test.com . LDAP error 89-Bad parameter to an ldap routine

    [20075/966757232][Fri Jun 03 2016 15:32:35][smldaputils.cpp:1090][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server x.x.x.x:11389 as cn=PolicyStoreAdminUser,ou=SpecialUsers,o=test.com . LDAP error 89-Bad parameter to an ldap routine

    [20075/2754034544][Fri Jun 03 2016 15:40:37][LdapStore.cpp:962][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server server.test.com:11189 as cn=sessionstoreadmin,ou=Applications,dc=test,dc=com . LDAP error 89-Bad parameter to an ldap routine

    [20075/3341466480][Fri Jun 03 2016 15:40:37][LdapStore.cpp:962][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server server.test.com:11189 as cn=sessionstoreadmin,ou=Applications,dc=test,dc=com . LDAP error 89-Bad parameter to an ldap routine

    [20075/966757232][Fri Jun 03 2016 15:57:35][smldaputils.cpp:1090][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server x.x.x.x:11389 as cn=PolicyStoreAdminUser,ou=SpecialUsers,o=test.com . LDAP error 89-Bad parameter to an ldap routine.

     

     

    How can this issue be fixed?

    Thanks in advance,

    Ankush



  • 2.  Re: Ldap Error 89 in SMPS log
    Best Answer

    Broadcom Employee
    Posted Jun 07, 2016 06:04 AM

    Hi Ankush,

     

    The error :

     

        LDAP error 89-Bad parameter to an ldap routine

     

    means that the request has an invalid parameter or the LDAP server cannot process one of the parameters.

    That could have many reasons. It can be a timeout after an unsuccessful search.

    You might check the Policy Store LDAP server traces to see, when the Policy Server writes the error, what the LDAP server reports.

    Do you run several replicated LDAP Policy Stores?

     

    Best Regards,

    Patrick



  • 3.  Re: Ldap Error 89 in SMPS log

    Posted Jun 07, 2016 06:16 AM

    Hi Patrick,

    Yes, they are replicated LDAP instances for both session store & policy store.

     

    Thanks,

    Ankush



  • 4.  Re: Ldap Error 89 in SMPS log

    Broadcom Employee
    Posted Jun 07, 2016 06:34 AM

    Hi Ankush,

     

    If you run only 1 Policy Store, do you still have the errors? And what do the Policy Store traces say?

     

    Best Regards,

    Patrick



  • 5.  Re: Ldap Error 89 in SMPS log

    Posted Jun 07, 2016 07:59 AM

    Hi Patrick,

     

    Haven't tried with one Policy Store. Trace level is set to error level, so no error as such is getting logged in trace log.

     

    Thanks,

    Ankush



  • 6.  Re: Ldap Error 89 in SMPS log

    Posted Jun 08, 2016 10:04 AM

    Ankush

     

    Looks like you are using instance running on port 11189 as Session Store and instance running on port 11389 as Policy Store. But still both instances are on the same box.

     

    I am assuming this is CA Directory as Policy Store and Session Store. One question that I do have beyond this error message, is have we done capacity planning for Session Store. The Configuration requirements for Policy Store and Session Store are different. This also applies to hardware requirements too. Ideally you want to put Policy Store and Session Store on different hardware. You need to pay serious consideration to this.

     

    As Patrick suggested the first point to investigate is both Policy Server Logs and LDAP Server logs.



  • 7.  Re: Ldap Error 89 in SMPS log

    Posted Jun 09, 2016 11:24 PM

    Thanks Hubert,

     

    Yes, it's CA Directory for both stores; it's a test env with pretty good RAM & CPU on it. I will take a look in the LDAP log again to see if anything interesting is there to help.

    From a capacity planning perspective, are you eyeing OS capacity or user sustenance capacity on these servers?

     

    Regards,

    Ankush



  • 8.  Re: Ldap Error 89 in SMPS log

    Broadcom Employee
    Posted Jun 10, 2016 03:43 AM

    Hi Ankush,

     

    If you run CA Directory with a version lower than 12SP17, then set the CA Directory configuration:

        dxgrid-queue=no

    restart the CA Directory instances and see if you still face the issue.

    This will work around an issue on CA Directory for which this LDAP Server fails to return data correctly in some circumstances. That might be the problem we face in this thread.

     

    Best Regards,

    Patrick



  • 9.  Re: Ldap Error 89 in SMPS log

    Posted Jun 13, 2016 01:17 PM

    Hi Patrick,

     

    This change needs to go against all stores (say policy store & session store)?

    Version used is: R12 SP12 with SiteMinder R12.52 SP1.

     

    Thanks,

    Ankush



  • 10.  Re: Ldap Error 89 in SMPS log

    Broadcom Employee
    Posted Jun 14, 2016 02:22 AM

    Hi Ankush,

    Yes on all CA Directory instances.

    Best Regards,

    Patrick



  • 11.  Re: Ldap Error 89 in SMPS log

    Posted Jun 10, 2016 01:55 PM

    The hardware requirements and configuration tunings are different for PStore and SStore. Hence it is better to have them isolated. This stems from the fact of request / load pattern (Read-Writes in a PStore vs. Read-Writes in a SStore). This is more of a design and implementation discussion, but it does add value to keep 'em separate.

     

    Any luck on the logs from the CA Directory side?



  • 12.  Re: Ldap Error 89 in SMPS log

    Posted Jun 13, 2016 01:24 PM

    Hi Hubert,

    Not yet, no luck with the LDAP logs.

    Hardware of the server holding these components is quite high. Size allocated is 2 GB each for both session & policy store DSA.

    As per default design the DSA occupies the same amount of memory as its size; in case of session store, does it shoot up, and how to correlate these settings wrt file descriptors? Any suggestions?

    If you have a link / doc that can help in digging into the stores' performance a bit more, please let me know; that would be of great help.

     

    Thanks,

    Ankush



  • 13.  Re: Ldap Error 89 in SMPS log

    Broadcom Employee
    Posted Jun 14, 2016 01:24 PM

    Two binds, both failing. Can you bind using JXplorer or some other LDAP tool to make sure the accounts are set up OK?

    Also, if not SSL, get a packet trace to get further details on the LDAP bind call.

    Does SMCONSOLE connect OK?

     

    [20075/3771550576][Fri Jun 03 2016 14:30:32][LdapStore.cpp:962][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server server.test.com:11189 as cn=sessionstoreadmin,ou=Applications,dc=test,dc=com . LDAP error 89-Bad parameter to an ldap routine

    [20075/966757232][Fri Jun 03 2016 15:12:35][smldaputils.cpp:1090][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server x.x.x.x:11389 as cn=PolicyStoreAdminUser,ou=SpecialUsers,o=test.com . LDAP error 89-Bad parameter to an ldap routine
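
To line up the Policy Server side of these failures with the CA Directory logs, as several replies in this thread suggest, it helps to reduce smps.log to one row per failing endpoint and bind DN. The following is an added example, not part of the original thread and not Broadcom code; the function name `summarize_bind_failures` is hypothetical and the sample lines are constructed in the layout quoted above.

```python
import re
from datetime import datetime

# Constructed sample in the smps.log layout quoted in this thread;
# the INFO line is invented filler to show that non-bind lines are skipped.
SAMPLE = """\
[20075/3771550576][Fri Jun 03 2016 14:30:32][LdapStore.cpp:962][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server server.test.com:11189 as cn=sessionstoreadmin,ou=Applications,dc=test,dc=com . LDAP error 89-Bad parameter to an ldap routine
[20075/966757232][Fri Jun 03 2016 15:12:35][smldaputils.cpp:1090][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server x.x.x.x:11389 as cn=PolicyStoreAdminUser,ou=SpecialUsers,o=test.com . LDAP error 89-Bad parameter to an ldap routine
[20075/966757232][Fri Jun 03 2016 15:13:00][Example.cpp:1][INFO][sm-Example-00000] constructed filler line
[20075/2754034544][Fri Jun 03 2016 15:40:37][LdapStore.cpp:962][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server server.test.com:11189 as cn=sessionstoreadmin,ou=Applications,dc=test,dc=com . LDAP error 89-Bad parameter to an ldap routine
[20075/966757232][Fri Jun 03 2016 15:57:35][smldaputils.cpp:1090][ERROR][sm-Ldap-01600] SmObjLdap failed to bind to LDAP server x.x.x.x:11389 as cn=PolicyStoreAdminUser,ou=SpecialUsers,o=test.com . LDAP error 89-Bad parameter to an ldap routine.
"""

# [pid/tid][timestamp][source:line][LEVEL][message code] message
HEADER = re.compile(r"^\[(\d+)/(\d+)\]\[([^\]]+)\]\[([^\]]+)\]\[([A-Z]+)\]\[([^\]]+)\]\s*(.*)$")
# The bind DN may itself contain dots (o=test.com), so match lazily up to " . LDAP error".
BIND = re.compile(r"failed to bind to LDAP server (\S+):(\d+) as (.+?)\s*\. "
                  r"LDAP error (\d+)-(.*?)\.?$")

def summarize_bind_failures(log_text):
    """Group bind failures by (host, port, bind DN, LDAP error code)."""
    groups = {}
    for raw in log_text.splitlines():
        head = HEADER.match(raw.strip())
        if not head:
            continue
        _pid, tid, stamp, _src, level, _code, msg = head.groups()
        bind = BIND.search(msg)
        if level != "ERROR" or not bind:
            continue
        host, port, dn, err, _text = bind.groups()
        when = datetime.strptime(stamp, "%a %b %d %Y %H:%M:%S")
        g = groups.setdefault((host, int(port), dn, int(err)),
                              {"count": 0, "first": when, "last": when, "threads": set()})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], when), max(g["last"], when)
        g["threads"].add(tid)
    return groups

if __name__ == "__main__":
    for (host, port, dn, err), g in summarize_bind_failures(SAMPLE).items():
        print(f"{host}:{port} as {dn}: LDAP error {err} x{g['count']}, "
              f"{g['first']:%H:%M:%S}-{g['last']:%H:%M:%S}, {len(g['threads'])} thread(s)")
```

The first and last timestamps per group give the window to search in the directory-side logs for the same port and bind DN.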