DaaS connector returned error during collection: Command failure: Type: find+chunked: [Non-DaaS exception: [java.lang.NullPointerException]]

Hi Guys

I am configuring an IDM identity collector on IGA and have a specific account created for this lets say "IDG_Collector".

When I "TEST CONNECTION" I get this error mentioned in the title: 

DaaS connector returned error during collection: Command failure: Type: find+chunked: [Non-DaaS exception: [java.lang.NullPointerException]]

However, when I use the ADMIN account (and it's password) with "Test Connection" it says "connection ok".

After that , I modify the username and password back to the ones for my "IDG_Collector" account and test again, also this works fine.

I was thinking maybe it was still using the cached connection with the Admin account of whatever so I deliberately wrote some unexisting account information in the username and test again. ==> authentication error.

So when I correct back to the info of account "IDG_Collector" ==> connection ok!

You might think now, ok , you solved your issue, no, I have not.

Because after a couple of days the error comes back and I have to re-establish the connection with the admin account to make the collector work again.

And this prevents me from setting up scheduled access review campaigns for my applications. Because they will only work once and the next time I have to intervene again.

OT support takes a long time to even understand my issue hence my desperate attempt to find something some salvation here.

Any help would be greatly appreciated.

  • 0

    Complementing Habip description (as I'm also working on that issue, trying to understand the root cause :)

    1. Within eDir (IDM) we created a non-admin account called "IDG_Collector" with READ permissions on (almost) the whole tree

    2. Configuration for host name, port number (636 LDAPS) and importing certificate --> all OK

    3. Testing the connection with admin credentials --> OK

    4. The testing the connection with "IDG_Collector" credentials --> OK

    5. Collecting data --> OK

    6. After a couple of days --> error in collecting data

    7. Clicking on "Test connection --> fail

    8. Reconfiguring the collector with admin credentials and click "Test connection" --> OK again

    9. Reconfiguring again the collector with IDG_Collector credentials and click "Test connection" --> OK

    Loop to point 5 above once a week...

    Main consequences:

    - we can't use the scheduler for recurrent collection as connection fails after a couple of day

    - we have extra work to manually "reset" connectivity, again and again, and this for each eDir (LDAPS) collectors, and we have more than 1

    Any hint/help appreciated!

    PS: problem reproduced in a LAB --> not related to only that specific IDG instance...

    Jacques Forster (IGA architect)

  • 0   in reply to 

    Hello,

    1) What is the exact version of Identity Governance that you are utilizing?

    2) What O/S is ID Gov installed on?

    3) Are you set-up in a Single Node or Many Nodes (Cluster) for ID Gov?

    4) What is the exact version of eDirectory that you are utilizing?

    5) Which IDM Identity Collector are you using:

    eDirectory Identity Collector
    Identity Manager Identity Collector
    IDM Identity with changes Collector

    6) Do you have a Proxy, Load Balancer, or something similar in front of your LDAP Server?

    7) Do you have a Proxy, Load Balancer, Apache, or someething similar in front of your ID Gov server?

    8) Is there a firewall between ID Gov and eDirectory?

    9) There should be an error in the logs when the error is seen in the UI. The error could be in one of three (3):

    catalina.out
    catalina.%date%.log
    localhost.%date%.log

    What information is there?


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hi Steven, thanks for your prompt reply. Here are the answers I have available (I'm not on site today and can't connect remotely; Habip may bring more details)

    1. IDG version is 3.7

    2. It is installed on Red Hat Linux (I do believe it is RHEL 8.4)

    3. Single node. Everything on one server except dB which sits on a MS-SQL (shared) server/cluster

    4. The eDir version is 9.x (the version included in IDM 4.8.5)

    5. We have the issue on the plain eDirectory collector configured to use LDAPS (port 636)

    6. Direct connection "host-to-host" for the LDAP traffic

    7. No proxy neither LB for the LDAP traffic to/from IDG server. There is a proxy (NAM) and LB for the HTTPS traffic (end-users access).

    8. Yes, but it can't be firewall settings because using 'admin' credentials it all works, and then when using non admin credentials...

    9. I let Habip share info found in the logs Slight smile

    Jacques Forster (IGA architect)

  • 0 in reply to   

    1) What is the exact version of Identity Governance that you are utilizing?

     

    Identity Governance client version 2022.1 - 3.7.0 was built on Wed February 16 2022 4:49 AM from revision efaf466. Pre-release: Development

    Identity Governance server version 2022.1 - 3.7.0-54 was built on Wed February 16 2022 11:44 PM from revision 18c6104f42. Pre-release: Development

    Your Customer license for Identity Governance 3.7 is valid.

     

    2) What O/S is ID Gov installed on?

    NAME="Red Hat Enterprise Linux"

    VERSION="8.4 (Ootpa)"

    ID="rhel"

    ID_LIKE="fedora"

    VERSION_ID="8.4"

    PLATFORM_ID="platform:el8"

    PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"

    ANSI_COLOR="0;31"

    CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"

    HOME_URL="some redhat url"

    DOCUMENTATION_URL="access.redhat.com/.../”

    BUG_REPORT_URL="somebugzilla url"

    REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"

    REDHAT_BUGZILLA_PRODUCT_VERSION=8.4

    REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"

    REDHAT_SUPPORT_PRODUCT_VERSION="8.4"

     

    3) Are you set-up in a Single Node or Many Nodes (Cluster) for ID Gov?

    Single Node

     

    4) What is the exact version of eDirectory that you are utilizing?

    Product Version: eDirectory for Linux x86_64 v9.2.6.0000 [DS]

     

    5) Which IDM Identity Collector are you using:

    I’m only trying with

    Identity Manager Identity Collector,

    but during tests I tried and had the same problems with

    AD identity and eDir Identity as well

     

     

    6) Do you have a Proxy, Load Balancer, or something similar in front of your LDAP Server?

    Direct connection "host-to-host" for the LDAP traffic

    7) Do you have a Proxy, Load Balancer, Apache, or someething similar in front of your ID Gov server?

     No proxy neither LB for the LDAP traffic to/from IDG server. There is a proxy (NAM) and LB for the HTTPS traffic (end-users access).

    8) Is there a firewall between ID Gov and eDirectory?

    No, they are in the same VLAN

     

    9) There should be an error in the logs when the error is seen in the UI. The error could be in one of three (3):

    • catalina.out

    no recent updates in this file

    I tried uploading the logs for the other 2 but my post was Blocked and flagged as "forbidden words"

  • 0 in reply to 

    [FINEST] 2024-07-12 10:56:32.189 [com.netiq.daas.daaservice.ServiceMap] [DAAS] Received request to unload service: d76627fd-f613-4acd-b050-56afd5cae8a4 [FINEST] 2024-07-12 10:56:32.189 [com.netiq.daas.daaservice.ServiceMap] [DAAS] Decremented load count on service: d76627fd-f613-4acd-b050-56afd5cae8a4, load count: null [ [SEVERE] 2024-07-12 10:56:32.191 [com.netiq.iac.server.rest.ConnectionService] [IG-SERVER] Test Connection error: DaaS connector returned error (500): Connection failed, invalid DaaS error com.netiq.iac.persistence.spi.exception.DaaSServiceException: com.netiq.iac.common.IacException at com.netiq.iac.persistence.dcs.dce.daas.DaaSService.testConnection(DaaSService.java:593) at com.netiq.iac.persistence.service.cum.DataCollectionService.testConnection(DataCollectionService.java:245) at com.netiq.iac.server.rest.ConnectionService.testConnection(ConnectionService.java:95) at sun.reflect.GeneratedMethodAccessor6193.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191) at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103) at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104) at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268) at org.glassfish.jersey.internal.Errors.process(Errors.java:316) at org.glassfish.jersey.internal.Errors.process(Errors.java:298) at org.glassfish.jersey.internal.Errors.process(Errors.java:268) at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289) at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256) at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703) at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416) at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at com.netiq.iac.common.j2ee.NoCacheFilter.doFilter(NoCacheFilter.java:65) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at com.netiq.iac.server.common.audit.AuditLogFilter.doFilter(AuditLogFilter.java:133) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at com.netiq.iac.server.j2ee.RestApiAuthFilter.doFilter(RestApiAuthFilter.java:141) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at com.netiq.iac.server.j2ee.ExecutionModeFilter.doFilter(ExecutionModeFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at com.netiq.iac.server.j2ee.AuthFilter.doFilter(AuthFilter.java:316) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at com.netiq.iac.server.j2ee.CORSFilter.doFilter(CORSFilter.java:80) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1732) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Caused by: com.netiq.iac.common.IacException at com.netiq.iac.persistence.dcs.dce.daas.DaaSService.testConnection(DaaSService.java:586) ... 67 more

  • 0 in reply to 

    • localhost.%date%.log [SEVERE] 2024-07-12 10:04:30.731 [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/daas].[daas]] Servlet.service() for servlet [daas] in context with path [/daas] threw exception [java .lang.NullPointerException] with root cause java.lang.NullPointerException at com.microfocus.daas.ldap.edir.NameMap$LdapMapping.(NameMap.java:1251) at com.microfocus.daas.ldap.edir.NameMap$LdapMapping.(NameMap.java:1235) at com.microfocus.daas.ldap.edir.NameMap.(NameMap.java:982) at com.microfocus.daas.ldap.edir.NDAPToLDAP.(NDAPToLDAP.java:56) at com.microfocus.daas.ldap.edir.EDirPagedCollectorBase.(EDirPagedCollectorBase.java:103) at com.microfocus.daas.ldap.edir.EDirPagedCollector.(EDirPagedCollector.java:51) at com.microfocus.daas.ldap.edir.EDirectoryCollectorFactory.newCollector(EDirectoryCollectorFactory.java:54) at com.microfocus.daas.ldap.edir.EDirectoryCollectorFactory.newCollector(EDirectoryCollectorFactory.java:28) at com.microfocus.daas.nativeldapservice.NativeLDAPService.serviceTest(NativeLDAPService.java:254) at com.netiq.daas.daaservice.DaaService.serviceTest(DaaService.java:1039) at sun.reflect.GeneratedMethodAccessor6194.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191) at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103) at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104) at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268) at org.glassfish.jersey.internal.Errors.process(Errors.java:316) at org.glassfish.jersey.internal.Errors.process(Errors.java:298) at org.glassfish.jersey.internal.Errors.process(Errors.java:268) at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289) at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256) at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703) at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416) at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at com.netiq.iac.server.common.j2ee.ServiceAuthFilter.doFilter(ServiceAuthFilter.java:171) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1732) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)

  • 0 in reply to 

    Don't want to add some fog to the topic but I discovered similar issue reported on some developer's forum, referring to a "Pre-matching" function causing the problem if enabled; problem disappears if disabled --> I guess only IDG source code owners can tell if this could be the root cause or not...

    Looking here the error codes are quite similar !

    jax rs - @NameBinding causes java.lang.NullPointerException at org.glassfish.jersey.server.spring.scope.RequestContextFilter$2.resetAttributes - Stack Overflow

    Jacques Forster (IGA architect)

  • 0

    I have exactly the same problem with an IG_read account in eDir. Strange thing is, due to some reasons we have two IG instances connecting to the same tree. In one of the implementations, the IG_read accounts works fine. In the other one: Non-DaaS exception: [java.lang.NullPointerException].

    So it seems to be related to IG and not eDir. We are still trying to find out what is happening with support. Today I sent some dstrace input.