
SSPR directory unavailable after password change


Hi,

SSPR is giving an occasional error of "directory is unavailable"
immediately following a password change.

Looking at the logs, it reports "...successfully changed password..."
then "...5017 ERROR_DIRECTORY_UNAVAILABLE...". Any ideas of what is
happening immediately after a successful password change that would
cause this issue?


Code:
--------------------

2015-06-25T15:58:17Z, INFO , operations.PasswordUtility, {8k,test} user 'UserIdentity: {"userDN":"cn=test,o=PEOPLE","ldapProfile":"default"}' successfully changed password [xx.xx.x.xxx]
2015-06-25T15:58:20Z, FATAL, servlet.TopServlet, {8k,test} 5017 ERROR_DIRECTORY_UNAVAILABLE (unable to contact ldap directory: unable to create connection: unable to bind to ldaps://vault.kumc.edu:636 as cn=test,o=PEOPLE reason: [LDAP: error code 49 - NDS error: failed authentication (-669)]) [xx.xx.x.xxx]

--------------------


Currently the configuration is:
SSPR 3.2.0.3.
vault.kumc.edu load balanced by F5.

We have been considering pointing at a single instance of the idvault.
Are there any issues load balancing the idvaults?

Frank Sorio


--
gfsorio
------------------------------------------------------------------------
gfsorio's Profile: https://forums.netiq.com/member.php?userid=10004
View this thread: https://forums.netiq.com/showthread.php?t=53846


Re: SSPR directory unavailable after password change

gfsorio;2399553 wrote:

I was advised a while back to not use a load balancer for SSPR since it's capable of pointing to the LDAP servers directly. So in our case, I have the SSPR config pointing to the 2 LDAP servers rather than the single Load Balancer.

If I had to guess it's that the LDAP connection is being torn down and then another new request built, which is causing the load balancer to maybe move the 2nd request to the other server and replication hasn't finished yet?

Do you have session stickiness enabled (probably via IP?)

But again, I know it works fine if you point to 2 LDAP servers for the same eDirectory tree.

--Kevin

Re: SSPR directory unavailable after password change

During a password change the default SSPR setting, I believe, is to check
the various LDAP Profile servers to ensure the password has replicated to
them, so if you specify multiples then they all get the update before the
user is sent on to the next page.

If you put a load balancer between SSPR and the LDAP server, then SSPR
does not know which box it is hitting and problems can show up when a
replica that should see a password (because it accepted the change without
error) does not for a period of time.

--
Good luck.
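The two replies above describe one failure mode from two angles: SSPR changes the password over one connection, tears it down, and opens a fresh connection to bind as the user; a load balancer without persistence can route that second connection to a replica that has not yet received the change, which is exactly what "LDAP: error code 49 - NDS error: failed authentication (-669)" right after "successfully changed password" looks like. The model below is an added example written for this thread, not SSPR or NetIQ code. It assumes a constructed two-replica tree (vault1, vault2), a replication delay measured in abstract "ticks", and a simplified VIP that is either round-robin or source-IP sticky; it shows the failed rebind through a non-sticky VIP, the success with persistence (Frank's fix), and the per-replica verification Kevin and the second reply describe when SSPR is pointed at the LDAP servers directly.

```python
"""Model of the post-change bind failure behind a load balancer.

Added example for this thread; not SSPR code. Replica names, tick-based
replication and the VIP behaviour are constructed assumptions.
"""
from dataclasses import dataclass, field
import itertools

# Error codes quoted in the log lines above.
LDAP_INVALID_CREDENTIALS = 49
NDS_FAILED_AUTHENTICATION = -669


@dataclass
class Replica:
    name: str
    passwords: dict = field(default_factory=dict)  # userDN -> current password

    def bind(self, user_dn, password):
        """Return None on success, or the (LDAP, NDS) error pair on failure."""
        if self.passwords.get(user_dn) == password:
            return None
        return (LDAP_INVALID_CREDENTIALS, NDS_FAILED_AUTHENTICATION)


class Tree:
    """A set of replicas; a change on one replica reaches the others after `delay` ticks."""

    def __init__(self, names, delay):
        self.replicas = {n: Replica(n) for n in names}
        self.delay = delay
        self.tick = 0
        self.queue = []  # (due_tick, replica_name, user_dn, new_password)

    def change_password(self, on_replica, user_dn, new_pw):
        self.replicas[on_replica].passwords[user_dn] = new_pw
        for n in self.replicas:
            if n != on_replica:
                self.queue.append((self.tick + self.delay, n, user_dn, new_pw))

    def advance(self, ticks=1):
        """Let time pass and apply any replication events that are now due."""
        self.tick += ticks
        still_pending = []
        for due, n, dn, pw in self.queue:
            if due <= self.tick:
                self.replicas[n].passwords[dn] = pw
            else:
                still_pending.append((due, n, dn, pw))
        self.queue = still_pending


class RoundRobinVip:
    """VIP without persistence: each new connection may land on a different replica."""

    def __init__(self, tree):
        self.cycle = itertools.cycle(sorted(tree.replicas))

    def pick(self, client_ip):
        return next(self.cycle)


class StickyVip:
    """VIP with source-IP persistence: a given client keeps hitting the same replica."""

    def __init__(self, tree):
        self.cycle = itertools.cycle(sorted(tree.replicas))
        self.table = {}

    def pick(self, client_ip):
        if client_ip not in self.table:
            self.table[client_ip] = next(self.cycle)
        return self.table[client_ip]


def sspr_change_then_rebind(tree, vip, client_ip, user_dn, new_pw):
    """Change the password on one connection, drop it, open a new one and bind as the user.

    Returns (replica used for the change, replica used for the bind, bind error or None).
    """
    first = vip.pick(client_ip)
    tree.change_password(first, user_dn, new_pw)
    tree.advance(1)  # connection teardown and rebuild; shorter than the replication delay
    second = vip.pick(client_ip)
    return first, second, tree.replicas[second].bind(user_dn, new_pw)


def wait_for_replication(tree, user_dn, new_pw, max_ticks):
    """SSPR pointed at every replica directly: poll each one until the new
    password binds everywhere. Returns ticks waited, or None if it gave up."""
    for waited in range(max_ticks + 1):
        if all(r.bind(user_dn, new_pw) is None for r in tree.replicas.values()):
            return waited
        tree.advance(1)
    return None


if __name__ == "__main__":
    dn = "cn=test,o=PEOPLE"
    t = Tree(["vault1", "vault2"], delay=3)
    print("no persistence:", sspr_change_then_rebind(t, RoundRobinVip(t), "10.0.0.5", dn, "new-pw"))
    t = Tree(["vault1", "vault2"], delay=3)
    print("sticky VIP:    ", sspr_change_then_rebind(t, StickyVip(t), "10.0.0.5", dn, "new-pw"))
    t = Tree(["vault1", "vault2"], delay=3)
    t.change_password("vault1", dn, "new-pw")
    print("direct replicas, ticks until consistent:", wait_for_replication(t, dn, "new-pw", 10))
```

The first call reproduces the thread's log sequence (change on one replica, error 49 / -669 on the next bind); the second shows why F5 persistence rules made the symptom go away; the third is the behaviour you get for free when SSPR talks to each replica itself, since it can simply wait until every server accepts the new credential before moving the user on.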

Re: SSPR directory unavailable after password change


Thank you for the input. We added some persistence rules to the F5 and
the issue appears to be resolved. I did some testing with pointing at
multiple idvaults for failover and it also worked. However, the team
liked using the F5 for load balancing instead.

-- Frank

