sushantcap Absent Member.
Absent Member.
673 views

Edirectory Coring Issue

Hi,

We are using [pesudo].members attribute in loopback driver to get member list from dynamic group.
We found that when we enable this policy in loopback and start it edirectory crashes.

Please let me know if there is any another way to fetch members list from dynamic group.

Below is the xml of policy which I'm using:
<actions>
<do-clear-src-attr-value class-name="User" name="Group Membership"/>
<do-set-local-variable name="GroupsThatThisUserIsMemberOf" scope="policy">
<arg-node-set>
<token-query class-name="dynamicGroup" datastore="src">
<arg-dn>
<token-global-variable name="cdsAppGroupBaseOU"/>
</arg-dn>
<arg-match-attr name="[pseudo].Member">
<arg-value type="dn">
<token-src-dn/>
</arg-value>
</arg-match-attr>
</token-query>
</arg-node-set>
</do-set-local-variable>
<do-for-each>
<arg-node-set>
<token-local-variable name="GroupsThatThisUserIsMemberOf"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="staticGroupDN" scope="policy">
<arg-string>
<token-replace-all regex="Groups\\" replace-with="">
<token-xpath expression="$current-node/@src-dn"/>
</token-replace-all>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="staticGroupName" scope="policy">
<arg-string>
<token-replace-all regex="Applications" replace-with="Static Groups">
<token-local-variable name="staticGroupDN"/>
</token-replace-all>
</arg-string>
</do-set-local-variable>
<do-add-src-attr-value class-name="User" name="Group Membership">
<arg-value type="dn">
<token-local-variable name="staticGroupName"/>
</arg-value>
</do-add-src-attr-value>
</arg-actions>
</do-for-each>
</actions>

Also same driver is running on other environment but edirectory is not crashing and edirectory version is same in other environment.

Edirectory version:
Binary Version: 40006.33
Root Most Entry Depth: 0
Product Version: eDirectory for Linux x86_64 v9.0.4 [DS]

Thanks,
Sushant
Labels (1)
0 Likes
8 Replies
Knowledge Partner
Knowledge Partner

Re: Edirectory Coring Issue

If you have found a way to cause eDirecory to crash I would probably open
a Service Request (SR) assuming you have confidence that your system is
not really odd for some reason (a reason voiding support or making its
state highly questionable). Applications should not crash; they can throw
errors, or IDM driver config objects can stop, but crashing means
something is not being handled properly.

With that written, your other system works; what differs about the two?
Are they in the same tree? Is one Test and another Prod? Are the group
sizes different? How big are the groups?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
sushantcap Absent Member.
Absent Member.

Re: Edirectory Coring Issue

Hi Ab,

Thanks for your response.
One environment is Test and other is Prod. Both are having the same driver with same above policy.
But edirectory coring is happening only in test env. and not is prod.

Both are having same IDM version i.e IDM4.5.5 and edirectory version 9.04.

We have approx 800+ dynamic groups and member list on each differs from 100 to 50000.


Thanks,
Sushant
0 Likes
Knowledge Partner
Knowledge Partner

Re: Edirectory Coring Issue

It may be useful to know if you can duplicate this in an clone of your
test environment, and if so if you can still duplicate it after upgrading
to 4.7.

It may also be useful to post a trace of the operation that eventually
cores eDirectory. There are valid reasons for that, such as running out
of memory, in which case system sizing (prod may be bigger than test) may
impact the ability to handle the query or not. If memory is the
limitation then alternate query methods (e.g. via LDAP) will probably not
help you, so I think first we need to figure out if this is a product
problem or a system/environment problem.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
sushantcap Absent Member.
Absent Member.

Re: Edirectory Coring Issue

Hi Ab,

We have 24 GB RAM in Test env. and 64GB RAM in Prod.

I don't think system sizing is the issue, as same driver used to work before in Test Env. as well.
Now we are not able to find what went wrong.

Thanks,
Sushant
0 Likes
Knowledge Partner
Knowledge Partner

Re: Edirectory Coring Issue

We definitely found a coring issue in eDir 9.1 (Oddly in nmaslib.so of
all things) that NTS has a fix for. I did ask them to check and see if
9.04 would suffer from it as well.

But an SR can help. If you can reproduce the crash, and set the
MALLOC_CHECK_ properly, NTS can look at the stack during the crash and
get a pretty good feel for where the crash happened.


On 6/8/2018 7:34 AM, sushantcap wrote:
>
> Hi,
>
> We are using [pesudo].members attribute in loopback driver to get member
> list from dynamic group.
> We found that when we enable this policy in loopback and start it
> edirectory crashes.
>
> Please let me know if there is any another way to fetch members list
> from dynamic group.
>
> Below is the xml of policy which I'm using:
> <actions>
> <do-clear-src-attr-value class-name="User" name="Group Membership"/>
> <do-set-local-variable name="GroupsThatThisUserIsMemberOf"
> scope="policy">
> <arg-node-set>
> <token-query class-name="dynamicGroup" datastore="src">
> <arg-dn>
> <token-global-variable name="cdsAppGroupBaseOU"/>
> </arg-dn>
> <arg-match-attr name="[pseudo].Member">
> <arg-value type="dn">
> <token-src-dn/>
> </arg-value>
> </arg-match-attr>
> </token-query>
> </arg-node-set>
> </do-set-local-variable>
> <do-for-each>
> <arg-node-set>
> <token-local-variable name="GroupsThatThisUserIsMemberOf"/>
> </arg-node-set>
> <arg-actions>
> <do-set-local-variable name="staticGroupDN" scope="policy">
> <arg-string>
> <token-replace-all regex="Groups\\" replace-with="">
> <token-xpath expression="$current-node/@src-dn"/>
> </token-replace-all>
> </arg-string>
> </do-set-local-variable>
> <do-set-local-variable name="staticGroupName" scope="policy">
> <arg-string>
> <token-replace-all regex="Applications" replace-with="Static
> Groups">
> <token-local-variable name="staticGroupDN"/>
> </token-replace-all>
> </arg-string>
> </do-set-local-variable>
> <do-add-src-attr-value class-name="User" name="Group Membership">
> <arg-value type="dn">
> <token-local-variable name="staticGroupName"/>
> </arg-value>
> </do-add-src-attr-value>
> </arg-actions>
> </do-for-each>
> </actions>
>
> Also same driver is running on other environment but edirectory is not
> crashing and edirectory version is same in other environment.
>
> Edirectory version:
> Binary Version: 40006.33
> Root Most Entry Depth: 0
> Product Version: eDirectory for Linux x86_64 v9.0.4 [DS]
>
> Thanks,
> Sushant
>
>


0 Likes
sushantcap Absent Member.
Absent Member.

Re: Edirectory Coring Issue

Hi Geoffc,

We did a ndstrace and found that edirectory is crashing when performing query from edirectory.
Below are the logs:
2083960576 DVRS: [2018/06/11 12:14:08.748] DYNAMIC-STATIC-GROUP ST: arg-dn(token-global-variable("cdsAppGroupBaseOU"))
2083960576 DVRS: [2018/06/11 12:14:08.748] DYNAMIC-STATIC-GROUP ST: token-global-variable("cdsAppGroupBaseOU")
2083960576 DVRS: [2018/06/11 12:14:08.748] DYNAMIC-STATIC-GROUP ST: Token Value: "ACME\Meta\Applications".
2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST: Arg Value: "ACME\Meta\Applications".
2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST: arg-match-attr("[pseudo].Member",token-src-dn())
2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST: arg-string(token-src-dn())
2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST: token-src-dn()
2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST: Token Value: "\ACME-CDS-DEV\ACME\Meta\Identities\Active\Employees\TUSER79".
2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST: Arg Value: "\ACME-CDS-DEV\ACME\Meta\Identities\Active\Employees\TUSER79".
2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST: Query from policy
2083960576 DVRS: [2018/06/11 12:14:08.750] DYNAMIC-STATIC-GROUP ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.6.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="dynamicGroup" dest-dn="ACME\Meta\Applications" scope="subtree">
<search-class class-name="dynamicGroup"/>
<search-attr attr-name="[pseudo].Member">
<value type="dn">\ACME-CDS-DEV\ACME\Meta\Identities\Active\Employees\TUSER79</value>
</search-attr>
<read-attr/>
</query>
</input>
</nds>
2083960576 DVRS: [2018/06/11 12:14:08.750] DYNAMIC-STATIC-GROUP ST: Pumping XDS to eDirectory.
2083960576 DVRS: [2018/06/11 12:14:08.750] DYNAMIC-STATIC-GROUP ST: Performing operation query for ACME\Meta\Applications.
2083960576 DVRS: [2018/06/11 12:14:08.750] DYNAMIC-STATIC-GROUP ST: --JCLNT-- \ACME-CDS-DEV\ACME\System\DriverSet\DYNAMIC-STATIC-GROUP : Duplicating : context = 1242956044, tempContext = 1242956023
2083960576 DBG : [2018/06/11 12:14:08.751] iterator: In DSAIterator
2083960576 DBG : [2018/06/11 12:14:08.751] iterator: In DSAIterator baseID=36201, scope=2, uIteratorID=0, infoType=3, connid=0, taskid=0
2083960576 DBG : [2018/06/11 12:14:08.751] iterator: buffer
0000 04 00 00 00 10 00 00 00 02 00 00 00 02 00 00 00 ................
0010 00 00 00 00 07 00 00 00 0E 00 00 00 4D 00 65 00 ............M.e.
0020 6D 00 62 00 65 00 72 00 00 00 00 00 74 00 00 00 m.b.e.r.....t...

It is shutting down in middle of the query.

Thanks,
Sushant
0 Likes
Knowledge Partner
Knowledge Partner

Re: Edirectory Coring Issue

On 6/12/2018 8:04 AM, sushantcap wrote:
>
> Hi Geoffc,
>
> We did a ndstrace and found that edirectory is crashing when performing
> query from edirectory.
> Below are the logs:
> 2083960576 DVRS: [2018/06/11 12:14:08.748] DYNAMIC-STATIC-GROUP ST:
> arg-dn(token-global-variable("cdsAppGroupBaseOU"))
> 2083960576 DVRS: [2018/06/11 12:14:08.748] DYNAMIC-STATIC-GROUP ST:
> token-global-variable("cdsAppGroupBaseOU")
> 2083960576 DVRS: [2018/06/11 12:14:08.748] DYNAMIC-STATIC-GROUP ST:
> Token Value: "ACME\Meta\Applications".
> 2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST:
> Arg Value: "ACME\Meta\Applications".
> 2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST:
> arg-match-attr("[pseudo].Member",token-src-dn())
> 2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST:
> arg-string(token-src-dn())
> 2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST:
> token-src-dn()
> 2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST:
> Token Value:
> "\ACME-CDS-DEV\ACME\Meta\Identities\Active\Employees\TUSER79".
> 2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST:
> Arg Value:
> "\ACME-CDS-DEV\ACME\Meta\Identities\Active\Employees\TUSER79".
> 2083960576 DVRS: [2018/06/11 12:14:08.749] DYNAMIC-STATIC-GROUP ST:
> Query from policy
> 2083960576 DVRS: [2018/06/11 12:14:08.750] DYNAMIC-STATIC-GROUP ST:
>
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.5.6.0">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <query class-name="dynamicGroup" dest-dn="ACME\Meta\Applications"
> scope="subtree">
> <search-class class-name="dynamicGroup"/>
> <search-attr attr-name="[pseudo].Member">
> <value
> type="dn">\ACME-CDS-DEV\ACME\Meta\Identities\Active\Employees\TUSER79</value>
> </search-attr>
> <read-attr/>
> </query>
> </input>
> </nds>
> 2083960576 DVRS: [2018/06/11 12:14:08.750] DYNAMIC-STATIC-GROUP ST:
> Pumping XDS to eDirectory.
> 2083960576 DVRS: [2018/06/11 12:14:08.750] DYNAMIC-STATIC-GROUP ST:
> Performing operation query for ACME\Meta\Applications.
> 2083960576 DVRS: [2018/06/11 12:14:08.750] DYNAMIC-STATIC-GROUP ST:
> --JCLNT-- \ACME-CDS-DEV\ACME\System\DriverSet\DYNAMIC-STATIC-GROUP
> : Duplicating : context = 1242956044, tempContext = 1242956023
> 2083960576 DBG : [2018/06/11 12:14:08.751] iterator: In DSAIterator
> 2083960576 DBG : [2018/06/11 12:14:08.751] iterator: In DSAIterator
> baseID=36201, scope=2, uIteratorID=0, infoType=3, connid=0, taskid=0
> 2083960576 DBG : [2018/06/11 12:14:08.751] iterator: buffer
> 0000 04 00 00 00 10 00 00 00 02 00 00 00 02 00 00 00 ................
> 0010 00 00 00 00 07 00 00 00 0E 00 00 00 4D 00 65 00 ............M.e.
> 0020 6D 00 62 00 65 00 72 00 00 00 00 00 74 00 00 00 m.b.e.r.....t...
>
> It is shutting down in middle of the query.


I would get a core for NTS to examine and open an SR. We got a patch
for our coring issue from them once we did that.


0 Likes
Knowledge Partner
Knowledge Partner

Re: Edirectory Coring Issue

And how does one do that properly, you may ask? There is a TID:

https://www.novell.com/support/kb/doc.php?id=3113982

You may also need to configure systemd to allow a big-enough core file,
and I do not see that in this TID, but if I find it I'll forward that
along too. The exact steps will also be provided when you open the
Service Request (SR) with Micro Focus.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.