000012387 - LDAP referral error in ClearTrust Debug Output

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000012387
Applies To: Access Manager 5.5.3; SunOne Directory Server 5.2

Issue

LDAP referral error in ClearTrust Debug Output

The following error is shown in the aserver debug output:

15:24:50:302 [*] [MUXWORKER-12] - LDAPReferralRebind:  binding to host: ldap.server.com with port: 389
15:24:50:304 [*] [MUXWORKER-12] - LDAPReferralRebind:  binding anonymously
netscape.ldap.LDAPException: exceed hop limit (10); Referral received

Cause

A referral message is only generated by the LDAP server when a request is made for a specific LDAP DN and that DN does not exist on the LDAP server that was called. If referrals are enabled, the LDAP server should respond with a location that does contain the specified DN. A hop limit exceeded message means that all LDAP servers in the referral list were tried and none contained the specified DN. This error may also occur in situations where the specified DN was supposed to exist in the datastore but was missing, either because it was deleted or because a replication event failed to replicate the DN to the particular server.

Note that the LDAP exception is interpreted by the aserver as a failure of the LDAP datastore. If there are no fail-over LDAP connections defined, the connection will be abandoned. Since the aserver cannot return a result to the agent, this will cause the agent to time out as well. The agent will naturally fail over to an alternate aserver, but if all aservers are using the same datastore, no recovery is possible. The failure will present itself at the agents as a continuing series of fail-over events. Because the agents abandon their connections, the aserver logs will also show a large number of "unable to send data to receiver" messages.
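The log signature described above (a referral rebind, a hop-limit exception, then "unable to send data to receiver" messages) can be picked out of aserver debug output with a short triage script. This is an added example, not RSA code; the sample log is constructed from the lines quoted in this article, and the layout of the "unable to send data to receiver" line is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug output quoted in the article.
# The layout of the "unable to send data to receiver" lines is an assumption.
SAMPLE_LOG = """\
15:24:50:302 [*] [MUXWORKER-12] - LDAPReferralRebind:  binding to host: ldap.server.com with port: 389
15:24:50:304 [*] [MUXWORKER-12] - LDAPReferralRebind:  binding anonymously
netscape.ldap.LDAPException: exceed hop limit (10); Referral received
15:24:55:810 [*] [MUXWORKER-12] - unable to send data to receiver
15:24:55:912 [*] [MUXWORKER-07] - unable to send data to receiver
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d:\d{3}) \[.\] \[([^\]]+)\] - (.*)$")
REBIND = re.compile(r"LDAPReferralRebind:\s+binding to host: (\S+) with port: (\d+)")
HOP = re.compile(r"LDAPException: exceed hop limit \((\d+)\); Referral received")

def triage(log_text):
    """Summarise referral hop-limit failures and abandoned agent connections."""
    failures, send_errors = [], Counter()
    last = None  # most recent referral rebind: context for a bare exception line
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, worker, msg = m.groups()
            r = REBIND.search(msg)
            if r:
                last = {"time": ts, "worker": worker, "host": r.group(1),
                        "port": int(r.group(2)), "anonymous": False}
            elif "LDAPReferralRebind" in msg and "binding anonymously" in msg:
                if last and last["worker"] == worker:
                    last["anonymous"] = True
            elif "unable to send data to receiver" in msg:
                send_errors[worker] += 1
            continue
        h = HOP.search(raw)  # exception lines carry no timestamp or thread name
        if h:
            failures.append({**(last or {}), "hop_limit": int(h.group(1))})
            last = None
    return {"hop_limit_failures": failures,
            "send_errors": sum(send_errors.values()),
            "send_errors_by_worker": dict(send_errors)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Each reported failure names the last referral host the aserver rebound to, which is a starting point for checking whether that replica holds the expected DN.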

Resolution

Ensure the LDAP datastore is not corrupted and the expected data structure still exists. This error may occur when one or more members of the LDAP replica are not replicating.

Legacy Article ID: a45044
