on Jun 14, 2016Article Content
| Article Number | 000030664 | ||||||||
| Applies To | RSA Product Set: Identity Management and Governance RSA Product/Service Type: Enterprise Software RSA Version/Condition: 6.8.1, 6.9, 6.9.1 Platform: Linux Platform (Other): null O/S Version: Red Hat Enterprise Linux 6.x Product Name: RSA-0018000 Product Description: Access Certification Manager | ||||||||
| Issue | The AD (Active Directory) Account Data Collector (ADC) fails when attempting to collect account data from some AD domain controllers. This issue is present only in the native AD collector and does not occur when using the generic LDAP ADC collector. The failure is characterized by the following exception in the IMG server log that references a failure to connect to the referral server: 2015-06-22 17:01:03,662 INFO [com.aveksa.collector.accountdata.LdapAccountDataReader] Naming Exception happened : javax.naming.CommunicationException: Dohmen.com:389 [Root exception is java.net.ConnectException: Connection timed out] at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:92) This leads to a failure of the collector with the following exception in the IMG server log: 2015-06-22 17:01:03,664 ERROR [com.aveksa.client.datacollector.framework.DataCollectorManager] FAILED method=Collect CollectionMetaInfo[{ID=98, run_id=1435010400534, collector_id=68, test-run=true, collector_name=Restat.net - ADC, data_file=/home/oracle/jboss-4.2.2.GA/server/default/./deploy/aveksa.ear/aveksa.war/WEB-INF/LocalAgent/collected_data/98.data}] java.lang.RuntimeException And the observed failure in the IMG console during the test phase of the collection connection: Collector test failed: com.aveksa.server.runtime.ServerException: Test request failed with response: com.aveksa.server.runtime.ServerException: java.lang.RuntimeException | ||||||||
| Cause | This issue may occur if the connector attempts to follow an LDAP referral but cannot connect to the referral server. An LDAP referral is an (optional) feature of the LDAP protocol that allows for an LDAP server that is unable to locate the desired LDAP record, to redirect the client to a different LDAP source that is more likely to hold the result. In Microsoft Active Directory (AD) LDAP the referral response may direct the client to a different domain controller in the forest. Not all AD domains will return referral information and this is why this issue may occur on some AD domains and not on others. It is also possible for only certain LDAP queries to generate a referral which can make this issue appear intermittently. The failure occurs if the IMG ADC cannot bind successfully to the Microsoft AD domain controller returned in the referral request. The failure to bind may be because the domain controller returned in the referral is not reachable from the IMG servers location, or because the bind information used for the secondary domain controller does not match the primary. | ||||||||
| Resolution | Most often the intent is to bind to a single domain controller, and only return results from that domain. The attempt to follow referrals is unintended and undesired. In order to successfully follow referrals in an AD domain the bind account used for the LDAP connection must be the same for all domains, which typically is not practicable. If the following of LDAP referrals is not desired then the IMG ADC should be configured to ignore referrals. Under the configuration for the AD Account Data Collector select the "Ignore Referral" checkbox.  Note that the feature to ignore referrals is not available on older builds of IMG. The following table indicates the minimum patch level of IMG server that supports this feature.
| ||||||||
| Workaround | The Microsoft AD domain controller may be configured not to return referral information. Contact Microsoft for more information on how to disable this feature. Note that disabling referrals is not recommended as it may affect other applications that use Microsoft AD LDAP. |