000025945 - ClearTrust Entitlements Server and Authorization Server fail to start if ldap.conf is configured to use the same LDAP host and port for both CT-store and aux-store

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025945
Applies To: RSA ClearTrust 5.0.1 Authorization Server (AServer)
Red Hat Linux 7.3
Issue: ClearTrust Entitlements Server and Authorization Server fail to start if ldap.conf is configured to use the same LDAP host and port for both CT-store and aux-store.
ClearTrust Entitlements Server and Authorization Server show the following exception in debug output when attempting to start up:

  sirrus.da.exception.ConfigurationException: Duplicate pools for server "host.domain.com:389" enabled for referrals.
    at sirrus.da.ldap.util.LDAPConfiguration.loadConnectionData(LDAPConfiguration.java:211)
    at sirrus.da.ldap.util.LDAPConfiguration.<init>(LDAPConfiguration.java:137)
    at sirrus.da.ldap.auth.factory.LDAPFactory.<init>(LDAPFactory.java:110)
    at java.lang.reflect.Constructor.newInstance(Native Method)
    at sirrus.da.auth.AuthDA.<init>(AuthDA.java:95)
    at sirrus.da.auth.AuthDA.initialize(AuthDA.java:141)
    at sirrus.authserver.AuthorizationServer.initializeDataSource(AuthorizationServer.java:566)
    at sirrus.authserver.AuthorizationServer.<init>(AuthorizationServer.java:256)
    at sirrus.authserver.AuthorizationServer.main(AuthorizationServer.java:844)
Cause: If the same store (same hostname:port) is defined more than once in ldap.conf, the parameter "cleartrust.data.ldap.directory.<directory-name>.referto" must be set to "false" on all but the first instance. The default for this parameter is "true". The .referto parameter controls whether or not the store can be used to resolve LDAP referrals. When the same store is listed twice with the parameter left at true, the LDAP initialization code rejects the duplicate referral pool, logs the exception shown above, and terminates.
Resolution:
On all but the first instance of repeated LDAP configurations in ldap.conf, add the following parameter:

    cleartrust.data.ldap.directory.<directory-name>.referto : false

Then restart the ClearTrust Servers.
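A pre-restart check for the condition this article describes, added here as an example and not part of the RSA article or the ClearTrust product: it parses ldap.conf-style lines, groups directories by host:port, treats a missing .referto as "true" (the default stated above), and reports which later instances need .referto set to false. The ".host" and ".port" key names are assumed for the example; only the ".referto" key appears in the article.

```python
import re
from collections import defaultdict

# Key layout assumed for this example: the article shows only the ".referto"
# key; ".host" and ".port" are assumed names for the server and port keys.
KEY_RE = re.compile(
    r"^cleartrust\.data\.ldap\.directory\.([^.\s]+)\.(host|port|referto)\s*:\s*(.*?)\s*$"
)

def parse_ldap_conf(text):
    """Return {directory-name: {host, port, referto}} from ldap.conf-style text."""
    dirs = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            name, key, value = m.groups()
            dirs[name][key] = value
    return dirs

def find_duplicate_referral_pools(dirs):
    """Return {"host:port": [names]} for servers listed more than once with referto enabled."""
    pools = defaultdict(list)
    for name, cfg in dirs.items():
        if "host" not in cfg or "port" not in cfg:
            continue
        # A missing .referto means "true", which is what triggers the duplicate-pool error.
        if cfg.get("referto", "true").strip().lower() == "true":
            pools[f"{cfg['host']}:{cfg['port']}"].append(name)
    return {server: names for server, names in pools.items() if len(names) > 1}

def suggest_fix(dirs):
    """Lines to add: referto false on all but the first instance of each duplicated server."""
    fixes = []
    for names in find_duplicate_referral_pools(dirs).values():
        for name in names[1:]:
            fixes.append(f"cleartrust.data.ldap.directory.{name}.referto : false")
    return fixes

# Constructed sample: CT-store and aux-store both point at host.domain.com:389.
SAMPLE_CONF = """\
cleartrust.data.ldap.directory.ctstore.host : host.domain.com
cleartrust.data.ldap.directory.ctstore.port : 389
cleartrust.data.ldap.directory.auxstore.host : host.domain.com
cleartrust.data.ldap.directory.auxstore.port : 389
"""

if __name__ == "__main__":
    for fix in suggest_fix(parse_ldap_conf(SAMPLE_CONF)):
        print(fix)
```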
Workaround: Configure ldap.conf for the ClearTrust Servers to use an auxiliary store.
Legacy Article ID: a19692
