SecurID® Governance & Lifecycle Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.
Article Number
000030664
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
RSA Version/Condition: All
Issue
The Active Directory (AD) Account Collector fails intermittently when attempting to collect account data from certain AD domain controllers. This issue is present only in the native Active Directory Account Collector (Data Source Type: Active Directory) and does not occur when using the generic LDAP Account Collector (Data Source Type: Ldap). The Data Source Type setting is under Collectors > Account Collectors > Create Account Collector.
A test of the collector fails as follows:
The following error is logged to the aveksaServer.log file. Note this error references a failure to connect to the referral server.
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycleto find the location of the aveksaServer.log file for your specific deployment. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
A test of the collector fails as follows:
Collector test failed:
com.aveksa.server.runtime.ServerException: Test request failed with response: com.aveksa.server.runtime.ServerException: java.lang.RuntimeException
com.aveksa.server.runtime.ServerException: Test request failed with response: com.aveksa.server.runtime.ServerException: java.lang.RuntimeException
The following error is logged to the aveksaServer.log file. Note this error references a failure to connect to the referral server.
2015-06-22 17:01:03,662 INFO [com.aveksa.collector.accountdata.LdapAccountDataReader]
Naming Exception happened :
javax.naming.CommunicationException: Dohmen.com:389
[Root exception is java.net.ConnectException: Connection timed out]
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:92)
followed by:
2015-06-22 17:01:03,664 ERROR [com.aveksa.client.datacollector.framework.DataCollectorManager]
FAILED method=Collect
CollectionMetaInfo[{ID=98, run_id=1435010400534, collector_id=68, test-run=true, collector_name=Restat.net - ADC,
data_file=/home/oracle/jboss-4.2.2.GA/server/default/./deploy/aveksa.ear/aveksa.war/WEB-INF/LocalAgent/collected_data/98.data}]
java.lang.RuntimeException
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycleto find the location of the aveksaServer.log file for your specific deployment. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
Cause
An LDAP referral is an (optional) feature of the LDAP protocol that allows for an LDAP server that is unable to locate the desired LDAP record, to redirect the client to a different LDAP source that is more likely to hold the result.
This failure occurs if the Account Collector attempts to follow an LDAP referral and one of the following occurs:
This failure occurs if the Account Collector attempts to follow an LDAP referral and one of the following occurs:
- The Account Collector cannot bind successfully (connect) to the Microsoft AD domain controller (referral server) returned in the referral request. The failure to bind may be because the domain controller returned in the referral is not reachable from the RSA Identity Governance & Lifecycle server location, or because the bind information used for the secondary domain controller (referral server) does not match the bind information used for the primary.
- Not all AD domains will return referral information which is why this issue may occur on some AD domains and not on others.
- It is also possible for only certain LDAP queries to generate a referral.
Resolution
This issue is configurable in the following RSA Identity Governance & Lifecycle versions and/or patch levels:
Image description
Most often the intent is to bind to a single domain controller, and only return results from that domain. The attempt to follow referrals is unintended and undesired. In order to successfully follow referrals in an AD domain, the bind account used for the LDAP connection must be the same for all domains, which typically is not practical.
To prevent LDAP referrals, configure the RSA Identity Governance & Lifecycle Account Collector to ignore referrals. In the user interface go to Collectors > Account Collectors > {AD Collector name} > General tab > Edit > Next (Connection information). Check the Ignore Referral checkbox.
- RSA Identity Governance & Lifecycle 6.8.1 P10
- RSA Identity Governance & Lifecycle 6.9.0 P02
- RSA Identity Governance & Lifecycle 6.9.1 P02
- RSA Identity Governance & Lifecycle 7.0.0
Image descriptionMost often the intent is to bind to a single domain controller, and only return results from that domain. The attempt to follow referrals is unintended and undesired. In order to successfully follow referrals in an AD domain, the bind account used for the LDAP connection must be the same for all domains, which typically is not practical.
To prevent LDAP referrals, configure the RSA Identity Governance & Lifecycle Account Collector to ignore referrals. In the user interface go to Collectors > Account Collectors > {AD Collector name} > General tab > Edit > Next (Connection information). Check the Ignore Referral checkbox.
Workaround
Configure the Microsoft AD domain controller to which the Account Collector binds to disable the referrals. Contact Microsoft for more information on how to disable this feature. Note that disabling referrals is not recommended as it may affect other applications that use Microsoft AD LDAP.
In this article
