Can CA Directory route/chain operations when it doesn't have any knowledge of the attributes defined in the search filter?

Document ID : KB000054039
Last Modified Date : 14/02/2018

Description:

CA Directory can route/chain operations to remote DSAs even when the routing DSA has no knowledge of the schema referenced within the operation.

Solution:

By default a CA Directory DSA does not route any operation that contains unknown schema.

Example:
When using Identity Manager in a high availability architecture, an example topology is:

Identity Manager GUI --|  
                       |--> Admin_router --|
                                           |--> Admin SLAPD --|
                                                              |--> admin_db_router --|
                                                                                     |-->  IDM-DSA.

In this example, the Identity Manager r8.1 Provisioning GUI sends a handful of operations to the admin_router DSA. The admin_router DSA then chains the operation to the Identity Manager slapd instance, and slapd sends the search via the admin_db_router to the backend CA Directory DSA, IDM-DSA.

In one search sent by the Identity Manager GUI, an objectClass of group was specified. This objectClass is unknown to the CA Directory backbone, as it is not defined in the directory schema.

As a result, the CA Directory DSA generated a warning message: WARN : LDAP: invalid oid: group.
CA Directory then translates this unknown schema attribute in the search filter to "(1.1) = (unreg)".

Because (1.1) is not a valid filter item, the admin_router DSA chains the operation on to the SLAPD instance with the rewritten filter, and the search fails.

See below for the trace that illustrates the issue:

> <-- LDAP MESSAGE messageID 45
> SearchRequest
>  baseObject: eTNamespaceName=CommonObjects,dc=IDMDOM,dc=eta
>  scope: wholeSubtree
>  derefAliases: neverDerefAliases
>  sizeLimit: 0
>  timeLimit: 10
>  typesOnly: false
>  filter:
>   equalityMatch: objectclass = group
>  attributes:
>   objectclass
> 
? 20090203.230702.651 WARN : LDAP: invalid oid: group
! 
> 
> <- #48 LDAP SEARCH-REQ
>             invoke-id = 45   credit = 1023
>     Base object:
>         <cosineDomainComponent "eta">
>         <cosineDomainComponent "IDMDOM">
>         <eTNamespaceName "CommonObjects">
>     Search subset: Whole subtree
>     Filter:
>         (1.1) = (unreg)
>     Don't Search Aliases
>     Attributes to return:  
>         objectClass
>     Service controls:
>             Options: Don't deref aliases
>             Time limit:  10
> 
! ----------UserRequest (048/045)----------20090203.230702.651 
! userRequest
! authClass is 1 (assoc 1)
! ForwardOrPerform
! Candidate is: admin_server
! Candidate DSA is: admin_server
! RemoteRequest
! setupDomainInfo
! RemoteRequest trying admin_server
! RemoteSendToThisDsa(admin_server)
! RemoteSendIdu: assoc 26 updateIdleTime 1
! 
> 
> (Remote) -> #26 (SSL) [admin_server] DXLINK SEARCH-REQ
>             invoke-id = 59   credit = 1
>     Base object:
>         <cosineDomainComponent "eta">
>         <cosineDomainComponent "IDMDOM">
>         <eTNamespaceName "CommonObjects">
>     Search subset: Whole subtree
>     Filter:
>         (1.1) = (unreg)
>     Don't Search Aliases
>     Attributes to return:  
>         objectClass
>     Service controls:
>             Options: Don't deref aliases
>             Time limit:  10
>     Chaining Arguments:
>             Originator:
>             <cosineDomainComponent "eta">
>             <cosineDomainComponent "IDMDOM">
>             <eTNamespaceName "CommonObjects">
>             <eTGlobalUserContainerName "Global Users">
>             <eTGlobalUserName "etaadmin">
>             Trace Information:
>                 DSA:
>                 <cosineDomainComponent "eta">
>                 <commonName "admin_router">
>             Operation Progress: Name Resolution Phase:  Not Started
>             Auth Level:  simple
> 
? 20090203.230702.651 WARN : Schema: '(1.1)' not found
? 20090203.230702.651 WARN : LDAP: unknown attr: (1.1)
> 
> --> (SSL) LDAP MESSAGE messageID 59
> SearchRequest
>  baseObject: eTNamespaceName=CommonObjects,dc=IDMDOM,dc=eta
>  scope: wholeSubtree
>  derefAliases: neverDerefAliases
>  sizeLimit: 0
>  timeLimit: 10
>  typesOnly: false
>  filter:
>   equalityMatch: OID.1.1 = 05 00 -> ..
>  attributes:
>   objectClass
> 
> 
> <-- (SSL) LDAP MESSAGE messageID 59
> SearchResDone
>  resultCode: operationsError
>  matchedDN: 
>  errorMessage: :ETA_E_0021<RNS>, Namespace 'CommonObjects' search failed:
   DB [ldaps://IDM-DSA:21399] Read failed:  
> 
! ----------RemoteEvent (026/059)----------20090203.230702.714 
! 
> 
> (Remote) <- #26 (SSL) [admin_server] DXLINK SEARCH-REFUSE
>             invoke-id = 59   credit = 24
>     Routed LDAP error:
>         Result code: 1
>         Error message: ":ETA_E_0021<RNS>, Namespace 'CommonObjects' search failed:
          DB [ldaps://IDM-DSA:21399] Read failed:  "
>     Controls:
>         tunnel-ldap-error
>             errorCode: 1
>             errorMessage: "1::ETA_E_0021<RNS>, Namespace 'CommonObjects' search failed:
              DB [ldaps://IDM-DSA:21399] Read failed:  "
> 
! RemoteFreeOp: d155a4
! UserRemoteResponse
! ----------userSendIdu (048/045)----------20090203.230702.714 
! 
> 
> -> #48 LDAP SEARCH-REFUSE
>             invoke-id = 45   credit = 1
>     Routed LDAP error:
>         Result code: 1
>         Error message: ":ETA_E_0021<RNS>, Namespace 'CommonObjects' search failed:
          DB [ldaps://IDM-DSA:21399] Read failed:  "
>     Controls:
>         tunnel-ldap-error
>             errorCode: 1
>             errorMessage: "1::ETA_E_0021<RNS>, Namespace 'CommonObjects' search failed:
              DB [ldaps://IDM-DSA:21399] Read failed:  "
> 
> 
> --> LDAP MESSAGE messageID 45
> SearchResDone
>  resultCode: operationsError
>  matchedDN: 
>  errorMessage: :ETA_E_0021<RNS>, Namespace 'CommonObjects' search failed:
   DB [ldaps://IDM-DSA:21399] Read failed:  
> controls:
>   controlType: 1.3.6.1.4.1.3327.23.2
>   non-critical
>   controlValue: 
>             30 69 02 01 01 04 64 31 3a 3a 45 54 41 5f 45 5f 0i....d1::ETA_E_
>             30 30 32 31 3c 52 4e 53 3e 2c 20 4e 61 6d 65 73 0021<RNS>, Names
>             70 61 63 65 20 27 43 6f 6d 6d 6f 6e 4f 62 6a 65 pace 'CommonObje
>             63 74 73 27 20 73 65 61 72 63 68 20 66 61 69 6c cts' search fail
>             65 64 3a 20 44 42 20 5b 6c 64 61 70 73 3a 2f 2f ed: DB [ldaps://
>             66 77 64 69 6d 3a 32 31 33 39 39 5d 20 52 65 61 IDM-DSA:21399] Rea
>             64 20 66 61 69 6c 65 64 3a 20 20 d failed:
>

To overcome this and allow the search to be routed correctly, add the following configuration command to the DSAs that are responsible for routing the operation.

     set transparent-routing=TRUE;

In the above example, that means adding this configuration item to the configuration of the following DSAs:

  1. Admin_router
  2. admin_db_router

Ensure that you save the configuration changes and then stop and start your DSAs.
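The following is an added example (not part of this article or of CA Directory) that shows how an administrator can scan a DSA trace for exactly the failure mode described above, and check a DSA settings file for the remediating directive. The trace excerpt is constructed, modelled on the one shown in the article; the trace line formats it matches are those visible in that trace.

```python
import re

# Constructed excerpt modelled on the article's trace (not a real capture).
SAMPLE_TRACE = """\
? 20090203.230702.651 WARN : LDAP: invalid oid: group
> <- #48 LDAP SEARCH-REQ
>             invoke-id = 45   credit = 1023
>         (1.1) = (unreg)
! Candidate DSA is: admin_server
> (Remote) -> #26 (SSL) [admin_server] DXLINK SEARCH-REQ
>             invoke-id = 59   credit = 1
>         (1.1) = (unreg)
> (Remote) <- #26 (SSL) [admin_server] DXLINK SEARCH-REFUSE
>             invoke-id = 59   credit = 24
> <- #48 LDAP SEARCH-REQ
>             invoke-id = 46   credit = 1023
>         (objectClass) = (person)
"""

INVALID_OID = re.compile(r"WARN : LDAP: invalid oid: (\S+)")
SEARCH_REQ = re.compile(r"^> .*?(?:\[(?P<dsa>[^\]]+)\] )?(?P<kind>DXLINK|LDAP) SEARCH-REQ")
INVOKE_ID = re.compile(r"invoke-id = (\d+)")
UNREG_FILTER = re.compile(r"\(1\.1\) = \(unreg\)")

def find_unregistered_filters(trace: str) -> list:
    """Return one record per SEARCH-REQ whose filter was rewritten to
    (1.1) = (unreg): the attribute the DSA did not recognise, the invoke-id,
    and, for chained (DXLINK) copies, the remote DSA the request was sent to."""
    findings, pending_oid, current = [], None, None
    for line in trace.splitlines():
        if m := INVALID_OID.search(line):
            pending_oid = m.group(1)          # remembered until a request uses it
        elif m := SEARCH_REQ.match(line):
            current = {"kind": m["kind"], "chained_to": m["dsa"], "invoke_id": None}
        elif current and current["invoke_id"] is None and (m := INVOKE_ID.search(line)):
            current["invoke_id"] = int(m.group(1))
        elif current and UNREG_FILTER.search(line):
            findings.append({**current, "unknown_attribute": pending_oid})
            current = None                    # one finding per request
    return findings

# Accepts the article's form 'set transparent-routing=TRUE;' and spaced variants.
TRANSPARENT_ROUTING = re.compile(r"^\s*set\s+transparent-routing\s*=\s*true\s*;", re.I | re.M)

def has_transparent_routing(dsa_config: str) -> bool:
    """True if the DSA settings text enables transparent routing (not commented out)."""
    return bool(TRANSPARENT_ROUTING.search(dsa_config))
```

Run against a real DSA trace, a finding with a non-empty chained_to shows the router forwarding an already-rewritten filter, which is the case transparent-routing addresses.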