error binding roles when user directory is in round robin configuration (Legacy_Onyx KB Id: 129919)

Document ID : KB000055011
Last Modified Date : 14/02/2018

Description:

The customer gets a "Task Failed" error message from IdentityMinder when they attempt to "Create Organization" within IdentityMinder.

16:24:10,349 WARN [ims] Waiting for Primary Events 0f00a8c0-2258-3fa2d2ed-3238-02222694
16:24:10,728 INFO [ims.tasktrack] Executing library method
16:24:10,786 ERROR [ims.[facility=4 severity=2 reason=0 status=38 message=No items found]] Create_Organization: Process_Auto_Access_Roles: Unable to get roles bound to org- exception:
16:24:10,903 ERROR [ims.[facility=4 severity=3 reason=0 status=2 message=SmImsCommand (bindRoleToOrg) Provider call failed
Error Code was: -2147418005
Error Message: Object Not UniqueID:1811]] Create_Organization: Process_Auto_Admin_Roles: Unable to get roles from orgRoleBinding - exception:
16:24:10,903 ERROR [ims] Create_Organization: Errors on provisioning roles to new org: 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net'
16:24:10,904 ERROR [ims] Create_Organization: Unable to create organization - exception caught
16:24:10,904 ERROR [ims] Exception Occured during event processing.
16:24:11,239 WARN [ims] Evt 0f00a8c0-2258-3fa2d2ed-3238-02222694 is invalid.
16:24:12,984 INFO [ims.tasktrack] Task performed for session 0f00a8c0-2258-3fa2d2ed-3238-02222694


Solution:

It appears that a round-robin user directory configuration is causing the problem. This theory is based on analysis of the authentication logs, which show the same LDAP search failing immediately after it succeeded moments prior (see the log snippet below).

To test this theory, I have asked the customer to change the user directory configuration from round-robin to failover mode.

----authentication log snippet showing likely error **Look at LDAP SERVER BANK IP ADDRESS**---

[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] Using LDAP server bank # 1 : 'nn.nn.nn.128:389'
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject classID)] 1
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject dirOID)] 27-000e1657-fe71-1f54-869b-832cc85a0000
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject envOID)] 00-
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject orgDN)] ou=x,ou=y,dc=z,dc=company,dc=net
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (stringListToArray)] Empty List passed in
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (stringListToArray)] Empty List passed in
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (createDSObject)] Creating an Organization
[31/Oct/2003:18:08:28 -0500][21-CIMSDsLdapProvider::copyWellknownToAttr] Empty value found. Skipping attribute %ORG_DESCR%
[31/Oct/2003:18:08:28 -0500][21-CIMSDsLdapProvider::copyWellknownToAttr] Empty value found. Skipping attribute reyreyparent
[31/Oct/2003:18:08:28 -0500][21-CIMSDsLdapProvider::ValidateIMSObjectPath] Search root 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net'
[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] (Search) Base: 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net', Filter: '(objectclass=*)'. Status: 1 entries


......



[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] Using LDAP server bank # 2 : 'nn.nn.nn.129:389'
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg dirOID)] 27-000e1657-fe71-1f54-869b-832cc85a0000
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg envOID)] 2a-0004e953-048b-1f55-869b-832cc85a0000
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg orgDN)] ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg classID)] 4
[31/Oct/2003:18:08:28 -0500][21-SmObjProvider] Searching for object 'Agent' in domain '0a-00000000-0000-0000-0000-000000000000
[31/Oct/2003:18:08:28 -0500][21-SmObjProvider] Name : '2a-0004e953-048b-1f55-869b-832cc85a0000'
[31/Oct/2003:18:08:28 -0500][21-SmObjProvider] Searching for object 'Agent' in domain '0a-00000000-0000-0000-0000-000000000000
[31/Oct/2003:18:08:28 -0500][21-SmObjProvider] Name : '2a-0004e953-048b-1f55-869b-832cc85a0000'
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (enumerateProvOrgRoleBindingsForOrg)] Got provider
[31/Oct/2003:18:08:28 -0500][21-SmImsCommand (lookupRoleType)] Looking for ACCESS roles
[31/Oct/2003:18:08:28 -0500][21-CIMSDsLdapProvider::ValidateIMSObjectPath] Search root 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net'
[31/Oct/2003:18:08:28 -0500][21-SmDsLdap] (Search) Base: 'ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net', Filter: '(objectclass=*)'. Status: Error 32. No such object


----UPDATE--------------------------------------------
Removing the round-robin directory configuration fixes the problem.
---------------------------------------------------------

We basically run into transaction processing problems here.

First, the round-robin operation is outside the scope of IMS. As far as IMS is concerned, when you create an organization and bind roles to it, for example, there are multiple steps that need to be completed:

- Create the requested ou
- Create the role binding
- etc.

Now, for things to work correctly, this set of operations must be atomic and must all be completed against one user directory. In the round-robin case, consecutive requests may be sent to different user directories, and because of replication lag (which will necessarily be uncoordinated with IMS actions), any dependent step that lands on a replica that has not yet received the earlier write will fail, exactly as the "Error 32. No such object" search against server bank #2 shows above.
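The following simulation is an added example, not code from CA/IdentityMinder or SiteMinder. It models two LDAP servers in a bank with asynchronous replication, then replays the two dependent IMS steps from the log (create the ou, then search that ou as the base when enumerating role bindings) under a round-robin and a failover selection policy. The server addresses, the org DN and the replica/bank classes are constructed for the example; the LDAP result code 32 is the real "No such object" code seen in the log. The `lagging` list the function returns is the check a practitioner can make against a real environment by querying each server bank directly for the new DN: if one server lacks it, the problem is convergence, not the data.

```python
"""Constructed simulation of why a multi-step IMS operation fails when consecutive
LDAP requests are spread round-robin across replicas that have not yet converged.
Not product code; all names and values below are assumptions for illustration."""

from collections import deque
from dataclasses import dataclass, field

LDAP_NO_SUCH_OBJECT = 32  # LDAP result code logged as "Status: Error 32. No such object"


@dataclass
class Replica:
    """One LDAP server in a server bank; writes replicate to peers asynchronously."""
    address: str
    entries: set = field(default_factory=set)
    inbound: deque = field(default_factory=deque)  # peer writes not yet applied here

    def add(self, dn):
        self.entries.add(dn)

    def search_base(self, dn):
        """Return (status, entry_count): 0 on success, 32 when the base DN is absent."""
        if dn in self.entries:
            return 0, 1
        return LDAP_NO_SUCH_OBJECT, 0

    def apply_replication(self):
        while self.inbound:
            self.entries.add(self.inbound.popleft())


class DirectoryBank:
    """Models the user-directory server list with a selection policy.
    'round-robin' rotates servers per request; 'failover' stays on the first
    server while it is healthy (assumed healthy throughout this example)."""

    def __init__(self, replicas, policy):
        self.replicas = replicas
        self.policy = policy
        self._next = 0
        self.trace = []  # server chosen for each request, like "Using LDAP server bank #"

    def pick(self):
        if self.policy == "round-robin":
            replica = self.replicas[self._next % len(self.replicas)]
            self._next += 1
        elif self.policy == "failover":
            replica = self.replicas[0]
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        self.trace.append(replica.address)
        return replica

    def create(self, dn):
        target = self.pick()
        target.add(dn)
        for peer in self.replicas:
            if peer is not target:
                peer.inbound.append(dn)  # queued; applied only once the lag elapses

    def search(self, dn):
        return self.pick().search_base(dn)

    def replication_catches_up(self):
        for replica in self.replicas:
            replica.apply_replication()

    def lagging_replicas(self, dn):
        """Diagnostic: query every server directly and report those missing the DN."""
        return [r.address for r in self.replicas if r.search_base(dn)[0] != 0]


def create_org_and_bind_roles(policy, wait_for_replication=False):
    """Replay the two dependent IMS steps from the log under a given policy.
    Returns (status of the role-binding search, server trace, lagging replicas)."""
    bank = DirectoryBank(
        [Replica("nn.nn.nn.128:389"), Replica("nn.nn.nn.129:389")], policy
    )
    org_dn = "ou=123456,ou=x,ou=y,dc=z,dc=company,dc=net"  # constructed, as in the log
    bank.create(org_dn)                      # step 1: create the requested ou
    if wait_for_replication:
        bank.replication_catches_up()        # only to show the failure is lag-dependent
    lagging = bank.lagging_replicas(org_dn)  # state of each server at the moment of step 2
    status, _ = bank.search(org_dn)          # step 2: enumerate role bindings under the ou
    return status, bank.trace, lagging


if __name__ == "__main__":
    for policy in ("round-robin", "failover"):
        status, trace, lagging = create_org_and_bind_roles(policy)
        print(f"{policy:12} status={status:2} trace={trace} lagging={lagging}")
```

Both policies leave server bank #2 lagging at the moment of the second step; the policy only decides whether that dependent request is routed to the stale server. Round-robin sends it there and gets status 32, failover keeps it on the server that performed the write and succeeds, which is why the change to failover mode resolves the task failure without touching the directory data.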