How to avoid postCreate errors in Identity Manager when importing directories while integrated with SiteMinder.

Document ID : KB000030130
Last Modified Date : 14/02/2018

There have been a series of issues opened with support where the IM directory cannot be created from the management console when IM is integrated with SiteMinder 12.0 and 12.5.

When creating a SiteMinder integrated IM Directory, the IM application server first creates a copy of the directory object in the IM object store and then performs a post-create step that uses the SetLinkedData method to create a copy of the directory object in SiteMinder’s policy store. It is in this post-create step that the error occurs.

Typically, the errors report a postCreate failure, “object not found” or “duplicate object ID”. None of these messages accurately describes the problem or its solution.

Here are the typical resolutions for this scenario:

  • If you are on SM 12.5, you must import the idmSm.xdd file, or you will see this error.
  • If IM is pointed to a series of Policy Servers, IM uses round robin to talk to them. In some cases, IM sends a command to the second Policy Server node before the first command has been replicated from the first Policy Server. To avoid this, shut down all SM Policy Server nodes for the length of the import process.
  • IM searches for an auth scheme called Basic to use as a template for its new auth schemes. If this search does not return the object, the IMS environment will fail to be created.
  • If you already have IM environments or directories that are NOT integrated with SM, creating a new integrated directory will fail. Typically, this only happens in dev/test, as there are few real-world scenarios with mixed environments like this.
  • If, for some reason, the SiteMinder server cannot establish the underlying user directory LDAP connection, you will get this error. Typically, this is due to firewall problems where IM can reach the server but SM cannot.
  • Related to this, if the directory.xml file has the <directorySearch timeout="***"> value set, it appears that IM reads this value in seconds, but SM treats it as milliseconds. So, if this number is set to 300, IM will connect successfully, but SM may time out because it cannot connect within 300 milliseconds. The workaround is to set the timeout to "0", which means no timeout (infinite), or to a high value such as 100000.
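As an added example (not from the KB or the product), a small pre-import check for the timeout mismatch in the last bullet: it parses a directory.xml fragment, reads each directorySearch timeout as IM (seconds) and SM (milliseconds) would, and flags values the two sides disagree on. The element and attribute names come from the article; the surrounding XML layout, the function name and the 100000 threshold (taken from the article's suggested high value) are assumptions.

```python
"""Pre-import check for the directorySearch timeout unit mismatch.

Assumptions (not from the KB): only the directorySearch element and its
timeout attribute come from the article; the surrounding directory.xml
layout in SAMPLE_DIRECTORY_XML is constructed for this example.
"""
import xml.etree.ElementTree as ET

# The article recommends "0" (no timeout) or a high value such as 100000.
# Anything between is short enough, read as milliseconds, to time out in SM.
MIN_SAFE_TIMEOUT = 100000

# Constructed sample fragment; 300 is the problematic value from the article.
SAMPLE_DIRECTORY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ImsDirectory>
  <directorySearch timeout="300" />
</ImsDirectory>
"""


def check_directory_search_timeouts(xml_text):
    """Return one finding dict per directorySearch element found.

    IM reads timeout as seconds and SM as milliseconds, so both readings
    are reported next to a verdict the operator can act on before import.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Compare on the local name so a namespaced file still matches.
        if elem.tag.rsplit("}", 1)[-1] != "directorySearch":
            continue
        raw = elem.get("timeout")
        if raw is None:
            findings.append({"timeout": None, "verdict": "no timeout attribute set"})
            continue
        try:
            value = int(raw.strip())
        except ValueError:
            findings.append({"timeout": raw, "verdict": "not an integer; fix before import"})
            continue
        if value == 0:
            verdict = "ok: 0 means no timeout for both IM and SM"
        elif value >= MIN_SAFE_TIMEOUT:
            verdict = "ok: large enough even when read as milliseconds"
        else:
            verdict = "risky: IM waits %ds but SM only %.3fs; set to 0 or >= %d" % (
                value, value / 1000.0, MIN_SAFE_TIMEOUT)
        findings.append({"timeout": value, "im_seconds": value,
                         "sm_seconds": value / 1000.0, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in check_directory_search_timeouts(SAMPLE_DIRECTORY_XML):
        print(finding)
```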