Login suspended for all users even though only one of the several configured ADs (LDAPs) is down

Document ID : KB000125966
Last Modified Date : 04/02/2019
Issue:
The customer finds login suspended for all users even though only one of the several configured ADs (LDAPs) is down.

The error message displayed is “AHD04042: login failed for userid('userid'); login timed out (IES 10901)”; no additional errors are recorded in the Service Desk log files.


 
Environment:
EEM 12.6.0.5 Windows 64-bit (language independent)
Service Desk Manager 14.x, 17.x
Cause:
  1. If an AD goes down, EEM tries to reconnect/rebind to the failed AD only after the configured time interval “connrebindtimeinterval” has elapsed, and only if there is an authN/authZ request to the server.
  2. In this way EEM verifies the status of failed ADs once per configured interval, as specified in “connrebindtimeinterval”, which can cause slowness every time it checks whether the AD is down.
  3. If “connrebindtimeinterval” is not configured, EEM checks every two minutes (the default) whether an AD is down.
 
E.g.: suppose 3 ADs are down, each with conntimeout=10 sec and connrebindtimeinterval=5 mins. An authN request will then be slow every 5 mins and may take almost 30 seconds, i.e. the cumulative conntimeout of the three failed LDAPs.
 
Best practice: “conntimeout” for an AD shouldn’t be more than 5 seconds, even in case of very slow networks.
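
The retry behaviour and the 30-second example above, as an added illustration that is not part of the original article and is not EEM code: a simplified Python model in which each failed AD is retried on the first authN request after its connrebindtimeinterval has elapsed and costs its full conntimeout. The class and function names are hypothetical, and the model assumes every AD was found down at time 0.

```python
from dataclasses import dataclass

DEFAULT_REBIND_INTERVAL = 120    # seconds; the article's default of two minutes
MAX_RECOMMENDED_CONNTIMEOUT = 5  # seconds; the article's best-practice ceiling


@dataclass
class FailedAD:
    """One AD that is currently down (hypothetical model, not an EEM type)."""
    name: str
    conntimeout: int                                    # seconds per failed attempt
    connrebindtimeinterval: int = DEFAULT_REBIND_INTERVAL
    last_attempt: float = 0.0                           # assumption: found down at t=0


def simulate(ads, request_times):
    """Return [(request_time, added_delay_seconds)] for each authN request.

    A failed AD is retried only when a request arrives and its rebind
    interval has elapsed; the retry blocks for the AD's conntimeout.
    The ads' last_attempt fields are updated in place.
    """
    timeline = []
    for t in request_times:
        delay = 0
        for ad in ads:
            if t - ad.last_attempt >= ad.connrebindtimeinterval:
                delay += ad.conntimeout   # retries are cumulative across ADs
                ad.last_attempt = t
        timeline.append((t, delay))
    return timeline


def over_recommended(ads):
    """Names of ADs whose conntimeout exceeds the 5-second best practice."""
    return [ad.name for ad in ads if ad.conntimeout > MAX_RECOMMENDED_CONNTIMEOUT]


def page_example():
    """The article's case: 3 ADs down, conntimeout=10 s, rebind every 5 min."""
    ads = [FailedAD(f"ad{i}", conntimeout=10, connrebindtimeinterval=300)
           for i in (1, 2, 3)]
    # Constructed workload: one login attempt per minute for ten minutes.
    return simulate(ads, range(0, 601, 60))


if __name__ == "__main__":
    for t, delay in page_example():
        print(f"t={t:>3}s  added delay={delay}s")
```

Leaving connrebindtimeinterval unset in this model makes a slow login recur every 120 seconds instead of every 300, which is the trade-off the interval setting controls.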
 
Resolution:
This case was resolved in defect DE367696.

1. Define a new XML attribute, connrebindtimeinterval, in the sequence in SERVER.XSD present at C:\ProgramFiles\CA\SC\EmbeddedEntitlementsManager\config\server, i.e.:
<xs:element name="connrebindtimeinterval" type="NonZeroUnsignedInt" minOccurs="1" maxOccurs="1" />
 
Add the above after the attribute ldapautoreferral in the LdapStore section, as shown below.
 
image1

2. Now configure the new attribute (time value in seconds) for each AD in SERVER.XML, which is present at the same path as SERVER.XSD, as shown below.
image2
Note: It should be added immediately after the attribute “ldapautoreferral”.

3. Now make sure the iGateway and DXserver_itechpoz services are stopped, then back up iPoz.dll and eiamSpindle.dll present at C:\ProgramFiles\CA\SC\EmbeddedEntitlementsManager\lib and copy in the new iPoz.dll and eiamSpindle.dll, which have the fix.

4. Also back up the UI translations file eiamSpindle.tr present at C:\ProgramFiles\CA\SC\iTechnology and copy in the new eiamSpindle.tr file.

5. Start the iGateway and DXserver_itechpoz services.
Additional Information:
Unable to log in Service Desk with any user and EEM GUI is not accessible