What do these Messages mean, to be found in the various logs of the CA SSO Server or its embedded components: "MOD-ENTRY-REFUSE", "No Password Interval defined at all", "LDAP: Invalid oid", "navigate: name error, RDN not found"

Document ID : KB000025502
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Due to various circumstances one can find resulting errors and warnings in the embedded CA Directory logs.
This document is trying to give explanations on the possible reasons, asses their severity and is offer actions to circumvent.

By no means it claims to deliver a complete list of error messages or cover all possible combinations leading to these messages.

Should you find additional messages and require clarification, please do not hesitate to open a Support Issue with the SSO Support Team.

Solution:

  • Message:

    ERROR : MW: target="PS_ZSI-P301APPL" MOD-ENTRY-REFUSE
    dn=cn=@<user.id>,ou=<ou-name>:cn,ou=ps-ldap,ou=LoginInfos,o=PS
    No such object

    Possible Reason:

    This is most probably caused by an replication problem of the LoginInfos for this user for this application.
    We also saw issues where a larger set of LDIF data were loaded at the very same time on all Farm Members.

    Severity:

    Probably not severe when it is indeed just a replication problem at runtime of the dxmodify jobs.
    In case of SSO Client Failover at this very point in time the user would be faced with LearnMode for this application.

    Action to be taken:

    Allow the dxmodify job to comlete.
    Should the issue remain, manually sync the SSO Server's PS_DSAs by doing a dxdumpdb on one box and a dxloaddb on all the other boxes.

  • Message:

    No Password Interval defined at all.

    Possible Reason:

    This warning occurs each time a user runs an application, when there is no password policy associated with that application, to inform the administrator that an application exists without any password policy to enforce password expiration.
    This is the default situation when an application is created and it is not assigned a password policy.

    Severity:

    Testing has shown that this small amount of writing to log file has only a very small impact on performance.

    Action to be taken:

    If necessary create a password policy.

  • Message:

    WARN : LDAP: Invalid oid: dummy

    Possible Reason:

    This is a known issue to and is caused by the Policy Server referencing a dummy call to an invalid object identifier.

    Severity:

    Testing has shown that this small amount of writing to log file has only a very small impact on performance.

    Action to be taken:

    This is fixed in the latest build of the SSO 8.1 Server.

  • Message:

    WARN : navigate: name error, RDN not found

    Possible Reason:

    This is because the server tried to navigate to a specified entry in the PSTD, but it was not there since it was cleared due to SSO internal CleanUP mechanism clearing older tokens.

    Severity:

    The SSO Client will need to reauthenticate, but if you use the parameter:
    "AutoNetworkAuth=yes" in Auth.ini file, the relogon can be made transparent to the user in case of Windows Auth. Method is used.

    Action to be taken:

    If necessary increase the Policy Server's MaxConnections value equal or more to the maximum number of anticipated Clients and also TicketExpiration to allow a longer SSO Ticket lifetime.