Missing user-assigned bundles and/or unable to log in

  • 7011421
  • 26-Nov-2012
  • 07-Jun-2013

Environment

Novell ZENworks Configuration Management 10 Authentication
Novell ZENworks Configuration Management 10 Bundles
Novell ZENworks Configuration Management 11 Authentication
Novell ZENworks Configuration Management 11 Bundles

Situation

  • User-assigned bundles disappear or are not present (but device-assigned bundles always appear)
  • Application icons disappear
  • Users unable to log in to ZCM or are presented with a ZCM login dialogue box
  • Errors appear in services-messages.log (note that GUIDs and names will vary)
    • [AssignmentService.GENERAL_EXCEPTION] [The assignment web service encountered the following exception while handling "getEffectiveAssignments" request for 7d5706120c191016cc897c73ca4713cd~006650d06494d811a031000255c6af16: Unable to determine the object's parent UID] [] []
    • javax.naming.CommunicationException: connection closed [[Root exception is java.io.IOException: connection closed]]; remaining name 'ou=NTS,ou=UKB,ou=EMEA,o=Novell'
    • java.io.IOException: connection closed
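
To gauge how often these errors occur and which LDAP containers are affected, the log can be tallied by signature. The following is an added example, not Novell code: it assumes the log lines contain the messages exactly as quoted above, takes the path to services-messages.log as its only argument, and falls back to a constructed sample when run without one.

```python
import re
import sys
from collections import Counter

# Signatures copied from the messages quoted in this article.
ASSIGN_RE = re.compile(
    r'\[AssignmentService\.GENERAL_EXCEPTION\].*"getEffectiveAssignments" request for '
    r"([0-9a-fA-F]{32}~[0-9a-fA-F]{32}): Unable to determine the object's parent UID")
CLOSED_RE = re.compile(
    r"javax\.naming\.CommunicationException: connection closed.*remaining name '([^']*)'")

# Constructed sample input: the article's messages plus variants with made-up values.
ASSIGN_MSG = ('[AssignmentService.GENERAL_EXCEPTION] [The assignment web service encountered '
              'the following exception while handling "getEffectiveAssignments" request for '
              "{}: Unable to determine the object's parent UID] [] []")
CLOSED_MSG = ("javax.naming.CommunicationException: connection closed [[Root exception is "
              "java.io.IOException: connection closed]]; remaining name '{}'")
SAMPLE = [
    ASSIGN_MSG.format("7d5706120c191016cc897c73ca4713cd~006650d06494d811a031000255c6af16"),
    CLOSED_MSG.format("ou=NTS,ou=UKB,ou=EMEA,o=Novell"),
    "java.io.IOException: connection closed",  # root-cause echo, not counted twice
    ASSIGN_MSG.format("7d5706120c191016cc897c73ca4713cd~" + "a" * 32),  # constructed id
    CLOSED_MSG.format("ou=NTS,ou=UKB,ou=EMEA,o=Novell"),
    CLOSED_MSG.format("ou=Sales,o=Example"),  # constructed container
    "some unrelated log line",
]


def triage(lines):
    """Count both error signatures; tally closed connections per LDAP container."""
    out = {"assignment_failures": 0, "ldap_closed": 0, "requests": Counter(), "containers": Counter()}
    for line in lines:
        m = ASSIGN_RE.search(line)
        if m:
            out["assignment_failures"] += 1
            out["requests"][m.group(1)] += 1
            continue
        m = CLOSED_RE.search(line)
        if m:
            out["ldap_closed"] += 1
            out["containers"][m.group(1)] += 1
    return out


if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    result = triage(source)
    print(result["assignment_failures"], "assignment failures;", result["ldap_closed"], "LDAP connections closed")
    for name, count in result["containers"].most_common():
        print(f"  {count:5d}  {name}")
```

Containers that dominate the tally are the first places to check for a missing replica or index, as described under Resolution.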

Resolution

Ensure that the LDAP User Source is tuned correctly and that network latency is reduced.  If necessary, ensure that an LDAP user source is local to ZCM authentication servers.
 
LDAP Tuning
1.  Make sure the LDAP server is placed locally to the ZCM servers, cutting out any WAN links.
2.  Make sure the LDAP server(s) hold a Read/Write replica of ALL partitions in the tree.  NO EXCEPTIONS.  ANY missing replica(s) will slow down LDAP queries.
3.  Make sure there is an index on the following attributes (indexes are added through the Index Management tab on the NCP server object for the LDAP server):
     a) GUID - This is a default index.
     b) Member - Value
     c) Group Membership - Value
4.  If using dynamic groups, make sure there is an index defined on the attribute(s) being used in the criteria for the dynamic groups.

An enhancement request has been raised to improve the way ZCM handles LDAP.

Cause

This can be caused by poor or intermittent LDAP/network performance.

Status

Reported to Engineering
Top Issue

Additional Information

There are various tools, including ldapsearch and LDAP monitoring software, which report that the LDAP server is responding in a timely manner.  However, ZCM appears to be less tolerant of even small drops in LDAP performance.  These cases, which ZCM needs to handle more gracefully, have been reported to engineering.

Whilst the problem is happening (i.e. Connection Closed messages are appearing in services-messages.log) it may be possible to recover by variously trying zac retr/reg/ref.

The problem may be more prevalent in Citrix environments, because multiple getEffectiveAssignments requests can be generated over a single agent connection.  In one case, an entire Citrix farm with hundreds of servers would funnel back to a single LDAP server, generating a considerable load.

Another potential heavy-load scenario is when bundles are assigned to groups and users are members of many groups.