Unable to complete the CODE MAP refresh - LDAP error 80 transport failure (-625)

  • 7016855
  • 17-Sep-2015
  • 17-Sep-2015

Environment

NetIQ eDirectory 8.8.8
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Roles Based Provisioning Module 4.0.2
NetIQ Identity Manager 4.5
NetIQ Identity Manager Roles Based Provisioning Module 4.5

Situation

The entitlement query refresh does not complete when the driver is running on a server other than the one RBPM points to.

RBPM logs show the following error during the code map refresh process:

Caused by: javax.naming.NamingException: [LDAP: error code 80 - transport failure (-625)]; remaining name ''
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.extendedOperation(Unknown Source)
        at sun.reflect.GeneratedMethodAccessor602.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invokeMethod(EboLdapContextProxyHandler.java:145)
        at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invoke(EboLdapContextProxyHandler.java:86)
        at com.sun.proxy.$Proxy393.extendedOperation(Unknown Source)
        at com.novell.idm.nrf.persist.PopulateCodeMap.runQuery(PopulateCodeMap.java:662)
        ... 46 more

Resolution

By default the NCP connection between servers (which is also used in this process) has a total timeout of 115 seconds. If the time taken by the query plus the return of its results exceeds that value, the error shown above is raised. The timeout can be increased by setting the environment variable NCPCLIENT_REQ_TIMEOUT to a number of seconds larger than the total time the query takes.

On Linux this can be accomplished by editing the pre_ndsd_start script and adding the line:

export NCPCLIENT_REQ_TIMEOUT=xxx

where xxx is replaced by the desired number of seconds. The default value is 44 seconds (the other 61 seconds of the 115-second total timeout cannot be changed via parameters). The ndsd process needs to be restarted for the change to take effect.

On Windows, add NCPCLIENT_REQ_TIMEOUT with the desired value to the system environment variables; the whole Windows server needs to be restarted for the change to take effect.

Additional Information

The main cause described in this TID applies only when a driver set is associated with two or more servers. Other timeouts involved in the CODE MAP REFRESH, which can trigger even on a single-server system, are:

- Query Function timeout. Values range from 0 (unlimited) to 10 minutes, in 1-minute increments.
  Set at: IDMProv web UI > Roles and Resources > Configure Roles and Resource Settings > Entitlement Query Settings > Default Query Timeout
  Takes effect immediately.