RBPM Failure - OSP error: Closing LDAP connection due to connection timeout!

  • 7017798
  • 01-Jul-2016
  • 23-Jan-2017

Environment

NetIQ Identity Manager 4.5.x
NetIQ Identity Manager Roles Based Provisioning Module 4.5.x
NetIQ Self Service Password Reset 3.2.0.x

Situation

Unable to log in to SSPR / RBPM. Attempting to log in returns a "Login Failed, please try again" message.

Capturing an OSP trace allowed us to see the following error:

Message: Closing LDAP connection due to connection timeout! Interval: 125314, Timeout: 10000, Connection: Id: d49e2ae4-44e5-410c-9c2d-3893d37097f5, host: ldaps://1.1.1.1

Looking at the LDAP trace on the server did not show any errors during the LDAP search.

Note: the customer was using a custom attribute (Custom-Login) for login purposes, so it replaced the CN normally used for authentication.
This case also applies when custom login attributes are not used. In a default install, CN and mail are the two attributes used for login.

Resolution

Creating a value index on the Custom-Login attribute on the NCP Server object for the LDAP server that RBPM is using allowed the search to return in a timely manner and prevented the timeout. The user could then log in without error.

You should create value indexes on any attribute you use to search for users. In this case the search filter was (&(Custom-Login=User1)(objectClass=User)), so there should be an index on Custom-Login and on Object Class. Note that LDAP attribute names may differ from eDirectory attribute names: review the attribute mappings on the LDAP Group object for the LDAP server you are using to find the actual eDirectory attribute name.

In a default install, ensure the mail and CN attributes (CN is indexed by default) have a value index.

Cause

You set up OSP logging by adding or updating the following line in the setenv.sh file in the bin directory on the Tomcat server, then restarting Tomcat:
-Dcom.netiq.idm.osp.logging.level=TRACE

It writes to a file called osp-idm.<date>.log in the tomcat/log directory on the Tomcat server where OSP is running (the same directory as catalina.out).

OSP tracing showed the following information and error:

[OIDP]
Time: 2016-07-01T06:18:50.497-0300
Level: TRACE
Java Execution:
 Class: com.novell.oidp.source.ldap.LDAPAuthenticationSource
 Method: searchUser
 Line Number: -1
 Thread: http-bio-443-exec-1
Message: Performing LDAP search (&(Custom-Login=User1)(objectClass=User)) in context ou=users,o=novell

[OIDP]
Time: 2016-07-01T06:18:50.497-0300
Level: TRACE
Java Execution:
 Class: com.novell.identity.common.ldap.jndi.JNDIStore
 Method: doAdminSearch
 Line Number: -1
 Thread: http-bio-443-exec-1
Message: Base context: ou=users,o=novell, Filter: (&(Custom-Login=User1)(objectClass=User)), Scope: 2, Attributes: GUID, Custom-Login, srvprvPreferredLocale, initials, {$dn}, mail, mail, givenName, nrfMemberOf, Custom-Login, sn, loginIntruderAttempts, Request Controls: 0

[OIDP]
Time: 2016-07-01T06:18:50.497-0300
Level: TRACE
Java Execution:
 Class: com.novell.identity.common.ldap.jndi.A
 Method: A
 Line Number: -1
 Thread: http-bio-443-exec-1
Message: Closing LDAP connection due to connection timeout! Interval: 125314, Timeout: 10000, Connection: Id: d49e2ae4-44e5-410c-9c2d-3893d37097f5, host: ldaps://1.1.1.1
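The Resolution section derives the attributes that need value indexes from the filter in the "Performing LDAP search" record, and the trace above shows the record format OSP writes. The following Python script is an added example, not part of the TID or of NetIQ's tooling: it parses records in that "[OIDP]" format, pairs each "Closing LDAP connection due to connection timeout!" record with the most recent search on the same thread, and lists the attribute names from the filter so an administrator knows which indexes to check. The embedded trace is constructed for the example; the first two records mirror the ones in the TID and the third is an invented non-timeout search on a second thread. The reported names are LDAP attribute names, which still have to be mapped to eDirectory names via the LDAP Group object as the Resolution explains.

```python
import re

# Constructed sample trace in the "[OIDP]" record format OSP writes to osp-idm.<date>.log.
# Records 1 and 2 mirror the TID's trace; record 3 is a constructed search that did not time out.
SAMPLE_TRACE = """\
[OIDP]
Time: 2016-07-01T06:18:50.497-0300
Level: TRACE
Java Execution:
 Class: com.novell.oidp.source.ldap.LDAPAuthenticationSource
 Method: searchUser
 Line Number: -1
 Thread: http-bio-443-exec-1
Message: Performing LDAP search (&(Custom-Login=User1)(objectClass=User)) in context ou=users,o=novell

[OIDP]
Time: 2016-07-01T06:18:50.497-0300
Level: TRACE
Java Execution:
 Class: com.novell.identity.common.ldap.jndi.A
 Method: A
 Line Number: -1
 Thread: http-bio-443-exec-1
Message: Closing LDAP connection due to connection timeout! Interval: 125314, Timeout: 10000, Connection: Id: d49e2ae4-44e5-410c-9c2d-3893d37097f5, host: ldaps://1.1.1.1

[OIDP]
Time: 2016-07-01T06:19:02.010-0300
Level: TRACE
Java Execution:
 Class: com.novell.oidp.source.ldap.LDAPAuthenticationSource
 Method: searchUser
 Line Number: -1
 Thread: http-bio-443-exec-2
Message: Performing LDAP search (&(cn=User2)(objectClass=User)) in context ou=users,o=novell
"""

RECORD_SEP = "[OIDP]"
SEARCH_RE = re.compile(r"Performing LDAP search (\(.*\)) in context (.+)$")
TIMEOUT_RE = re.compile(
    r"Closing LDAP connection due to connection timeout! "
    r"Interval: (\d+), Timeout: (\d+),.*host: (\S+)"
)
# Attribute name in an RFC 4515 filter item: the token before =, ~=, >= or <=.
# Extensible-match items (attr:rule:=value) are not handled by this example.
ATTR_RE = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9-]*)\s*[~<>]?=")


def parse_records(trace_text):
    """Split an OSP trace into records; each record becomes a dict of its 'Key: value' lines."""
    records = []
    for chunk in trace_text.split(RECORD_SEP):
        fields = {}
        for line in chunk.strip().splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def filter_attributes(ldap_filter):
    """Return the attribute names asserted in an LDAP filter, in order, without duplicates."""
    names = []
    for name in ATTR_RE.findall(ldap_filter):
        if name not in names:
            names.append(name)
    return names


def find_timeouts(trace_text):
    """Pair each connection-timeout record with the last search seen on the same thread."""
    last_search = {}  # thread name -> (filter, base context)
    findings = []
    for rec in parse_records(trace_text):
        thread = rec.get("Thread", "?")
        msg = rec.get("Message", "")
        search = SEARCH_RE.search(msg)
        if search:
            last_search[thread] = (search.group(1), search.group(2))
            continue
        timeout = TIMEOUT_RE.search(msg)
        if timeout:
            ldap_filter, context = last_search.get(thread, ("", ""))
            findings.append({
                "time": rec.get("Time", ""),
                "thread": thread,
                "filter": ldap_filter,
                "context": context,
                "interval_ms": int(timeout.group(1)),
                "timeout_ms": int(timeout.group(2)),
                "host": timeout.group(3),
                "attributes": filter_attributes(ldap_filter),
            })
    return findings


def report(findings):
    """Render findings as text: the slow search, its filter, and the attributes to index."""
    lines = []
    for f in findings:
        lines.append(f"{f['time']} thread={f['thread']} host={f['host']}: "
                     f"search ran {f['interval_ms']} ms against a {f['timeout_ms']} ms timeout")
        lines.append(f"  filter: {f['filter'] or '<no search seen on this thread>'} "
                     f"base: {f['context'] or '<unknown>'}")
        if f["attributes"]:
            lines.append("  check eDirectory value indexes for LDAP attributes: "
                         + ", ".join(f["attributes"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_timeouts(SAMPLE_TRACE)))
```

Run it against a real osp-idm.<date>.log by reading the file into find_timeouts() instead of SAMPLE_TRACE. The thread-based pairing matters because Tomcat interleaves records from concurrent logins; correlating by thread rather than by adjacency keeps the timeout attached to the search that actually caused it.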