ISW Upgrade process from 6.0 to 6.0sp1 does not maintain pwsync plug-in configuration (Doc ID 1333767.1)

Last updated on OCTOBER 11, 2016

Applies to:

Oracle Directory Server Enterprise Edition - Version: 6.0 to 11.1.1.1.5 - Release: 6.0 to 11gR1
Oracle Directory Server Enterprise Edition - Version: 6.3 SP1 and later    [Release: 6.0 and later]
Information in this document applies to any platform.

Symptoms

After an upgrade to ISW 6.0 SP1 completed, error messages indicated that connectivity to the significant AD domain was failing for a specific set of users. When users from that domain who had recently changed their passwords attempted to bind, the on-demand password synchronization request for those specific accounts never seemed to come back properly from the AD server. Eventually, as the volume of these user requests increased, the directory server would hang.

Users in other domains within the enterprise were still able to change passwords on AD and still log in correctly to other instances of the DS that were not part of this same Active Directory domain. Tests demonstrated that password synchronization was still working for a majority of the AD domains.

As activity scaled to production workload levels, with the full user population, the issue caused production to hang every few hours. This at first forced a restart of services, then a complete re-route of traffic away from the DS servers, and ultimately the ISW connectors were uninstalled for the specific domain to try to get the directory server to stop hanging.


ERRORS SEEN DURING THE ISSUE
-----------------------

Within the DSEE 6.3.1 logs, only replication messages are seen from the point at which a search of the type that causes the hang occurs. Eventually the replication sessions halt as new connections to the DS are no longer accepted, and the server finally reaches a completely hung state.

Within the ISW 6.0 SP1 server, the following messages appear in its logs up to a hang event:

[13/Jun/2011:14:54:20.283 -0400] WARNING 28 CNN100 testserver.example.com "DS Plugin (SUBC100): unable to determine remote user id
of 'uid=testuser,ou=workgroup,ou=users,dc=example,dc=com'"

In this case a subset of users is impacted (users in a specific AD forest who have recently changed their password). But the outage triggered was significant because an entire segment of the enterprise could not log in properly, and the cause at the time appeared to be random.
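
An added example, not part of the original Oracle note: a Python sketch that groups the "unable to determine remote user id" warnings by the parent container of the affected DN, so that failures clustering under one subtree stand out. It joins records that wrap onto a second line, as in the excerpt above; the sample log is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the ISW log line quoted above; the
# message may wrap onto a second line, as it does on this page.
SAMPLE_LOG = '''\
[13/Jun/2011:14:54:20.283 -0400] WARNING 28 CNN100 testserver.example.com "DS Plugin (SUBC100): unable to determine remote user id
of 'uid=testuser,ou=workgroup,ou=users,dc=example,dc=com'"
[13/Jun/2011:14:54:21.010 -0400] INFO 28 CNN100 testserver.example.com "constructed unrelated message"
[13/Jun/2011:14:54:22.500 -0400] WARNING 28 CNN100 testserver.example.com "DS Plugin (SUBC100): unable to determine remote user id of 'uid=user2,ou=workgroup,ou=users,dc=example,dc=com'"
[13/Jun/2011:14:55:02.117 -0400] WARNING 28 CNN100 testserver.example.com "DS Plugin (SUBC100): unable to determine remote user id of 'uid=user3,ou=other,ou=users,dc=example,dc=com'"
'''

RECORD_START = re.compile(r"^\[\d{2}/\w{3}/\d{4}:")
FAILURE = re.compile(
    r"^\[[^\]]+\]\s+WARNING\s+.*?"
    r"unable to determine remote user id\s+of\s+'(?P<dn>[^']+)'"
)

def records(text):
    """Yield one logical record per timestamped entry, joining wrapped lines."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def parent_dn(dn):
    """Return the DN minus its leftmost RDN, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip().lower() if len(parts) == 2 else ""

def failures_by_container(text):
    """Count 'unable to determine remote user id' warnings per parent container."""
    counts = Counter()
    for rec in records(text):
        m = FAILURE.match(rec)
        if m:
            counts[parent_dn(m.group("dn"))] += 1
    return counts

if __name__ == "__main__":
    for container, n in failures_by_container(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {container}")
```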

Changes

While all the upgrades to other DS / ISW / AD domains to date had gone fine, it was noticed that the last phase of the upgrade was now causing a specific set of users to fail. It was noted that all failures were taking place around systems handling synchronization for "ou=workgroup,ou=users,dc=example,dc=com".

The recent upgrade represented significant changes to the environment. The upgrade process for ISW 6.0 is effectively an export data, uninstall, install new, import data process if performed on the same system.

It was discovered that specific tunable settings for the plugin that were present in the previous configuration were not present in the new configuration.

Cause
