ODSEE / ISW Upgrade Process from 6.0 to 6.0sp1 Does Not Maintain pwsync Plug-in Configuration
(Doc ID 1333767.1)
Last updated on FEBRUARY 27, 2019
Applies to: Oracle Directory Server Enterprise Edition - Version 6.3 SP1 and later
Information in this document applies to any platform.
After an upgrade to ISW 6.0 SP1 completed, error messages indicated that connectivity to a significant AD domain was failing for a specific set of users. When users who had recently changed their passwords attempted to bind, the on-demand password synchronization request for those accounts appeared never to come back from the AD server. Eventually, as the volume of these user requests increased, the directory server would hang.
Other users in other domains within the enterprise were still able to change passwords on AD and still log in correctly to other DS instances that are not part of this same Active Directory domain. Tests demonstrated that password synchronization was still working for a majority of the AD domains.
As the activity scaled to production workload levels, with the full user population, the issue caused production to hang every few hours. This at first forced a restart of services, then a complete re-route of traffic away from the DS servers, and ultimately the ISW connectors were uninstalled for the specific domain to try to get the directory server to stop hanging.
ERRORS SEEN DURING THE ISSUE
Within the 6.3.1 DSEE, only replication messages are observed from the point at which a search of the type that causes the hang occurs. Eventually the replication sessions halt as new connections to the DS are no longer accepted, and the server finally reaches a completely hung state.
Within the ISW 6.0 SP1 server, the following messages are observed in its logs up to a hang event:
[13/Jun/2011:14:54:20.283 -0400] WARNING 28 CNN100 <HOST>.example.com "DS Plugin (SUBC100): unable to determine remote user id of 'uid=<UID>,ou=workgroup,ou=users,dc=<example>,dc=com'"
In this case a subset of users was impacted (users in a specific AD forest who had recently changed their password). The outage triggered was nevertheless significant, because an entire segment of the enterprise could not log in properly, and the cause at the time appeared to be random.
While all the upgrades to other DS / ISW / AD domains to date had gone fine, it was noticed that the last phase of the upgrade was now causing a specific set of users to fail. It was noted that all failures were taking place around systems handling synchronization for "ou=workgroup,ou=users,dc=<example>,dc=com".
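An added example (not part of the Oracle note): one way to tally the warning quoted above by the parent container of each DN, so that failures confined to a single subtree stand out. The field layout is inferred from that one quoted line; the host name, uids, the staff container and the INFO text in the sample are constructed.

```python
import re
from collections import Counter

# Field layout inferred from the ISW warning quoted above:
# [timestamp] LEVEL thread-id component host "message"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<level>\w+)\s+\d+\s+\S+\s+(?P<host>\S+)\s+"(?P<msg>.*)"\s*$'
)
FAIL_RE = re.compile(r"unable to determine remote user id of '(?P<dn>[^']+)'")

def parent_container(dn):
    """Drop the leftmost RDN; commas escaped with a backslash do not split."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip().lower() if len(parts) == 2 else ""

def failures_by_container(lines):
    """Map container DN -> (failed lookups, distinct users affected)."""
    hits, users = Counter(), {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        f = FAIL_RE.search(m.group("msg")) if m else None
        if not f:
            continue  # unrelated or malformed line
        container = parent_container(f.group("dn"))
        hits[container] += 1
        users.setdefault(container, set()).add(f.group("dn").lower())
    return {c: (n, len(users[c])) for c, n in hits.items()}

# Constructed sample lines (host, uids, staff container and INFO text are invented).
_W = ('[13/Jun/2011:14:5{}:20.283 -0400] WARNING 28 CNN100 ds1.example.com '
      '"DS Plugin (SUBC100): unable to determine remote user id of \'{}\'"')
SAMPLE = [
    _W.format(4, "uid=user1,ou=workgroup,ou=users,dc=example,dc=com"),
    _W.format(5, "uid=user1,ou=workgroup,ou=users,dc=example,dc=com"),
    _W.format(6, "cn=Doe\\, Jane,ou=workgroup,ou=users,dc=example,dc=com"),
    _W.format(7, "uid=user9,ou=staff,ou=users,dc=example,dc=com"),
    '[13/Jun/2011:14:58:01.000 -0400] INFO 12 CNN100 ds1.example.com "constructed unrelated message"',
    "truncated line without the expected fields",
]

if __name__ == "__main__":
    ranked = sorted(failures_by_container(SAMPLE).items(), key=lambda kv: -kv[1][0])
    for container, (count, distinct) in ranked:
        print(f"{count:4d} failures, {distinct:3d} users  {container}")
```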
The recent upgrade represented significant changes to the environment. When performed on the same system, the upgrade process for ISW 6.0 is effectively an export data, uninstall, install new, import data process.
It was discovered that specific tunable plug-in settings that were present in the previous configuration were not present in the new configuration.