Last updated on MAY 26, 2017
Applies to: Identity Manager Connector - Version 188.8.131.52 and later
Information in this document applies to any platform.
AD pass sync connector does not handle 503 response code.
Scenario: OIM runs in a 2-node cluster. The AD Password Sync Connector has been configured to use a load balancer URL, and SSL is configured on the load-balanced address. The web servers are running Apache. Password syncing between AD and OIM works as expected while OIM is up and available.
Password reset attempts performed in AD while OIM is down are not synchronized over to OIM once OIM becomes available again after the outage. In the customer's test the persistent password queue remained empty. The same test works on a single node with no load balancer involved.
In the single-node test, when the OIM node goes down and the connector tries to contact that node, the response code returned to the connector is "502". The connector interprets this correctly and acts appropriately by persisting the password reset in the queue until OIM becomes available again.
In the load-balanced test, when both nodes are unavailable, the result is a Web Server Bridge error and the response code returned to the connector is "503". The connector does not handle this Web Server Bridge error and therefore does not interpret the 503 response code appropriately. As a result, the password reset is not persisted and is eventually lost.
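The following is an added illustration, not code from the Oracle connector: a small model of a password-sync client deciding whether a failed push to the target should be persisted for retry. The "narrow" policy is a hypothetical model of the asymmetry described above (a 502 is recognized as "target down", a 503 is not); the "robust" policy treats every 5xx and transport-level failure as transient. The responses, user names and queue are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PushResult:
    """Outcome of one attempt to push a password change to the target.
    status is the HTTP status code, or None when no HTTP response came back
    at all (connection refused, timeout)."""
    status: Optional[int]
    retry_after: Optional[int] = None  # seconds, from a Retry-After header if present


@dataclass
class PasswordEvent:
    user: str
    attempts: int = 0


class PersistentQueue:
    """Stand-in for the connector's on-disk queue of pending resets."""
    def __init__(self) -> None:
        self.items: List[PasswordEvent] = []

    def enqueue(self, ev: PasswordEvent) -> None:
        self.items.append(ev)

    def drain(self) -> List[PasswordEvent]:
        pending, self.items = self.items, []
        return pending

    def __len__(self) -> int:
        return len(self.items)


def is_transient_narrow(result: PushResult) -> bool:
    """Hypothetical model of the behaviour described in the article:
    only a 502 from the target is recognised as 'OIM is down'."""
    return result.status == 502


TRANSIENT_STATUSES = {408, 429, 500, 502, 503, 504}


def is_transient_robust(result: PushResult) -> bool:
    """Any server-side or transport failure means the change may still be
    deliverable later, so it must be kept rather than dropped."""
    if result.status is None:
        return True
    return result.status in TRANSIENT_STATUSES


def handle_push(ev: PasswordEvent, result: PushResult, queue: PersistentQueue,
                is_transient: Callable[[PushResult], bool]) -> str:
    """Returns 'synced', 'queued' (kept for retry) or 'dropped' (reset lost)."""
    if result.status is not None and 200 <= result.status < 300:
        return "synced"
    if is_transient(result):
        ev.attempts += 1
        queue.enqueue(ev)
        return "queued"
    return "dropped"


def retry_queued(queue: PersistentQueue, push: Callable[[PasswordEvent], PushResult],
                 is_transient: Callable[[PushResult], bool]) -> Dict[str, str]:
    """Replay everything in the queue once the target is back; anything that
    still fails transiently goes back into the queue."""
    outcomes: Dict[str, str] = {}
    for ev in queue.drain():
        outcomes[ev.user] = handle_push(ev, push(ev), queue, is_transient)
    return outcomes


# Constructed responses for the situations discussed in the article.
SINGLE_NODE_DOWN = PushResult(status=502)                    # one node, backend unreachable
LB_ALL_NODES_DOWN = PushResult(status=503, retry_after=30)   # load balancer: both nodes down
NO_CONNECTION = PushResult(status=None)                      # TCP-level failure (constructed)


def outcome_matrix() -> Dict[str, Dict[str, str]]:
    """Run each failure response through both policies: policy -> scenario -> outcome."""
    scenarios = {"502": SINGLE_NODE_DOWN, "503": LB_ALL_NODES_DOWN, "conn": NO_CONNECTION}
    matrix: Dict[str, Dict[str, str]] = {}
    for name, policy in (("narrow", is_transient_narrow), ("robust", is_transient_robust)):
        q = PersistentQueue()
        matrix[name] = {s: handle_push(PasswordEvent("alice"), r, q, policy)
                        for s, r in scenarios.items()}
    return matrix


if __name__ == "__main__":
    for policy, results in outcome_matrix().items():
        print(policy, results)
    # After the outage, the robust policy replays the queue once OIM answers 200.
    q = PersistentQueue()
    handle_push(PasswordEvent("bob"), LB_ALL_NODES_DOWN, q, is_transient_robust)
    print(retry_queued(q, lambda ev: PushResult(status=200), is_transient_robust))
```

Under the narrow policy the 503 case returns "dropped", which is the data-loss path the article describes; under the robust policy every failure response is queued and replayed, and a Retry-After value on the 503, where the load balancer supplies one, can be used as the backoff hint before the next replay.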
1. Stop all managed OIM and SOA servers in the environment.
2. After all managed servers are down, execute a password reset attempt via Ctrl+Alt+Del to reset the password in Active Directory.
3. The password reset is NOT placed into the persistent queue under this scenario, where OIM is unavailable and a 503 response is returned. The password reset is simply "lost", as the connector makes no attempt to persist it.