Group Circular RelationShip on Active Directory is Preventing to Access Analytics URL (Doc ID 2832953.1)

Last updated on DECEMBER 16, 2023

Applies to:

Symptoms

On production, some users can't log in to the Analytics URL, causing hogging threads on WLS bi_server1.

Two authentication providers were defined in the config/config.xml file, the embedded LDAP, and an external Active Directory, however, the issue is more related to the AD, where most of the users/groups were defined.

This issue was seen suddenly affecting consistently a set of users.

Customer was requested to provide a set of 3 thread dumps 20 seconds apart were collected on bi_server1 while the problematic users were trying to login into Analytics, finding a suspect thread:

From this thread the following information was obtained:

• This particular thread was blocking another 23 threads.
• As part of the problem, there would be a recursive call to weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.searchGroupLimited(LDAPAtnLoginModuleImpl.java:556) related to the authentication process when dealing with groups. 
• A similar problem was reported some years ago affecting an old version of WLS: WebLogic Managed Server Segmentation Fault and Core Dump Calling searchGroupUnlimited (<Note 1302204.1>)
• Enabling ATN debug flag should provide more information to isolate the problematic groups.

Changes

 No changes were reported from the WLS perspective.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.