Troubleshooting
Problem
WebSEAL is configured with two LDAP servers: a high-priority master and a low-priority replica. When the master LDAP server is powered down, WebSEAL sometimes enters a state in which no authentication mechanism is available, even though the replica LDAP server is still reachable.
Symptom
WebSEAL does not notice that the replica LDAP server is available while the master LDAP server is down.
Cause
By default, WebSEAL creates LDAP connections synchronously. If, while the master is down, a request to the replica also happens to time out, WebSEAL marks both servers as failed and logs 'Authentication mechanism is not available'. WebSEAL then tries to connect to each server to check whether it has recovered. However, because connection creation is serialized, only one of the waiting connection attempts is picked up at a time, and those waiting attempts consist of many against the master (which keep failing) and only one against the replica. The attempt against the replica therefore rarely gets its turn, so WebSEAL does not learn that the replica LDAP server is available again.
Diagnosing The Problem
The following sequence of error messages is recorded in msg__webseald.log:
HPDRG0201E Error code 0x51 was received from the LDAP server. Error text: "Can't contact LDAP server".
DPWIV0192W LDAP server MASTER has failed
HPDCO0197W LDAP search request to REPLICA timed out after 10 seconds.
DPWIV0192W LDAP server REPLICA has failed
HPDIA0119W Authentication mechanism is not available.
HPDRG0201E Error code 0x51 was received from the LDAP server. Error text: "Can't contact LDAP server".
The last message is then recorded periodically until the MASTER LDAP server becomes available again.
Resolving The Problem
Configure WebSEAL to create LDAP connections asynchronously by setting the following parameter in the WebSEAL configuration file:
[ldap]
client-async-auth-binds=yes
Note that the number of concurrent LDAP connections opened by WebSEAL increases when this parameter is enabled, so allow for it in the LDAP servers' connection capacity.
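The following Python script is an added example, not part of this technote or of the WebSEAL product, to help confirm both halves of the problem: it scans msg__webseald.log for the message sequence shown under "Diagnosing The Problem" (a server that only timed out being marked failed alongside the master, followed by HPDIA0119W), and it checks whether the [ldap] stanza of the WebSEAL configuration file already has client-async-auth-binds set to yes. The sample log lines and configuration excerpts are constructed here, modelled on the messages above; the path of the configuration file (webseald-<instance>.conf) and the use of '#' for comments are assumptions, and the key is treated as absent-means-no, matching the technote's statement that synchronous connection creation is the default.

```python
import re
import sys

# Constructed sample of msg__webseald.log, modelled on the technote's message sequence.
SAMPLE_LOG = """\
HPDRG0201E Error code 0x51 was received from the LDAP server. Error text: "Can't contact LDAP server".
DPWIV0192W LDAP server MASTER has failed
HPDCO0197W LDAP search request to REPLICA timed out after 10 seconds.
DPWIV0192W LDAP server REPLICA has failed
HPDIA0119W Authentication mechanism is not available.
HPDRG0201E Error code 0x51 was received from the LDAP server. Error text: "Can't contact LDAP server".
HPDRG0201E Error code 0x51 was received from the LDAP server. Error text: "Can't contact LDAP server".
"""

# Constructed configuration excerpts (before and after the fix); only the entry discussed is shown.
SAMPLE_CONF_BEFORE = "[ldap]\n# constructed excerpt\nclient-async-auth-binds = no\n"
SAMPLE_CONF_AFTER = "[ldap]\nclient-async-auth-binds = yes\n"

FAILED_RE = re.compile(r"^DPWIV0192W LDAP server (\S+) has failed")
TIMEOUT_RE = re.compile(r"^HPDCO0197W LDAP search request to (\S+) timed out")
NO_AUTH_ID = "HPDIA0119W"


def analyse_log(lines):
    """Summarise the LDAP failover messages in a sequence of msg__webseald.log lines.

    Returns which servers were marked failed (in order), which of those had only
    timed out (rather than returning an error), and whether WebSEAL went on to
    report that no authentication mechanism is available.
    """
    failed = []
    timed_out = set()
    no_auth = False
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failed.append(m.group(1))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timed_out.add(m.group(1))
            continue
        if line.startswith(NO_AUTH_ID):
            no_auth = True
    only_timed_out = [s for s in failed if s in timed_out]
    return {
        "failed": failed,
        "timed_out": sorted(timed_out),
        "no_auth": no_auth,
        # A server failed on a timeout alone while another server failed too,
        # and authentication was lost: the pattern this technote describes.
        "matches_technote": no_auth and len(failed) >= 2 and bool(only_timed_out),
        "only_timed_out": only_timed_out,
    }


def parse_stanzas(text):
    """Minimal parser for WebSEAL's stanza-style configuration ([stanza] then key = value)."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumes '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current].append((key.strip().lower(), value.strip()))
    return stanzas


def async_binds_enabled(conf_text):
    """True only if the [ldap] stanza sets client-async-auth-binds to yes (last value wins)."""
    entries = parse_stanzas(conf_text).get("ldap", [])
    values = [v for k, v in entries if k == "client-async-auth-binds"]
    return bool(values) and values[-1].lower() == "yes"


if __name__ == "__main__":
    # Usage: python check_webseal_ldap.py [msg__webseald.log] [webseald-<instance>.conf]
    log_lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    conf_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CONF_BEFORE
    result = analyse_log(log_lines)
    print("failed servers:", result["failed"], "only timed out:", result["only_timed_out"])
    print("matches technote pattern:", result["matches_technote"])
    print("client-async-auth-binds=yes:", async_binds_enabled(conf_text))
```

Run it against the real msg__webseald.log and configuration file to see whether the failover stall is present and whether the asynchronous-bind setting is already in place; with no arguments it runs over the constructed samples.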
Document Information
Modified date:
16 June 2018
UID
swg21983062