
Can't connect on launchpad without updating ldap users before

0 Kudos

hello,

I have run into the following problem.

On BI4.1 SP6 (Linux server), I get a timeout on the launchpad authentication page.

No user can connect when this occurs.

At this moment, if I go to the CMC and ask for a refresh of all LDAP users, people can connect to the launchpad again.

My configuration is as follows:

Third-party authentication via LDAP, LDAP dynamic groups.

If people try to authenticate via Enterprise logon, it works.

My repository is DB2 (third-party).

Has anyone ever encountered this kind of behaviour?

Best regards .

Raoul K.

Accepted Solutions (0)

Answers (2)


jean-luc_clerc
Explorer
0 Kudos

Hi Raoul,

Are there any firewalls between your CMS and/or Java web application server and your LDAP servers?

If yes, timeouts on inactive sessions may occur.

It can also happen with other network equipment that does address translation.

CMS keeps a permanent connection to the LDAP server.

Scheduling an LDAP update is a good workaround if you cannot quickly find the root cause.

Scheduling an authentication probe that uses LDAP authentication is a better one, as you could receive a mail if it fails or if it's too slow.

Regards,

jean-Luc

0 Kudos

Hi Jean-Luc

I have a firewall between my LDAP servers and the B.I4 Server. But I have on the same network a cluster of 2 BI servers (production) which communicate with the same LDAP server and do not have the same behaviour at all ... |-(

Raoul

former_member187093
Participant
0 Kudos

It seems strange. Looks like a connectivity problem. Is there any timeout set in the LDAP server?

New users were not populated in BO, so we wrote a Java SDK program and scheduled it as a program job to update LDAP so that it will rebuild the LDAP tree.

0 Kudos

hello Sivakumar,

Thanks for your suggestions.

No timeout set in LDAP.

No connectivity problem either: if I ask for a manual LDAP users update in CMC, it works fine.

I scheduled an LDAP users update every hour in CMC as a sidestep to bypass this problem, but I suppose this is not the solution.

R.

former_member187093
Participant
0 Kudos

We used the Java SDK as a program job in 3.1. The LDAP users update feature was not available in 3.1 🙂

Normally, if the user is not able to log in (LDAP authentication), then BO is not able to connect to the LDAP server to check the credentials, but we should see the 'not able reach LDAP server' error message.

I guess this issue is related to the LDAP tree with SecLDAP.dll. Try to enable trace and see if you can catch any details. Generally, an intermittent issue is difficult to resolve 🙂

0 Kudos

Where do you see the 'not able reach LDAP server' error message? In a dialog box or in the logs?

I have the same problem when I try to get the list of users in CMC/users. Almost all my users are imported from LDAP. When I try to get this list, I get this message in a dialog box:

"An unexpected error occured when decoding JSF component {0}."

At this moment, if I update LDAP users via CMC/authentication/ldap/update, I get my list a few seconds later.

0 Kudos

I guess this issue is related to the LDAP tree with SecLDAP.dll. Try to enable trace and see if you can catch any details. Generally, an intermittent issue is difficult to resolve 🙂

I tried to tcpdump connections between LDAP and BI4.1 and between BI4.1 and the DB2 repository.

It's clear that connections seem lazy between LDAP and BI4.1 (but perhaps that is normal) and verbose during and after the update. But before the update, the BI4.1 and the LDAP server communicate:

Below is a short extract of tcpdump between boxi-rct (BI4.1) and ldapr1:

boxi-rct.in.ac-rennes.fr.45737 > ldapr1.ac-rennes.fr.ldap: Flags [P.], cksum 0x1e9d (incorrect -> 0xbcf5), seq 15:94, ack 15, win 115, options [nop,nop,TS val 283659523 ecr 652485228], length 79

E...e.@.@.....V...C.......(...K^...s.......

..M.&."l0M...cH.%ou=ac-rennes,ou=education,o=gouv,c=fr

..

...............uid..*****.

14:23:20.470004 IP (tos 0x0, ttl 62, id 26943, offset 0, flags [DF], proto TCP (6), length 1500)

    ldapr1.ac-rennes.fr.ldap > boxi-rct.in.ac-rennes.fr.45737: Flags [.], cksum 0x44e7 (correct), seq 15:1463, ack 94, win 1448, options [nop,nop,TS val 652485234 ecr 283659523], length 1448

E...i?@.>.....C...V.......K^..).....D......

&."r..M.0......d..y.Buid=*****,ou=personnels EN,ou=ac-rennes,ou=education,o=gouv,c=fr0..10...mailDeliveryOption1      ..mailbox0,..mailForwardingAddress1...******...mailMessageStore1    ..part****'..mailHost1...****.in.ac-rennes.fr0...mailUserStatus1...active0..

..theme_green0...dermaj1..

PS: I got a lot of "cksum incorrect" ...

jean-luc_clerc
Explorer
0 Kudos

The message "an unexpected error occured when decoding JSF component {0}" while trying to get the AD or LDAP user list is clearly a communication failure.

When clicking on Update, the communication is restored and then it works again.

As it never happens on the production system but only on that one, this could be because there is a lot less activity on that one.

Have you got an idea when the last logon happened before that problem occurs?

CMS opens a connection to LDAP when it starts, and keeps it open all its life.

The only place where it reopens it if it has been broken is when you update the LDAP tree (scheduled or manually).

0 Kudos

Hello Jean-Luc

I was wrong when I said that I have on the same network a cluster of 2 BI servers (production) which communicate with the same LDAP server and do not have the same behaviour at all; these 2 servers make an LDAP update every hour.

I will soon try a tcp.keep.alive to try to bypass a loss of activity that a firewall could diagnose and close the connection.

Raoul
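
Added example, not part of the thread and not SAP code: a shell check for the firewall idle-timeout theory discussed above. It lists LDAP connections that have no TCP keepalive timer armed and compares the kernel's keepalive idle time with the firewall's idle timeout. The `ss` sample is constructed, the function names are made up for this example, and the 3600-second firewall timeout is an assumed value.

```shell
#!/bin/sh
# Constructed sample of `ss -tno state established` output; addresses are
# documentation placeholders, not values from the thread.
SAMPLE_SS='Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      0      192.0.2.10:45737    198.51.100.5:389
0      0      192.0.2.10:45801    198.51.100.5:389    timer:(keepalive,92min,0)
0      0      192.0.2.10:51022    198.51.100.7:50000  timer:(keepalive,12min,0)'

# Reads ss output on stdin and prints the local endpoint of every connection
# to an LDAP/LDAPS port that has no keepalive timer armed.
ldap_without_keepalive() {
    awk 'NR > 1 && $4 ~ /:(389|636)$/ && $0 !~ /timer:\(keepalive/ { print $3 }'
}

# Kernel idle time (seconds) before the first keepalive probe; 7200 is the
# Linux default and is used when /proc is not readable.
kernel_keepalive_time() {
    cat /proc/sys/net/ipv4/tcp_keepalive_time 2>/dev/null || echo 7200
}

# Succeeds when the first probe fires before the firewall idle timeout.
keepalive_beats_firewall() {
    [ "$1" -lt "$2" ]
}

FIREWALL_IDLE=3600  # assumption: ask the firewall team for the real value

exposed=$(printf '%s\n' "$SAMPLE_SS" | ldap_without_keepalive)
echo "LDAP connections without keepalive: ${exposed:-none}"

ka=$(kernel_keepalive_time)
if keepalive_beats_firewall "$ka" "$FIREWALL_IDLE"; then
    echo "tcp_keepalive_time=${ka}s fires before the ${FIREWALL_IDLE}s idle timeout"
else
    echo "tcp_keepalive_time=${ka}s is too long for a ${FIREWALL_IDLE}s idle timeout"
fi
```

On the BI server itself, pipe live output into the same function with `ss -tno state established | ldap_without_keepalive`. The kernel keepalive settings only affect sockets whose owning process enabled keepalive, which is what the timer column shows.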