Caught Exception at Azure AD Driver Initialization

Identity Manager Azure Active Directory Driver - Caught Exception during Initialization

Situation

The following error is received when attempting to start the Azure AD driver.

DirXML: [11/30/18 11:46:33.46]: TRACE:  Azure AD_Azure: RESTSubscriptionShim.init()
DirXML: [11/30/18 11:46:33.46]: TRACE:  Azure AD: Caught exception during REST Channels initialization.
DirXML: [11/30/18 11:46:33.46]: TRACE:  Remote Loader: PublicationShim.init() returned:
DirXML: [11/30/18 11:46:33.46]: TRACE:  <nds dtdversion="4.x" ndsversion="8.x">
    <source>
        <product build="20171120_1044" instance="Azure AD" version="5.0.1.2">Identity Manager Driver for Azure AD and Office 365</product>
        <contact>NetIQ Corporation</contact>
    </source>
    <output>
        <status level="fatal" type="com.novell.nds.dirxml.driver.azure.StatusException"/>
    </output>
</nds>
DirXML: [11/30/18 11:46:33.46]: 
DirXML Log Event -------------------
    Driver  = \VAULT\novell\services\DriverSet\Azure AD
    Thread  = Publisher
    Level   = fatal
DirXML: [11/30/18 11:46:33.46]: 
DirXML Log Event -------------------
    Driver  = \VAULT\novell\services\DriverSet\Azure AD
    Thread  = Subscriber
    Level   = error
    Message = Fatal error returned from shim

Environment

• Identity Manager Driver - Azure Active Directory version 5.0.1.2
• Identity Manager 4.8.0

Resolution

The Application User password being used by the Identity Manager Azure Active Directory driver to authenticate into Azure Active Directory contained a special character in the password.   In this case a < character.

After removing the special character from the password, and saving the new application password for the application user on the driver properties, the driver was able to start successfully.

[+/-] Read More...

[+/-] Summary Only...

Active Directory to Identity Vault Group Synchronization is Limited to 5000 Members

Situation

Active Directory Groups that contain more than 5000 members cannot be published / synchronized to Identity Vault via Identity Manager's Active Directory Driver. They are truncated to 5000 members during the Publisher Channel polling cycle.

However, migrating the Group into the Identity Vault will temporarily sync up the member lists but any subsequent modification of the group in Active Directory will cause the group to again be truncated to 5000 members in the Identity Vault.

Search:  Users members being lost from large groups 

Environment

• Novell Identity Manager 4.8
• Novell Identity Manager Driver- Active Directory Driver

Resolution

Under the Driver Parameters > Advanced Options, set Enable DirSync Incremental Values to Yes.   This allows the driver to query and synchronize only modified users in the group (users being added or removed from the group) instead of the whole group. 

Additional Information

This issue occurs due to a limitation in Microsoft's DirSync API. Microsoft Active Directory limits the number of values returned in response to DirSync LDAP queries to 5000 values. This is an Active Directory hard limit and is not dependent on the MaxValRange parameter of the Domain Controller's LDAP Policy (see ntdsutil.exe)

For Active Directory whose Forest and domain are operating at or after "Windows Server 2003" domain functional levels, implementation of the DIRSYNC_LDAP_INCREMENTAL_VALUES control resolves this issue. This control was implemented since Identity Manager 3.5 Active Directory Driver Patch 1 - 20070601, now replaced by the Identity Manager 3.5.1 or later downloads.

The Incremental Values server control allows the Active Directory driver to ask for (and receive) only changed values of an attribute such as the member attribute on a group object preventing the need to continually sync the entire member list and hit the 5000 value DirSync limitation.

This parameter is already included in current versions of the Active Directory driver configuration (3.6 and higher)

<definition display-name="Enable DirSync Incremental Values" hide="false" id="115" name="enable-incremental-values" type="enum">

<description>Ordinarily the publisher will receive all member values of a group when one or more has changed. This option reports only the added or deleted member values during the poll interval. Requires 2003 Forest functional mode.</description>

<enum-choice display-name="Yes">yes</enum-choice>

<enum-choice display-name="No">no</enum-choice>

<value>yes</value>

</definition>

[+/-] Read More...

[+/-] Summary Only...

Authentication Denied due to Low Memory

New Authentications Denied due to Low System Memory

Situation

Periodically, new connections to Identity Server or Access Gateway (proxy) services were failing with the error.

New authentications are being denied due to low system memory. Threshold 10 Current: 6.109713

Restarting the Identity Server or Access Gateway would temporarily resolve the problem

The Access Manager 4.4.4 Appliance each had 8 GB of memory. As the error was regarding authentications rather than proxy connections, it was suspected that this was java memory issue used by the embedded service provider.

Default Java memory is 1GB and had already been increased to 2 GB but the problem persisted.

 

Environment

• Micro Focus Access Manager 4.4.4 Appliance(s)

Resolution

Enabling Statistics Logging on the IDP Cluster will also enable statistics in the catalina log for the ESP on the Access Gateway. A recommended logging interval value for a production system would be 600 (seconds).

These statistics are then printed to the log every ten minutes and looks like

NIDPMonitor: Tick: 598

                          System Status

                          Initialization State: Started

                          Total Sessions: 26497

                          Total Subjects: 1766

                          Total Principals: 3532

                          System Memory

                          Free Memory: 3.2926752E8 

                          Total Memory: 2.11759923E9 

                          Percent Free: 15.549095

We can see that this is a busy Access Manager system.

Total memory is 2.11 exp 9 which equates to the -Xmx2048m  (max Heap Memory) value configured in server.xml.

In the above statistic we only have 15% of memory available.

The error mentioned above states "Threshold 10 Current: 6.109713"

The Threshold of 10 is defined in server.xml

JAVA_OPTS="${JAVA_OPTS} -Dnids.freemem.threshold=10" 

and the ESP will limit further authentication when free memory goes below 10 % and throttling will begin as we see in this example.

   Free Memory: 1.36996032E8 

   Total Memory: 2.11759923E9

   Percent Free: 6.4694033

   System Throttle:

   Due to Low Memory: (Request Blocked)

The solution here is to allocate more than 2 GB memory to the java heap. As the server has 8 GB RAM and is a dedicated Access Manager Appliance, 4 GB is sufficient for the operating system and we can allocate 4 GB to the java heap for the Identity Server.

As we know from our baseline that we will use at least 2 GB for java, we should allocate at least this value at startup (-Xms) to improve performance.

The following line was added to /opt/novell/nam/idp/conf/tomcat.conf to resolve the problem.

JAVA_OPTS="-server -Xmx4096m -Xms2048m -Xss128k"

[+/-] Read More...

[+/-] Summary Only...

Micro Focus GroupWise Web 18.2 - Part 2

Getting Started with GroupWise Web

• Prerequisites
• Installing Docker on SLES
• Downloading and running the webacc-ng-config utility
• Downloading and running the image
• Updating the image
• Updating the GroupWise Post Office Agent

Prerequisites

• GroupWise 18.2 or later.
• GroupWise POA with SOAP enabled. SOAP must have SSL enabled.
• (Optional) TLS certificates for GroupWise Web.
• Fill out the GroupWise Web Worksheet with the information for your GroupWise system.
• Docker 17.0.9 or higher

[+/-] Read More...

[+/-] Summary Only...

Read more »