When a backslash ("\") character is part of a service account user name, the FID server connection pool connects to the backend AD with the wrong username: the backslash is stripped from the bind name.
When a real-time cache refresh runs with ADDirSync connector capture and apply, the queue starts growing and the apply stops refreshing any changes. (This most likely happens during a switch from the primary to the failover server, and again when the primary comes back online in the data source.)
The sync_engine.log shows the following error during apply:
Failure when processing refresh event: com.rli.slapd.server.LDAPException (1); Operations error : javax.naming.AuthenticationException:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580 ]; Operations error - message left in queue- will retry
For example, if the service account is "NV\administrator", the refresh engine binds with the wrong username, NVadministrator (no backslash), which causes the AuthenticationException. The connection pool monitor entry shows the same stripped name:
dn: cn=jndi,cn=conn-pools,cn=monitor
current-pool-size-simple: 2
pool-id-simple-1: 10.11.3.224:389:::null:NVadministrator:size=0; use=0; busy=0; idle=0; expired=0
pool-id-simple-0: localhost:500:::null:NVadministrator:size=17; use=17; busy=17; idle=0; expired=0
There should be a backslash between NV and administrator, because the service account used has a backslash.
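A small check, added here as an example and not part of FID or of this article's own tooling, that parses the cn=conn-pools monitor output above and flags pools whose bind user differs from the configured service account only by a missing backslash. The sample output is the article's own; the field layout assumed by the regular expression is read from those lines (the meaning of the field shown as "null" is not documented here), and the service account value is the page's example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the monitor output shown in the article, embedded so the check runs offline.
SAMPLE_MONITOR = """dn: cn=jndi,cn=conn-pools,cn=monitor
current-pool-size-simple: 2
pool-id-simple-1: 10.11.3.224:389:::null:NVadministrator:size=0; use=0; busy=0; idle=0; expired=0
pool-id-simple-0: localhost:500:::null:NVadministrator:size=17; use=17; busy=17; idle=0; expired=0
"""

# Service account as configured on the data source (the article's example value).
CONFIGURED_SERVICE_ACCOUNT = r"NV\administrator"

# Assumed layout of a pool line: host:port, two empty fields, an unlabelled field
# (shown as "null" on the page), the bind user, then "key=value; ..." statistics.
POOL_LINE = re.compile(
    r"^(?P<pool>pool-id-simple-\d+):\s*"
    r"(?P<host>[^:]+):(?P<port>\d+):::"
    r"(?P<unlabelled>[^:]*):"
    r"(?P<bind_user>[^:]*):"
    r"(?P<stats>.*)$"
)


@dataclass
class PoolEntry:
    pool: str
    host: str
    port: int
    bind_user: str
    stats: dict = field(default_factory=dict)


def parse_pool_entries(text: str) -> list[PoolEntry]:
    """Parse every pool-id-simple-N line of the monitor output into a PoolEntry."""
    entries: list[PoolEntry] = []
    for line in text.splitlines():
        m = POOL_LINE.match(line.strip())
        if not m:
            continue  # dn:, current-pool-size-simple: and other lines are not pool entries
        stats = {}
        for kv in m.group("stats").split(";"):
            kv = kv.strip()
            if "=" in kv:
                key, value = kv.split("=", 1)
                stats[key.strip()] = int(value)
        entries.append(
            PoolEntry(m.group("pool"), m.group("host"), int(m.group("port")),
                      m.group("bind_user"), stats)
        )
    return entries


def check_bind_users(entries: list[PoolEntry], expected: str) -> list[tuple[str, str, str]]:
    """Return (pool, bind_user, verdict) for each pool whose bind user is not the configured account.

    The verdict distinguishes the symptom described in the article (the bind user equals the
    configured account with every backslash removed) from any other unexpected bind user.
    """
    findings = []
    stripped = expected.replace("\\", "")
    for e in entries:
        if e.bind_user == expected:
            continue
        verdict = "backslash dropped" if e.bind_user == stripped else "unexpected bind user"
        findings.append((e.pool, e.bind_user, verdict))
    return findings


if __name__ == "__main__":
    pools = parse_pool_entries(SAMPLE_MONITOR)
    for pool, user, verdict in check_bind_users(pools, CONFIGURED_SERVICE_ACCOUNT):
        print(f"{pool}: bind user {user!r} -> {verdict}")
```

Run it against a fresh ldapsearch of cn=jndi,cn=conn-pools,cn=monitor after changing the service account or upgrading: an empty result from check_bind_users means the pool is binding with the name you configured.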

This is a bug on the VDS side: an escape is missing when the connection pool is generated. Our dev team is still working on the fix and it will most probably be available in the next release (v7.3.28).
Unfortunately, there is no easy workaround, since the issue sits in the FID server's internal connection management code. We do have a few recommendations that address the issue for now; apply any one of them and validate.
- Use a different form of the service account username, without any backslashes in it, for example the full DN of the account or its userPrincipalName.
- Remove the failover server from the data source and keep just one primary server in it. If that primary server goes down, the connectors simply keep retrying until it is back. You can additionally increase the retry interval to a longer duration so that the connectors don't shut down after a certain period and have to be started manually again.
- Do a hard reset of the cn_queue:
a. Stop the FID servers on all the nodes, followers first and leader last.
b. Rename the folder $RLI_HOME\vds_server\data\cn_queue on all the nodes.
c. Start the leader first and then the followers.
d. Stop the cache refresh connectors for ou=users.
e. Click Reset Cursor.
f. Re-initialize the persistent cache (Pcache).
g. Start the connectors again.