Monday, 10 February 2014

CWWIM4564I The user registry is now connected to ....

A few of my colleagues have been seeing this "error" message in their WAS SystemOut.log files: -

[2/4/14 13:01:27:694 EST] 00000043 LdapConnectio I com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4564I  The user registry is now connected to 'ldap://hostname.domainname.com:389' LDAP Server.

repeatedly, in blocks of a few hundred, BUT with over 40K of messages in one hour :-(

Another chap came back and said that he'd seen, and mitigated, this with a wimconfig.xml change.

Initially, I thought it might be my old friend - allowOperationIfReposDown="true"

<snip>
...
<config:realmConfiguration defaultRealm="Collaboration">
<config:realms delimiter="/" name="Collaboration" securityUse="active" allowOperationIfReposDown="true">
<config:participatingBaseEntries name="ou=groups,o=foo"/> <config:participatingBaseEntries name="ou=users,o=foo"/> <config:participatingBaseEntries name="ou=systems,o=foo"/> <config:participatingBaseEntries name="ou=admins,o=foo"/>
...
</snip>

as documented in this Technote: -

What are the consequences of one repository becoming unavailable in a federated environment?

however, it wasn't that one - it was one of which I've not previously been aware: -

<snip>
...
 <config:repositories xsi:type="config:LdapRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
        id="MyLdap" isExtIdUnique="true" supportAsyncMode="false" supportExternalName="false"
        supportPaging="false" supportSorting="false" supportTransactions="false" supportChangeLog="none"
        certificateFilter="" certificateMapMode="exactdn" ldapServerType="AD" translateRDN="false">
      <config:baseEntries name="DC=myldap,DC=com" nameInRepository="DC=myldap,DC=com"/>
      <config:loginProperties>uid</config:loginProperties>
      <config:ldapServerConfiguration primaryServerQueryTimeInterval="15" returnToPrimaryServer="false"
          sslConfiguration="">
        <config:ldapServers authentication="simple" bindDN="myldap\user"
            bindPassword="{xor}asdfgasdfgasdf==" connectionPool="false" connectTimeout="20"
            derefAliases="always" referal="ignore" sslEnabled="false">
          <config:connections host="myldap.net" port="389"/>
        </config:ldapServers>
      </config:ldapServerConfiguration>
</snip>

This allows WAS to maintain connectivity to failover LDAP servers; apparently, if it is set to TRUE, WAS jumps across to the failover servers more frequently. With it set to FALSE, then WAS will "poll" less frequently.

Obviously, if you only have one LDAP server, then it makes no difference.

I've not yet seen any response back from the original poster as to whether it helps, or not.

No comments: