Symantec Access Management

  • 1.  Exception in SmDsObj: Failed to retrieve directory services provider from registry

    Posted Jan 25, 2017 10:59 AM

    I am receiving the error "Exception in SmDsObj: Failed to retrieve directory services provider from registry" in the smps.log on Policy Server startup. This is a new install of Policy Server 12.6.01 on Red Hat Linux 7. According to Error Messages - CA Single Sign-On - 12.6.01 - CA Technologies Documentation, this means that the policy server failed to look up a DS provider. The documentation recommends checking whether the provider shared library can be loaded by the policy server process. Which library is the provider shared library and where is it located? I am able to communicate over port 389 from the policy server to Directory Services, but it appears the underlying LDAP client is not loading properly.



  • 2.  Re: Exception in SmDsObj: Failed to retrieve directory services provider from registry

    Broadcom Employee
    Posted Jan 26, 2017 01:11 PM

    Hi Doyle, I believe you have not selected the correct namespace while configuring the user directory. Try using the LDAP namespace in the user directory object.

     

    Thanks

    Awijit 



  • 3.  Re: Exception in SmDsObj: Failed to retrieve directory services provider from registry

    Posted Jan 26, 2017 05:53 PM

    Hi Doyle,

     

    If you look at the sm.registry file inside <ps_install_directory>/siteminder/registry/ , you will see that the default namespace providers are defined as below:

     

    sm.registry
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\NamespaceProviders=127574993
    Custom:= smdscustom; REG_SZ
    LDAP:= smdsldap; REG_SZ
    ODBC:= smdsodbc; REG_SZ

     

    So, if you are using the LDAP: namespace, it tries to load the smdsldap.so library.

    If you are using the ODBC: namespace, it tries to load the smdsodbc.so library.

     

    Both these provider libraries are located in the <ps_install_directory>/siteminder/lib directory. See below:

     

     

    I would suggest verifying whether you are using the correct namespace for your Policystore/KeyStore.

    If it still doesn't work, then try starting PS with strace and see if it points to any permission-related issues, etc.:

     

    strace -Ff -t -i -v -o strace.log -s 16384 <command to start PS>

    e.g.
    strace -Ff -t -i -v -o strace.log -s 16384 ./start-ps

     

    Let me know if you have any questions.

     

    Cheers,

    Ujwol

    Ujwol's Single Sign-On Blog 



  • 4.  Re: Exception in SmDsObj: Failed to retrieve directory services provider from registry
    Best Answer

    Posted Jan 30, 2017 04:03 PM

    I am using an AD namespace. Strace results show no reference to either libsmdsldap.so or libsmdsodbc. I do, however, see the following entry:

    12704 16:18:35 [00007fd51469d6c7] open("/app/CA/siteminder/bin/libsmds.so", O_RDONLY|O_CLOEXEC <unfinished ...>
    12703 16:18:35 [00007f50ec73c615] <... stat resumed> 0x7ffdc87c0540) = -1 ENOENT (No such file or directory)
    12704 16:18:35 [00007fd51469d6c7] <... open resumed> ) = -1 ENOENT (No such file or directory)
    12703 16:18:35 [00007f50ec73c6c7] open("/app/jdk/jdk1.8.0_111/jre/libpthread.so.0", O_RDONLY|O_CLOEXEC <unfinished ...>
    12704 16:18:35 [00007fd51469d6c7] open("/app/CA/siteminder/lib/libsmds.so", O_RDONLY|O_CLOEXEC <unfinished ...>

     

    Those files do exist under those directory paths.
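Added example, not part of the thread or of any CA/Broadcom tooling: with `strace -f` an `open(...) <unfinished ...>` line only gets its result on a later `<... open resumed>` line for the same PID, so the two have to be paired before reading an ENOENT as a failure. The sketch below does that pairing and lists libraries for which no attempt succeeded; the sample log is constructed, and `libexample.so` and the results after the first ENOENT are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the strace -f -t -i format quoted in the thread. The libsmds.so paths
# come from the thread; the later results and the libexample.so line are invented.
SAMPLE = """\
12704 16:18:35 [00007fd51469d6c7] open("/app/CA/siteminder/bin/libsmds.so", O_RDONLY|O_CLOEXEC <unfinished ...>
12703 16:18:35 [00007f50ec73c615] <... stat resumed> 0x7ffdc87c0540) = -1 ENOENT (No such file or directory)
12704 16:18:35 [00007fd51469d6c7] <... open resumed> ) = -1 ENOENT (No such file or directory)
12704 16:18:35 [00007fd51469d6c7] open("/app/CA/siteminder/lib/libsmds.so", O_RDONLY|O_CLOEXEC <unfinished ...>
12704 16:18:35 [00007fd51469d6c7] <... open resumed> ) = 3
12704 16:18:36 [00007fd51469d6c7] open("/app/CA/siteminder/lib/libexample.so", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
"""

PREFIX = r'^(\d+)\s+\S+\s+\[[0-9a-f]+\]\s+'          # pid, timestamp, [instruction pointer]
CALL = re.compile(PREFIX + r'(open|openat)\((?:AT_FDCWD, )?"([^"]+)"(.*)$')
RESUMED = re.compile(PREFIX + r'<\.\.\. (\w+) resumed>(.*)$')
RESULT = re.compile(r'\)\s+=\s+(-?\d+)(?:\s+([A-Z0-9]+))?')

def outcome(text):  # 'ok', an errno name such as 'ENOENT', or None if the line has no result
    m = RESULT.search(text)
    return None if not m else 'ok' if int(m.group(1)) >= 0 else (m.group(2) or 'error')

def library_opens(log):
    """Map each shared-library file name to its [(path, outcome)] open attempts."""
    pending, attempts = {}, defaultdict(list)   # pending: (pid, syscall) -> path
    def record(path, result):
        name = path.rsplit('/', 1)[-1]
        if '.so' in name and result:
            attempts[name].append((path, result))
    for line in log.splitlines():
        call, res = CALL.match(line), RESUMED.match(line)
        if call and '<unfinished' in call.group(4):
            pending[(call.group(1), call.group(2))] = call.group(3)
        elif call:
            record(call.group(3), outcome(call.group(4)))
        elif res and (res.group(1), res.group(2)) in pending:
            record(pending.pop((res.group(1), res.group(2))), outcome(res.group(3)))
    return dict(attempts)   # calls never resumed in the log are left out

def never_loaded(log):
    """Libraries for which no open attempt succeeded, with the errors seen."""
    return {name: tries for name, tries in library_opens(log).items()
            if all(result != 'ok' for _, result in tries)}

if __name__ == '__main__':
    for name, tries in never_loaded(SAMPLE).items():
        print(name, tries)
```

Run against a real strace.log by passing its contents to `never_loaded`; a library that fails in one directory and opens in the next is an ordinary search-path miss and is not reported.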



  • 5.  Re: Exception in SmDsObj: Failed to retrieve directory services provider from registry

    Broadcom Employee
    Posted Jan 30, 2017 04:43 PM

    Hi

     

    I believe this will be the problem:

     

    You write:
         I am using an AD namespace.

     

    The AD namespace is only usable on Windows platforms, and on Unix you need to use the LDAP namespace.

     

    The reason for that is that "AD" actually calls Microsoft system .dll's to implement the user store functionality. It was a tradeoff: it gives close interaction with AD, but obviously is not callable from Unix platforms.

     

    The LDAP namespace with the AD Enhanced setting is generally what is used to access the remote Active Directory store from a SiteMinder Linux platform.

     

    Cheers - Mark