getting error message in Policy server SMPS log

Article ID: 200952

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running a Policy Server and this one reports the following
errors:

1. [1030/140279310960384][Thu Aug 27 2020
   08:44:38][SmAuthUser.cpp:773][ERROR][sm-Server-02740]
   SmWalker.Evaluate(LDAPSearch): Error 10 for base
   "cn=jsmith,dc=training,dc=com",
   filter =
   "(&(objectCategory=group)(member=cn=jsmith,dc=training,dc=com))". Reason:
   Referral received
  
2. [1030/140280745424640][Thu Aug 27 2020
   08:44:42][SmDsLdapConnMgr.cpp:917][ERROR][sm-Ldap-01370]
   SmDsLdapConnMgr Bind. Server 10.0.0.1 : 636. Error 49-Invalid
   credentials

How can we avoid them showing in the smps.log?

 

Environment

 

Policy Server 12.8SP3 on RedHat 7

 

Resolution

 

At first glance, both lines can be related to referrals that the Policy
Server follows. At the Policy Server level, you can configure the Policy
Server not to follow referrals.

1. This log entry comes from SmWalker processing, so if the Policy
   Server is configured to follow referrals, this error might
   occur.

   SmWalker for CA Single Sign-On User Guide Version R14.3

   SmWalker Configuration :

     #SMWALKER.RESTRICTED Should resolve to a Boolean. If this value
   is true, then, for all functions except Evaluate, the function
   cannot be called directly as an Active Expression in any way. Such
   a function can be called by Evaluate, however.

    [...]

     If you are running on a version of CA Single Sign-On that
   supports Enhanced Referrals, it will automatically follow write
   referrals without this setting. In that case we will recommend
   using the CA Single Sign-On out of box functionality.

   Additional note to the above, applicable only when Active Directory
   is being used as the directory server with SmWalker:
   To avoid referrals, you have to disable them on the Policy
   Server by following the instructions from this KD:
   
   Policy Server :: LDAP Referrals : EnableEnhancedReferrals and EnableReferrals

    In order to disable the referrals on the Policy Server you need to set
    these registry keys:

     HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider= 
       EnableEnhancedReferrals = 1; REG_DWORD       
       EnableReferrals = 0; REG_DWORD 

    If the Policy Server has to contact Active Directory, point the
    Policy Server to the Global Catalog, which is port 3268, so that
    the Policy Server does not receive instructions from Active Directory
    to follow referrals.

    (http://technet.microsoft.com/en-us/library/cc978012.aspx)

   https://knowledge.broadcom.com/external/article?articleId=48683

2. This error occurs because the user provided the wrong
   credentials. There's no way in the product to remove these entries
   from the Policy Server logs.
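
Because the error 49 entries cannot be suppressed, a summary of smps.log helps confirm that the referral errors stop after the registry change and shows how often each directory server rejects a bind. The script below is an added example, not Broadcom's code; it assumes each entry sits on one line in the layout of the two entries quoted in this article, and the sample lines are constructed.

```python
import re
from collections import Counter

# Entry layout as seen in the two entries quoted in this article:
# [pid/tid][timestamp][source.cpp:line][LEVEL][message-id] text
ENTRY = re.compile(
    r"^\[\d+/\d+\]\[(?P<ts>[^\]]+)\]\[[^\]:]+:\d+\]"
    r"\[(?P<level>[A-Z]+)\]\[(?P<msgid>[^\]]+)\]\s*(?P<text>.*)$"
)
REFERRAL = re.compile(r'Error 10 for base\s+"(?P<base>[^"]+)"')
BIND_49 = re.compile(r"Server (?P<host>\S+) : (?P<port>\d+)\. Error 49")


def summarize(lines):
    """Count LDAP referral errors per search base and error 49 binds per server."""
    referrals, bind_failures, skipped = Counter(), Counter(), 0
    for raw in lines:
        entry = ENTRY.match(raw.strip())
        if entry is None:
            skipped += 1  # wrapped or foreign line without a log header
            continue
        if entry["level"] != "ERROR":
            continue
        text = entry["text"]
        if entry["msgid"] == "sm-Server-02740" and (m := REFERRAL.search(text)):
            referrals[m["base"]] += 1
        elif entry["msgid"] == "sm-Ldap-01370" and (m := BIND_49.search(text)):
            bind_failures[f'{m["host"]}:{m["port"]}'] += 1
    return {"referrals": dict(referrals), "bind_failures": dict(bind_failures),
            "skipped": skipped}


# Constructed sample: the article's two entries joined onto one line each,
# plus three made-up lines (repeated bind failure, INFO entry, stray fragment).
SAMPLE = [
    '[1030/140279310960384][Thu Aug 27 2020 08:44:38][SmAuthUser.cpp:773][ERROR][sm-Server-02740] SmWalker.Evaluate(LDAPSearch): Error 10 for base "cn=jsmith,dc=training,dc=com", filter = "(&(objectCategory=group)(member=cn=jsmith,dc=training,dc=com))". Reason: Referral received',
    "[1030/140280745424640][Thu Aug 27 2020 08:44:42][SmDsLdapConnMgr.cpp:917][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server 10.0.0.1 : 636. Error 49-Invalid credentials",
    "[1030/140280745424640][Thu Aug 27 2020 08:44:50][SmDsLdapConnMgr.cpp:917][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server 10.0.0.1 : 636. Error 49-Invalid credentials",
    "[1030/140280745424640][Thu Aug 27 2020 08:44:51][Placeholder.cpp:1][INFO][sm-Placeholder-00000] constructed informational entry",
    "credentials",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it against the log before and after changing EnableReferrals; the `referrals` count should drop to zero while `bind_failures` continues to reflect rejected binds.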