
Getting error in Policy Server (case reference 32198112)


Article ID: 202197


Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

 

We're running a Policy Server and we'd like to know:

  1. What is the use of these referrals?

  2. If we disable referrals, what would be the impact?

We see the following error in the Policy Server logs:

  [Thu Aug 27 2020 08:44:38][SmAuthUser.cpp:773][ERROR][sm-Server-02740]
  SmWalker.Evaluate(LDAPSearch): Error 10 for base
  "OU=group,DC=training,DC=com",
   filter =
   "(&(objectCategory=group)(member=CN=607969106,member=CN=jsmith,OU=users,DC=training,DC=com))". 
   Reason: Referral received

 

Environment

 

Policy Server 12.8SP3 on RedHat 7

 

Resolution

 

1. The purpose of a referral is to give the LDAP client an
   alternate location for LDAP processing:

  LDAP Referral

   A LDAP Referral provides a reference to an alternate location in
   which an LDAP Request may be processed.  The DSA can return to the
   DUA a "LDAP Referral" response for any LDAP Request that requires a
   response. The LDAP Result Code response of "10" and an appropriate
   set of LDAP URLs. All of the URLs in the response are equivalent in
   that using any one should yield the correct result. The DUA should
   select one to continue the operation.

  https://ldapwiki.com/wiki/LDAP%20Referral

  So you need to contact the team managing the LDAP User
  Directories to understand why some referrals have been set;

2. As per above, to understand the impact, you have to get in touch
   with the team managing the LDAP User Directories to understand the
   reason those referrals have been set and to study the impact of
   disabling them;

   Referrals are configured on the LDAP service. On the Policy Server
   side, you can then configure whether it follows referrals or not,
   and this setting applies to all LDAP servers.

   So if you want the Policy Server to not follow referrals on the User
   Directory, but to follow them when connecting to LDAP Policy Stores,
   then you have to configure the LDAP User Directory to not present
   referrals (on the LDAP User Directory server directly, not in
   SiteMinder).
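
Before contacting the directory team, it helps to know which search bases are returning referrals. The following is an added example, not Broadcom code: it assumes the multi-line log layout quoted above, and all function names in it are hypothetical.

```python
import re
from collections import Counter

# First entry is the one quoted in this article; the other two are
# constructed for illustration only.
SAMPLE_LOG = '''\
[Thu Aug 27 2020 08:44:38][SmAuthUser.cpp:773][ERROR][sm-Server-02740]
SmWalker.Evaluate(LDAPSearch): Error 10 for base
"OU=group,DC=training,DC=com",
 filter =
 "(&(objectCategory=group)(member=CN=607969106,member=CN=jsmith,OU=users,DC=training,DC=com))".
 Reason: Referral received
[Thu Aug 27 2020 08:44:40][Example.cpp:1][INFO][sm-Example-00000]
Constructed non-referral entry
[Thu Aug 27 2020 08:45:02][SmAuthUser.cpp:773][ERROR][sm-Server-02740]
SmWalker.Evaluate(LDAPSearch): Error 10 for base "OU=apps,DC=training,DC=com", filter = "(cn=adoe)". Reason: Referral received
'''

HEADER = re.compile(r'^\[([^\]]+)\]\[([^\]]+)\]\[([^\]]+)\]\[([^\]]+)\]\s*(.*)$')
SEARCH_ERR = re.compile(
    r'Error (\d+) for base "([^"]*)",\s*filter\s*=\s*"([^"]*)"\.\s*Reason:\s*(.+)')

def entries(text):
    """Return (timestamp, level, message) tuples, folding continuation lines."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                      # a bracketed header starts a new entry
            out.append([m.group(1), m.group(3), m.group(5)])
        elif out:                  # anything else continues the last entry
            out[-1][2] += " " + line
    return [(ts, lvl, " ".join(msg.split())) for ts, lvl, msg in out]

def referral_errors(text):
    """Return LDAP searches that failed with result code 10 (referral)."""
    hits = []
    for ts, level, msg in entries(text):
        m = SEARCH_ERR.search(msg)
        if level == "ERROR" and m and m.group(1) == "10":
            hits.append({"time": ts, "base": m.group(2),
                         "filter": m.group(3), "reason": m.group(4).strip()})
    return hits

def bases_by_count(text):
    """Count referral errors per search base, most frequent first."""
    return Counter(h["base"] for h in referral_errors(text)).most_common()

if __name__ == "__main__":
    for base, n in bases_by_count(SAMPLE_LOG):
        print(f"{n:4d}  {base}")
```

Pass the contents of the Policy Server log to `bases_by_count()` in place of `SAMPLE_LOG` to get the list of bases to raise with the directory team.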