LDAP Errors

Article ID: 207245

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

We're running a Policy Server and we noticed 6 errors in smps.log
related to LDAP transactions.

What are the reasons for these errors?

  1. [12917/21][Tue Jan 05 2021
     02:02:30][plugin_AD.cpp:1689][ERROR][sm-Ldap-00770]
     (AuthenticateUser) DN:
     'cn=jsmith,dc=training,dc=com'
     . Status: Error 49 . 80090308: LdapErr: DSID-0C09044E, comment:
     AcceptSecurityContext error, data 52e, v2580 

  2. [6915/140245661083392][Mon Jan 04 2021
     22:27:43][SmDsLdapProvider.cpp:1888][ERROR][sm-Ldap-00650]
     CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter:
     (samAccountName=) 

  3. [2738/140170544277248][Mon Jan 04 2021
     21:09:30][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error#
     '32' during search: 'error: No such object extended error:
     0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data
     0, best match of:
     'cn=jsmith,dc=training,dc=com' matched
     dn: cn=jsmith,dc=training,dc=com'
     Search Query = 'objectclass=*' for server '10.0.0.1:636'

  4. [10840/20][Mon Jan 04 2021
     21:01:54][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880]
     (SetUserProp) DN:
     'cn=jsmith,dc=training,dc=com',
     PropName: 'myProp', PropValue:
     'myUser:[NDSEnc-J]dfasdfsfsdfsdfSDDFSaDsdASdASDas1241421313dadsd'
     . Status: Error 50 . Insufficient access

  5. [793/140026520262400][Mon Jan 04 2021
     17:07:50][plugin_AD.cpp:821][ERROR][sm-Ldap-02070] Failed to read
     Active Directory user attribute userAccountControl for user:
     cn=jsmith,dc=training,dc=com

  6. [13528/140711800305408][Mon Jan 04 2021
     16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error#
     '87' during search: 'error: Bad search filter' Search Query =
     'all' for server '10.0.0.1:636'

 

Resolution

 

At first glance, these errors are returned by the LDAP server; they
are not SiteMinder-specific codes.

1. 80090308: LdapErr: DSID-0C09044E, comment AcceptSecurityContext
   error, data 52e, v2580

   This error means the username is valid, but the password is not
   valid.

   Common Active Directory Bind Errors

    | Code | Hex |  Dec | Short Description   | More Information                   | Comments                |
    |------+-----+------+---------------------+------------------------------------+-------------------------|
    |   49 | 52e | 1326 | ERROR_LOGON_FAILURE | Returns when username is valid but | Will prevent most other |
    |      |     |      |                     | password/credential is invalid.    | errors from being       |
    |      |     |      |                     |                                    | displayed as noted.     |

   https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

2. [6915/140245661083392][Mon Jan 04 2021
   22:27:43][SmDsLdapProvider.cpp:1888][ERROR][sm-Ldap-00650]
   CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter:
   (samAccountName=) 

   No value was passed to samAccountName, so the filter cannot be
   applied:

   CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (samAccountName=)

3. [2738/140170544277248][Mon Jan 04 2021
   21:09:30][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error#
   '32' during search: 'error: No such object extended error:
   0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data
   0, best match of:
   'cn=jsmith,dc=training,dc=com' matched
   dn: cn=jsmith,dc=training,dc=com'
   Search Query = 'objectclass=*' for server '10.0.0.1:636'

   LDAP Error Code 32

     | Data Code | Description               |
     |-----------+---------------------------|
     |         0 | Defined DN does not exist |

   https://confluence.atlassian.com/stashkb/ldap-error-code-32-659785640.html

4. [10840/20][Mon Jan 04 2021
   21:01:54][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880]
   (SetUserProp) DN:
   'cn=jsmith,dc=training,dc=com',
   PropName: 'myProp', PropValue:
   'myUser:[NDSEnc-J]dfasdfsfsdfsdfSDDFSaDsdASdASDas1241421313dadsd'
   . Status: Error 50 . Insufficient access

   The user you connect to the LDAP store with does not have
   sufficient rights to set the property "myProp" to the value
   "myUser:[NDSEnc-J]dfasdfsfsdfsdfSDDFSaDsdASdASDas1241421313dadsd"
   for user "cn=jsmith,dc=training,dc=com".

5. [793/140026520262400][Mon Jan 04 2021
   17:07:50][plugin_AD.cpp:821][ERROR][sm-Ldap-02070] Failed to read
   Active Directory user attribute userAccountControl for user:
   cn=jsmith,dc=training,dc=com

   The user you connect to the LDAP store with cannot read the value
   of the attribute "userAccountControl" for user
   "cn=jsmith,dc=training,dc=com".

   Possible causes: insufficient rights, a corrupted value, a value
   that is not in the proper format, or no value at all.

6. [13528/140711800305408][Mon Jan 04 2021
   16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error#
   '87' during search: 'error: Bad search filter' Search Query =
   'all' for server '10.0.0.1:636'

   The search filter has been set to 'all', probably in one policy:

   In the User tab, the user directories are displayed. Clicking
   "Add Entry" for an LDAP directory opens the "User Directory
   Search Expression Editor" screen. If you set something wrong
   there, you'll get this error.

   Error 87 indicates a filter problem:

   filterError (87)

     The filterError result code indicates that the LDAP client
     encountered an error related to a search filter. This usually
     means that the client encountered a problem while trying to parse
     a string as a search filter, but there may be other cases in
     which it may be used. For example, the matched values request
     control (described in RFC 3876) may be used to indicate that the
     server should only return values for a specified attribute that
     match a given filter, but not all filter types may be used in
     conjunction with this filter, and an attempt to include an
     unsupported filter type may trigger the filterError result code.

   https://ldap.com/ldap-result-code-reference-client-side-result-codes/#rc-filterError
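
The triage described in the Resolution above, as an added example that is not part of the original article or of SiteMinder: it rejoins wrapped smps.log entries, extracts the sm-Ldap code, the LDAP result code and the Active Directory bind data code, and maps them to the causes listed above. The sample log is constructed from entries quoted in this article; the function names and the result field names are assumptions.

```python
import re

# Causes as described in the article, keyed by LDAP result code / AD data code.
LDAP_RESULT = {"32": "defined DN does not exist", "49": "invalid credentials",
               "50": "insufficient access", "87": "bad search filter"}
AD_BIND_DATA = {"52e": "username valid, password/credential invalid"}
HEADER = re.compile(r"\[\d+/\d+\]\[([^\]]+)\]\[([^\]]+)\]\[ERROR\]\[(sm-Ldap-\d+)\]\s*(.*)")
RESULT = re.compile(r"(?:Status: Error |Error# ')(\d+)")
AD_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)")
EMPTY_FILTER = re.compile(r"search filter: \((\w+)=\)")

# Constructed sample: three entries quoted in the article, two of them wrapped.
SAMPLE_LOG = """\
[12917/21][Tue Jan 05 2021 02:02:30][plugin_AD.cpp:1689][ERROR][sm-Ldap-00770] (AuthenticateUser) DN:
'cn=jsmith,dc=training,dc=com' . Status: Error 49 . 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
[6915/140245661083392][Mon Jan 04 2021 22:27:43][SmDsLdapProvider.cpp:1888][ERROR][sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (samAccountName=)
[13528/140711800305408][Mon Jan 04 2021
16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '10.0.0.1:636'
"""

def split_entries(text):
    """Rejoin wrapped lines: a new entry starts with '[pid/tid]['."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"\[\d+/\d+\]\[", line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def triage(text):
    """Return one finding per sm-Ldap ERROR entry, most specific cause first."""
    findings = []
    for entry in split_entries(text):
        if not (m := HEADER.match(entry)):
            continue
        when, source, sm_code, msg = m.groups()
        result, data, empty = (p.search(msg) for p in (RESULT, AD_DATA, EMPTY_FILTER))
        code = result.group(1) if result else None
        if empty:    # e.g. (samAccountName=): the filter was built with no value
            reason = f"no value passed to {empty.group(1)}"
        elif data:   # AD bind failure: the data code is more specific than 49
            reason = AD_BIND_DATA.get(data.group(1), "unmapped AD data code")
        else:
            reason = LDAP_RESULT.get(code, "no mapped LDAP result code")
        findings.append({"time": when, "source": source, "sm_code": sm_code,
                         "ldap_result": code, "reason": reason})
    return findings
```

Calling `triage(SAMPLE_LOG)` returns three findings, one per log entry, each carrying the timestamp, source file, sm-Ldap code, LDAP result code and cause.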