
LDAP errors explanations from smps.log of Policy Server


Article ID: 207245

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction


When running a Policy Server, 6 errors related to LDAP transactions are noticed in smps.log.

What are the reasons for these errors?

  1. [12917/21][Tue Jan 05 2021 02:02:30][plugin_AD.cpp:1689][ERROR][sm-Ldap-00770] (AuthenticateUser) DN:'cn=jsmith,dc=training,dc=com'. Status: Error 49 . 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
     
  2. [6915/140245661083392][Mon Jan 04 2021 22:27:43][SmDsLdapProvider.cpp:1888][ERROR][sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (samAccountName=)
     
  3. [2738/140170544277248][Mon Jan 04 2021 21:09:30][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '32' during search: 'error: No such object extended error: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'cn=jsmith,dc=training,dc=com' matched dn: cn=jsmith,dc=training,dc=com' Search Query = 'objectclass=*' for server '10.0.0.1:636'

  4. [10840/20][Mon Jan 04 2021 21:01:54][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com', PropName: 'myProp', PropValue: 'myUser:[NDSEnc-J]dfasdfsfsdfsdfSDDFSaDsdASdASDas1241421313dadsd'. Status: Error 50 . Insufficient access

  5. [793/140026520262400][Mon Jan 04 2021 17:07:50][plugin_AD.cpp:821][ERROR][sm-Ldap-02070] Failed to read Active Directory user attribute userAccountControl for user: cn=jsmith,dc=training,dc=com

  6. [13528/140711800305408][Mon Jan 04 2021 16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '10.0.0.1:636'

Resolution

At first glance, these errors are returned by the LDAP Server; they are not SiteMinder-specific codes.

  1. 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580

    This error means the username is valid, but the password is not valid (1).

  2. [6915/140245661083392][Mon Jan 04 2021 22:27:43][SmDsLdapProvider.cpp:1888][ERROR][sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (samAccountName=)

    No value is passed for samAccountName, so the resulting filter is syntactically invalid and cannot be applied:

    CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (samAccountName=)

  3. [2738/140170544277248][Mon Jan 04 2021 21:09:30][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '32' during search: 'error: No such object extended error: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'cn=jsmith,dc=training,dc=com' matched dn: cn=jsmith,dc=training,dc=com' Search Query = 'objectclass=*' for server '10.0.0.1:636'

    It means the defined DN doesn't exist (2).

  4. [10840/20][Mon Jan 04 2021 21:01:54][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com', PropName: 'myProp', PropValue: 'myUser:[NDSEnc-J]dfasdfsfsdfsdfSDDFSaDsdASdASDas1241421313dadsd'. Status: Error 50 . Insufficient access

    The admin user that connects to the LDAP Store does not have sufficient rights to set the property "myProp" with value "myUser:[NDSEnc-J]dfasdfsfsdfsdfSDDFSaDsdASdASDas1241421313dadsd" for user "cn=jsmith,dc=training,dc=com".

  5. [793/140026520262400][Mon Jan 04 2021 17:07:50][plugin_AD.cpp:821][ERROR][sm-Ldap-02070] Failed to read Active Directory user attribute userAccountControl for user: cn=jsmith,dc=training,dc=com

    The admin user that connects to the LDAP Store cannot read the "userAccountControl" attribute value for user "cn=jsmith,dc=training,dc=com".

    This can be due to insufficient rights, or because the value is corrupted, is not in the proper format, or is empty.

  6. [13528/140711800305408][Mon Jan 04 2021 16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '10.0.0.1:636'

    The search filter has been set to 'all', probably in one Policy:

    In the User Tab, the User Directories are displayed; clicking "Add Entry" on the LDAP directory opens the "User Directory Search Expression Editor" screen. If an invalid expression is set there, this error is logged.

    Error 87 indicates a filter problem (3).
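As an added example (not part of this article), the following Python parses smps.log lines of the kind shown above and maps each one to the explanation given in this Resolution; the sample log lines are constructed after the six errors, and the result-code names in parentheses are the standard LDAP names.

```python
import re
# Added example, not from the article: parse smps.log LDAP error lines and map the
# result codes explained above to their meaning. Sample lines are constructed after
# the article's six errors (the encrypted PropValue is shortened to 'xxxx').
SAMPLE_LOG = """\
[12917/21][Tue Jan 05 2021 02:02:30][plugin_AD.cpp:1689][ERROR][sm-Ldap-00770] (AuthenticateUser) DN:'cn=jsmith,dc=training,dc=com'. Status: Error 49 . 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
[6915/140245661083392][Mon Jan 04 2021 22:27:43][SmDsLdapProvider.cpp:1888][ERROR][sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (samAccountName=)
[2738/140170544277248][Mon Jan 04 2021 21:09:30][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '32' during search: 'error: No such object extended error: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0' Search Query = 'objectclass=*' for server '10.0.0.1:636'
[10840/20][Mon Jan 04 2021 21:01:54][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com', PropName: 'myProp', PropValue: 'myUser:[NDSEnc-J]xxxx'. Status: Error 50 . Insufficient access
[793/140026520262400][Mon Jan 04 2021 17:07:50][plugin_AD.cpp:821][ERROR][sm-Ldap-02070] Failed to read Active Directory user attribute userAccountControl for user: cn=jsmith,dc=training,dc=com
[13528/140711800305408][Mon Jan 04 2021 16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '10.0.0.1:636'
"""
HEADER = re.compile(r"^\[(\d+)/(\d+)\]\[([^\]]+)\]\[([^\]]+)\]\[(\w+)\]\[(sm-Ldap-\d+)\]\s*(.*)$")
RESULT_CODE = re.compile(r"(?:Status: Error|Error#) '?(\d+)")  # "Error 49 ." / "Error# '32'"
SEARCH_FILTER = re.compile(r"(?:search filter:\s*|Search Query = ')([^'\s]+)")
# Keyed by LDAP result code; wording follows the article's Resolution section.
MEANING = {49: "username valid, password invalid (AD data 52e, ERROR_LOGON_FAILURE)",
           32: "defined DN does not exist (noSuchObject)",
           50: "LDAP admin account lacks rights for the operation (insufficientAccessRights)",
           87: "bad search filter (filterError)"}

def empty_filter_value(flt):
    """True for filters such as (samAccountName=) whose attribute has no value."""
    return re.fullmatch(r"\(?[\w.;-]+=\)?", flt) is not None

def parse_ldap_error(line):
    """Split one smps.log LDAP error line into fields; None for any other line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    smcode, msg = m.group(6), m.group(7)
    code, flt = RESULT_CODE.search(msg), SEARCH_FILTER.search(msg)
    return {"smcode": smcode, "msg": msg,
            "result_code": int(code.group(1)) if code else None,
            "filter": flt.group(1) if flt else None}

def explain(rec):
    """Return the article's explanation for a parsed record."""
    if rec["result_code"] in MEANING:
        return MEANING[rec["result_code"]]
    if rec["filter"] and empty_filter_value(rec["filter"]):
        return "filter attribute has no value, so the filter cannot be applied"
    if "userAccountControl" in rec["msg"]:
        return "userAccountControl unreadable: rights, corrupt/malformed or missing value"
    return "unclassified LDAP error"

def triage(log_text):
    """Pair every LDAP error line in a log with the article's explanation."""
    recs = filter(None, map(parse_ldap_error, log_text.splitlines()))
    return [(r["smcode"], r["result_code"], explain(r)) for r in recs]
```

Running `triage(open("smps.log").read())` on a real log yields one (sm-Ldap code, LDAP result code, explanation) tuple per LDAP error line, which is enough to see at a glance whether a burst of errors is credential, ACL, DN or filter related.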

Additional Information


(1)

    Common Active Directory Bind Errors

     | Code | hex |  DEC | Short Description   | More Information                   | Comments                |
     |------+-----+------+---------------------+------------------------------------+-------------------------|
     |   49 | 52e | 1326 | ERROR_LOGON_FAILURE | Returns when username is valid but | Will prevent most other |
     |      |     |      |                     | password/credential is invalid.    | errors from being       |
     |      |     |      |                     |                                    | displayed as noted.     |


(2)

    LDAP Error Code 32

      | Data Code | Description               |
      |-----------+---------------------------|
      |         0 | Defined DN does not exist |


(3)

    filterError (87)

      The filterError result code indicates that the LDAP client
      encountered an error related to a search filter. This usually
      means that the client encountered a problem while trying to parse
      a string as a search filter, but there may be other cases in
      which it may be used. For example, the matched values request
      control (described in RFC 3876) may be used to indicate that the
      server should only return values for a specified attribute that
      match a given filter, but not all filter types may be used in
      conjunction with this filter, and an attempt to include an
      unsupported filter type may trigger the filterError result code.