When a given user tries to access an application protected by the Policy Server, the Policy Server does not authorize the request.
This happens when the user belongs to a nested group of a group attached to the Policy.
The user is authorized when the nested group is attached directly to the Policy.
Policy Server 12.8SP3 on OEL 7;
AdminUI 12.8SP3 on;
Policy Store on CA Directory 14;
User Store on Active Directory 2012R2;
The issue occurs because the user is a member of a group that doesn't exist.
The user <user>
CN=<user>,OU=<nestedGroup>,OU=Users,DC=example,DC=com
is a member of the non-existent group:
CN=<group>,OU=groups,DC=example,DC=com
When the Policy Server tries to search for this group, it receives the following error from Active Directory:
[LogMessage:ERROR:[sm-Ldap-02230] Error# '32' during search:
'error: No such object extended error: 0000208D: NameErr: DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=groups,DC=example,DC=com'
matched dn:
OU=groups,DC=example,DC=com'
Search Query = 'memberOf=*' for server '10.0.0.1:636']
[err=ErrCode: 32 ErrMsg: 0000208D: NameErr: DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=groups,DC=example,DC=com'
Ext ErrCode: Ext ErrMsg: 0000208D: NameErr: DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=groups,DC=example,DC=com'
Matched DN: OU=groups,DC=example,DC=com]"
To solve this issue, remove the dangling group membership from the user and check that Active Directory has no other inconsistencies in the user's configuration.
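As an added diagnostic example (not part of this article or of the Policy Server product), the following Python script parses an sm-Ldap-02230 search error from the Policy Server log into its fields and lists the memberOf values of a user whose group object no longer exists. The log line is the one quoted above collapsed onto one line, the in-memory directory and the user's memberOf list are constructed stand-ins, and `dn_exists` is a placeholder for a real base-scope LDAP lookup.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional

# Constructed copy of the log message quoted in this article, on a single line.
SAMPLE_LOG = (
    "[LogMessage:ERROR:[sm-Ldap-02230] Error# '32' during search: "
    "'error: No such object extended error: 0000208D: NameErr: DSID-03152973, "
    "problem 2001 (NO_OBJECT), data 0, best match of: 'OU=groups,DC=example,DC=com' "
    "matched dn: OU=groups,DC=example,DC=com' "
    "Search Query = 'memberOf=*' for server '10.0.0.1:636']"
)

# Fields worth extracting: LDAP result code, AD extended code, AD problem code and
# name, the DN AD could resolve (best match), the filter used and the server.
LDAP_ERR_RE = re.compile(
    r"\[sm-Ldap-02230\] Error# '(?P<code>\d+)' during search:.*?"
    r"extended error: (?P<ad_code>[0-9A-Fa-f]{8}):.*?"
    r"problem (?P<problem>\d+) \((?P<problem_name>[A-Z_]+)\).*?"
    r"best match of: '(?P<best_match>[^']+)'.*?"
    r"Search Query = '(?P<filter>[^']+)' for server '(?P<server>[^']+)'",
    re.DOTALL,
)


def parse_ldap_search_error(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an sm-Ldap-02230 search error, or None if the line is not one."""
    m = LDAP_ERR_RE.search(line)
    return m.groupdict() if m else None


def dangling_memberships(member_of: Iterable[str], exists: Callable[[str], bool]) -> List[str]:
    """Return the memberOf DNs whose group object cannot be found in the directory."""
    return [dn for dn in member_of if not exists(dn)]


# Constructed stand-in for the directory: only these DNs exist. The placeholder
# group <group> from the article is deliberately absent, reproducing the cause.
DIRECTORY = {
    "ou=groups,dc=example,dc=com",
    "cn=<nestedgroup>,ou=groups,dc=example,dc=com",
}

# Constructed memberOf values of the affected user.
USER_MEMBER_OF = [
    "CN=<nestedGroup>,OU=groups,DC=example,DC=com",
    "CN=<group>,OU=groups,DC=example,DC=com",
]


def dn_exists(dn: str) -> bool:
    # Placeholder for a base-scope LDAP search; DNs compare case-insensitively.
    return dn.lower() in DIRECTORY
```

Running `dangling_memberships(USER_MEMBER_OF, dn_exists)` names exactly the membership to remove, and `parse_ldap_search_error(SAMPLE_LOG)["best_match"]` shows how far Active Directory could resolve the missing DN.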