user not able to authorize- 31813556


Article ID: 208761


Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

We're running a Policy Server. When user myUser1 tries to access an
application, the Policy Server doesn't authorize the request.

This happens when the user is a member of a nested group of the group
attached to the Policy.

If we attach the nested group directly to the Policy, then the user gets
authorized.

How can we fix this?

 

Cause

 

The issue occurs because the user is a member of a group that doesn't
exist.

The user myUser1

   CN=myUser1,OU=nestedGroup,OU=Users,DC=training,DC=com

is a member of a non-existent group:

   CN=myOtherGroup1,OU=groups,DC=training,DC=com

When the Policy Server tries to search for this group, it gets an error
from the AD:

   [LogMessage:ERROR:[sm-Ldap-02230] Error# '32' during search:
   'error: No such object extended error: 0000208D: NameErr:
   DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
   'OU=groups,DC=training,DC=com'
   matched dn:
   OU=groups,DC=training,DC=com'
   Search Query = 'memberOf=*' for server '10.0.0.1:636']

   [err=ErrCode: 32 ErrMsg: 0000208D: NameErr: DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
      'OU=groups,DC=training,DC=com'
    Ext ErrCode:  Ext ErrMsg: 0000208D: NameErr: DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
      'OU=groups,DC=training,DC=com'
    Matched DN: OU=groups,DC=training,DC=com]"

 

Environment

 

  Policy Server 12.8SP3 on OEL 7;
     AdminUI 12.8SP3 on;
  Policy Store on CA Directory 14;
  User Store on Active Directory 2012R2;

 

Resolution

 

To solve this issue, remove the user from this group membership and
check that Active Directory has no inconsistencies in the user
configuration.
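As an added example (not part of this article or of the SiteMinder product), the following Python script shows the two checks described above: parsing the sm-Ldap-02230 error quoted in the Cause section to recover the LDAP result code (32, noSuchObject) and the matched DN, and walking a user's memberOf chain to find group references that resolve to no object. The directory snapshot and the group names other than myOtherGroup1 are constructed; in practice the lookup would be a base-scope LDAP search per DN against the user store.

```python
import re

# Constructed single-line copy of the smps.log error quoted in the article.
SAMPLE_LOG = (
    "[LogMessage:ERROR:[sm-Ldap-02230] Error# '32' during search: 'error: No such "
    "object extended error: 0000208D: NameErr: DSID-03152973, problem 2001 "
    "(NO_OBJECT), data 0, best match of: 'OU=groups,DC=training,DC=com' matched dn: "
    "OU=groups,DC=training,DC=com' Search Query = 'memberOf=*' for server '10.0.0.1:636']"
)

LDAP_ERR_RE = re.compile(
    r"\[sm-Ldap-(?P<msgid>\d+)\] Error# '(?P<code>\d+)' during search:"
    r".*?matched dn:\s*(?P<matched>[^']+)'"
    r".*?Search Query = '(?P<query>[^']+)' for server '(?P<server>[^']+)'",
    re.DOTALL,
)

def parse_ldap_error(line):
    """Pull LDAP result code, matched DN, query and server out of one log line."""
    m = LDAP_ERR_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["code"] = int(info["code"])          # 32 == LDAP noSuchObject
    info["matched"] = info["matched"].strip()
    return info

# Constructed snapshot (DN -> memberOf values) standing in for the user store.
DIRECTORY = {
    "CN=myUser1,OU=nestedGroup,OU=Users,DC=training,DC=com": {
        "CN=nestedGroup1,OU=groups,DC=training,DC=com",     # hypothetical
        "CN=myOtherGroup1,OU=groups,DC=training,DC=com",    # no such object
    },
    "CN=nestedGroup1,OU=groups,DC=training,DC=com": {
        "CN=policyGroup1,OU=groups,DC=training,DC=com",     # hypothetical
    },
    "CN=policyGroup1,OU=groups,DC=training,DC=com": set(),
}

def dangling_memberof(dn, directory=DIRECTORY):
    """Walk memberOf upward from dn; return referenced DNs that do not exist."""
    missing, seen, todo = [], set(), [dn]
    while todo:
        cur = todo.pop()
        if cur in seen:                  # guard against circular nesting
            continue
        seen.add(cur)
        if cur not in directory:         # same condition as LDAP error 32
            missing.append(cur)
            continue
        todo.extend(directory[cur])
    return sorted(missing)
```

Running `dangling_memberof` for myUser1 against the snapshot returns only the myOtherGroup1 DN, which is the membership the Resolution says to remove.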