We're running a Policy Server; when user myUser1 tries to access an
application, the Policy Server doesn't authorize it.
This happens when the user is part of a nested group of a group attached
to the Policy.
If we set the nested group directly on the Policy, then the user gets
authorized.
How can we fix this?
The issue occurs because the user is a member of a group that doesn't
exist: the user's memberOf attribute still carries the DN of a group
that Active Directory cannot find.
The user myUser1
CN=myUser1,OU=nestedGroup,OU=Users,DC=training,DC=com
is a member of the non-existent group:
CN=myOtherGroup1,OU=groups,DC=training,DC=com
When the Policy Server tries to search for this group while expanding
the nested membership, it gets an error from the AD. Error 32 is the
LDAP noSuchObject result, and the "best match of" DN is the deepest
ancestor of the requested DN that does exist (here the groups OU, not
the group itself):
[LogMessage:ERROR:[sm-Ldap-02230] Error# '32' during search:
'error: No such object extended error: 0000208D: NameErr:
DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=groups,DC=training,DC=com'
matched dn:
OU=groups,DC=training,DC=com'
Search Query = 'memberOf=*' for server '10.0.0.1:636']
[err=ErrCode: 32 ErrMsg: 0000208D: NameErr: DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=groups,DC=training,DC=com'
Ext ErrCode: Ext ErrMsg: 0000208D: NameErr: DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=groups,DC=training,DC=com'
Matched DN: OU=groups,DC=training,DC=com]
Because the search fails as soon as the Policy Server hits a group DN it
cannot read, the whole nested-group evaluation fails and the user is
denied, even though the other groups in the chain are valid. Attaching
the nested group directly to the Policy works because that path never
has to read the broken DN.
Policy Server 12.8SP3 on OEL 7;
AdminUI 12.8SP3 on;
Policy Store on CA Directory 14;
User Store on Active Directory 2012R2;
To solve this issue, remove the reference to the non-existent group from
the user's membership (or recreate the group if it was deleted by
mistake), then check that Active Directory has no other inconsistency
in the user's configuration: every group DN in the user's memberOf
chain, including groups of groups, must resolve to an existing object.
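The following is an added example, not SiteMinder or Active Directory code. It models the nested memberOf expansion against a small in-memory directory constructed for the example and shows both behaviours: the strict walk, which fails with the error 32 and the "best match of" DN seen in the log as soon as it reaches the dangling group, and a lenient walk that records the dangling reference and still resolves the valid groups. The group names nestedGroup1 and policyGroup, the Directory class and all attribute values are assumptions.

```python
"""Nested-group expansion over a constructed in-memory directory (added example).

Not SiteMinder or Active Directory code. The DNs, the group names
nestedGroup1 and policyGroup, and the Directory class are assumptions.
"""

from typing import Dict, List, Optional, Set, Tuple

LDAP_NO_SUCH_OBJECT = 32


class NoSuchObject(Exception):
    """Models the AD NO_OBJECT result, including the 'best match of' DN."""

    def __init__(self, dn: str, matched_dn: str):
        super().__init__(
            f"Error# '{LDAP_NO_SUCH_OBJECT}' during search: 'No such object', "
            f"best match of: '{matched_dn}'"
        )
        self.dn = dn
        self.matched_dn = matched_dn


def parent_dn(dn: str) -> str:
    """Drop the leading RDN (the constructed DNs contain no escaped commas)."""
    return dn.partition(",")[2]


class Directory:
    """Minimal DN-keyed store; DN matching is case-insensitive, as in LDAP."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self._entries = {dn.lower(): (dn, attrs) for dn, attrs in entries.items()}

    def exists(self, dn: str) -> bool:
        return dn.lower() in self._entries

    def best_match(self, dn: str) -> str:
        """Deepest existing ancestor, which AD reports as 'best match of'."""
        current = dn
        while current:
            if self.exists(current):
                return self._entries[current.lower()][0]
            current = parent_dn(current)
        return ""

    def read(self, dn: str) -> Dict[str, List[str]]:
        if not self.exists(dn):
            raise NoSuchObject(dn, self.best_match(dn))
        return self._entries[dn.lower()][1]


def _expand(directory: Directory, user_dn: str,
            stop_on_error: bool) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Follow memberOf transitively from user_dn.

    Returns (groups actually read, [(referrer_dn, missing_dn), ...]).
    stop_on_error=True aborts at the first unreadable group, like the log above.
    """
    groups: List[str] = []
    dangling: List[Tuple[str, str]] = []
    seen: Set[str] = {user_dn.lower()}
    stack: List[Tuple[str, Optional[str]]] = [(user_dn, None)]
    while stack:
        dn, referrer = stack.pop()
        try:
            attrs = directory.read(dn)
        except NoSuchObject:
            if stop_on_error:
                raise
            dangling.append((referrer or "", dn))
            continue
        if referrer is not None:          # the user entry itself is not a group
            groups.append(dn)
        for group_dn in attrs.get("memberOf", []):
            if group_dn.lower() not in seen:  # also guards against membership cycles
                seen.add(group_dn.lower())
                stack.append((group_dn, dn))
    return groups, dangling


def resolve_groups_strict(directory: Directory, user_dn: str) -> List[str]:
    return _expand(directory, user_dn, stop_on_error=True)[0]


def resolve_groups_lenient(directory: Directory, user_dn: str):
    return _expand(directory, user_dn, stop_on_error=False)


def strict_lookup_error(directory: Directory, user_dn: str) -> str:
    """'' when the strict walk succeeds, otherwise the error text."""
    try:
        resolve_groups_strict(directory, user_dn)
        return ""
    except NoSuchObject as err:
        return str(err)


def is_authorized(directory: Directory, user_dn: str, policy_group_dn: str) -> bool:
    """Policy check that reports dangling values instead of denying on them."""
    groups, _ = resolve_groups_lenient(directory, user_dn)
    return policy_group_dn.lower() in {g.lower() for g in groups}


BASE = "DC=training,DC=com"
USER_DN = f"CN=myUser1,OU=nestedGroup,OU=Users,{BASE}"
NESTED_GROUP_DN = f"CN=nestedGroup1,OU=groups,{BASE}"    # assumed group name
POLICY_GROUP_DN = f"CN=policyGroup,OU=groups,{BASE}"     # assumed group name
MISSING_GROUP_DN = f"CN=myOtherGroup1,OU=groups,{BASE}"  # referenced, never created

DIRECTORY = Directory({  # constructed sample directory
    BASE: {"objectClass": ["domain"]},
    f"OU=Users,{BASE}": {"objectClass": ["organizationalUnit"]},
    f"OU=nestedGroup,OU=Users,{BASE}": {"objectClass": ["organizationalUnit"]},
    f"OU=groups,{BASE}": {"objectClass": ["organizationalUnit"]},
    USER_DN: {"objectClass": ["user"], "memberOf": [NESTED_GROUP_DN, MISSING_GROUP_DN]},
    NESTED_GROUP_DN: {"objectClass": ["group"], "memberOf": [POLICY_GROUP_DN]},
    POLICY_GROUP_DN: {"objectClass": ["group"]},
})

if __name__ == "__main__":
    print("strict walk:", strict_lookup_error(DIRECTORY, USER_DN) or "ok")
    groups, dangling = resolve_groups_lenient(DIRECTORY, USER_DN)
    print("resolved groups:", groups)
    print("dangling memberOf values:", dangling)
    print("authorized for policy group:", is_authorized(DIRECTORY, USER_DN, POLICY_GROUP_DN))
```

The strict walk reproduces the failure mode: myUser1 is a valid member of policyGroup through nestedGroup1, but the unresolvable myOtherGroup1 DN aborts the lookup before that chain is evaluated. The lenient walk is what an audit should do: it lists the (referrer, missing DN) pairs to clean up. Against a real directory the same check is a loop over the user's memberOf values (for example `Get-ADUser myUser1 -Properties memberOf` in PowerShell) that reads each DN back and reports any that return noSuchObject.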