LDAP errors 87 and 32 from Policy Server smps.log
search cancel

LDAP errors 87 and 32 from Policy Server smps.log

book

Article ID: 210598

calendar_today

Updated On:

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction


When running a Policy Server, some LDAP errors might be seen like these ones, and here some guidance to understand their meaning.

  1. [2738/140170544277248][Mon Jan 04 2021 21:09:30][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '32' during search: 'error: No such object extended error: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Groups,DC=example,DC=com' matched dn: OU=Groups,DC=example,DC=com' Search Query = 'objectclass=*' for server '10.0.0.1:636'
  2. [793/140026520262400][Mon Jan 04 2021 17:07:50][plugin_AD.cpp:821][ERROR][sm-Ldap-02070] Failed to read Active Directory user attribute userAccountControl for user: CN=<UserID>,DC=example,DC=com
  3. [13528/140711800305408][Mon Jan 04 2021 16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '10.0.0.1:636'

 

Resolution

 

Those errors are thrown by the LDAP Server, and the Policy Server reports them. For many of them, you should investigate the logs and traces of the LDAP Server in order to get more details about what causes it.

Here are the explanations:

  1. 1. 'OU=Groups,DC=example,DC=com' matched dn: OU=Groups,DC=example,DC=com' Search Query = 'objectclass=*' for server '10.0.0.1:636'

    This error is thrown when the User Store reports an error to execute the ldap query. You should investigate on the LDAP server logs and traces to understand why the LDAP server returns this error.
    From the following links, the error might show up if the base or search dn is badly defined among the others (1)(2)(3).

  2. Failed to read Active Directory user attribute userAccountControl for user: CN=<UserID>,DC=example,DC=com

    The attribute userAccountControl is not readable, because it doesn't exist, or the value is not readable, or the user doing the search doesn't have enough permission to read this attribute.

  3. Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '10.0.0.1:636'

    Somewhere in configuration, the filter has been set to "all", which is a bad filter.

    When configuring a Policy, a customization of the filter to find the user is possible. There might be a configuration where "all" has been set as expression (4).

    Note that a custom search can be set in the Password Policy too.

 

Additional Information

 

(1)

    Ldap error code 32
    

(2)
    
    Internal event: The LDAP server returned an error. 
    

(3)
    
    Error to get user group from Active Directory use LDAP in mono
    

(4)

    User Directory Search Expression Editor
    

Powered by Wolken Software