Those errors are thrown by the LDAP Server, and the Policy Server reports them. For many of them, you should investigate the logs and traces of the LDAP Server in order to get more details about what causes it.
Here are the explanations:
- 1. 'OU=Groups,DC=example,DC=com' matched dn: OU=Groups,DC=example,DC=com' Search Query = 'objectclass=*' for server '10.0.0.1:636'
This error is thrown when the User Store reports an error to execute the ldap query. You should investigate on the LDAP server logs and traces to understand why the LDAP server returns this error.
From the following links, the error might show up if the base or search dn is badly defined among the others (1)(2)(3).
- Failed to read Active Directory user attribute userAccountControl for user: CN=<UserID>,DC=example,DC=com
The attribute userAccountControl is not readable, because it doesn't exist, or the value is not readable, or the user doing the search doesn't have enough permission to read this attribute.
- Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '10.0.0.1:636'
Somewhere in configuration, the filter has been set to "all", which is a bad filter.
When configuring a Policy, a customization of the filter to find the user is possible. There might be a configuration where "all" has been set as expression (4).
Note that a custom search can be set in the Password Policy too.