LDAP errors 87 and 32 from Policy Server smps.log
Article ID: 210598

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction


When running a Policy Server, LDAP errors like the ones below might appear in smps.log. Provided here is some guidance to understand their meaning.

  1. [2738/140170544277248][Mon Jan 04 2021 21:09:30][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '32' during search: 'error: No such object extended error: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Groups,DC=example,DC=com' matched dn: OU=Groups,DC=example,DC=com' Search Query = 'objectclass=*' for server '##.##.##.##:<port>'
  2. [793/140026520262400][Mon Jan 04 2021 17:07:50][plugin_AD.cpp:821][ERROR][sm-Ldap-02070] Failed to read Active Directory user attribute userAccountControl for user: CN=<UserID>,DC=example,DC=com
  3. [13528/140711800305408][Mon Jan 04 2021 16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '##.##.##.##:<port>'


Environment

Siteminder release: 12.8x
Component: SMPLC (Policy Server)

Resolution


These errors are thrown by the LDAP Server, and the Policy Server only reports them. For many of them, the user should investigate the logs and traces of the LDAP Server in order to get more details about what causes them.

Here are the explanations:

  1. Error# '32' during search: 'error: No such object extended error: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Groups,DC=example,DC=com' matched dn: OU=Groups,DC=example,DC=com' Search Query = 'objectclass=*' for server '##.##.##.##:<port>'

    This error is thrown when the User Store reports an error while executing the LDAP query. Investigate the LDAP server logs and traces to understand why the LDAP server returns this error.
    According to the referenced links, the error can show up when, among other causes, the base or search DN is badly defined (1)(2)(3).

  2. Failed to read Active Directory user attribute userAccountControl for user: CN=<UserID>,DC=example,DC=com

    The attribute userAccountControl is not readable because it doesn't exist, because its value is not readable, or because the user performing the search doesn't have sufficient permission to read this attribute.

  3. Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '##.##.##.##:<port>'

    Somewhere in the configuration, the search filter has been set to "all", which is not a valid LDAP filter.

    When configuring a Policy, the filter used to find the user can be customized. There might be a configuration where "all" has been set as the expression (4).

    Note that a custom search can be set in the Password Policy too.
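As an added example that is not part of this article or of CA's own tooling, the following Python script triages the three smps.log lines quoted above: it pulls out the LDAP result code, the search query and the server, and runs a basic RFC 4515 syntax check on the query so that a filter such as "all" is flagged before it ever reaches the LDAP server as error 87. The log-line regexes are assumptions inferred from the quoted lines, not CA's documented log format.

```python
import re
SAMPLE_LINES = [  # constructed sample input: the three smps.log lines quoted in this article
    "[2738/140170544277248][Mon Jan 04 2021 21:09:30][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '32' during search: 'error: No such object extended error: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Groups,DC=example,DC=com' matched dn: OU=Groups,DC=example,DC=com' Search Query = 'objectclass=*' for server '##.##.##.##:<port>'",
    "[793/140026520262400][Mon Jan 04 2021 17:07:50][plugin_AD.cpp:821][ERROR][sm-Ldap-02070] Failed to read Active Directory user attribute userAccountControl for user: CN=<UserID>,DC=example,DC=com",
    "[13528/140711800305408][Mon Jan 04 2021 16:27:49][SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '##.##.##.##:<port>'",
]
# Line layout inferred from those samples (an assumption, not CA's documented log format).
LOG_RE = re.compile(r"\[\d+/\d+\]\[[^\]]+\]\[[^\]]+\]\[\w+\]\[(?P<code>sm-Ldap-\d+)\]\s*(?P<msg>.*)")
ERR_RE = re.compile(r"Error# '(?P<err>\d+)' during search: '.*?' Search Query = '(?P<query>.*?)' for server '(?P<server>[^']*)'")
ITEM_RE = re.compile(r"[A-Za-z0-9][\w.;:-]*(?:~=|>=|<=|=)[^()]*")  # attr<op>value, no bare parens in value
GUIDANCE = {32: "noSuchObject: verify the base/search DN exists; check the LDAP server logs",
            87: "filterError: fix the search filter in the Policy or Password Policy"}

def _parse(f: str, i: int) -> int:
    """Consume one parenthesised RFC 4515 filter starting at f[i]; return its end index or -1."""
    if f[i:i + 1] != "(":
        return -1
    i, op = i + 1, f[i + 1:i + 2]
    if op in ("&", "|", "!"):               # combinators wrap parenthesised sub-filters
        i, n = i + 1, 0
        while i >= 0 and f[i:i + 1] == "(":
            i, n = _parse(f, i), n + 1
        if i < 0 or (op == "!" and n != 1):  # NOT takes exactly one sub-filter
            return -1
    else:                                   # (cn=bob), (objectclass=*), (uid>=5) ...
        m = ITEM_RE.match(f, i)
        if not m:
            return -1
        i = m.end()
    return i + 1 if f[i:i + 1] == ")" else -1

def filter_is_valid(flt: str) -> bool:
    """Syntax check only; a bare attr=value (accepted by many servers) is wrapped first."""
    flt = flt.strip()
    flt = flt if flt.startswith("(") else f"({flt})"
    return _parse(flt, 0) == len(flt)

def triage_smps_line(line: str):
    """Extract LDAP error, query and server from one smps.log line and attach advice."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"code": m["code"], "ldap_error": None, "query": None, "server": None,
           "filter_ok": None, "advice": "check the LDAP server logs and traces"}
    e = ERR_RE.search(m["msg"])
    if e:
        rec.update(ldap_error=int(e["err"]), query=e["query"], server=e["server"],
                   filter_ok=filter_is_valid(e["query"]))
        rec["advice"] = GUIDANCE.get(rec["ldap_error"], rec["advice"])
    elif "userAccountControl" in m["msg"]:
        rec["advice"] = "userAccountControl unreadable: confirm it exists and the bind account may read it"
    return rec
```

Running `[triage_smps_line(l) for l in SAMPLE_LINES]` reports error 32 with a syntactically fine query (so the base DN, not the filter, is the thing to check), the unreadable userAccountControl attribute, and error 87 with `filter_ok` False for the query "all".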


Additional Information