LDAP errors

Article ID: 210598

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

When running a Policy Server, LDAP errors such as the following may appear
in its logs. This article gives guidance on what each of them means.

1.

   [2738/140170544277248][Mon Jan 04 2021 21:09:30][SmDsLdapConnMgr.cpp:1201]
   [ERROR][sm-Ldap-02230] Error# '32' during search: 'error: No such object extended error:
   0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
   'OU=Groups,DC=training,DC=com' matched
   dn: OU=Groups,DC=training,DC=com'
   Search Query = 'objectclass=*' for server '10.0.0.1:636'

2.

   [793/140026520262400][Mon Jan 04 2021 17:07:50][plugin_AD.cpp:821]
   [ERROR][sm-Ldap-02070] Failed to read Active Directory user attribute userAccountControl for user:
   CN=jsmith,DC=training,DC=com

3.

   [13528/140711800305408][Mon Jan 04 2021 16:27:49][SmDsLdapConnMgr.cpp:1201]
   [ERROR][sm-Ldap-02230] Error# '87' during search: 'error:
   Bad search filter' Search Query = 'all' for server '10.0.0.1:636'

 

Resolution

 

These errors are raised by the LDAP server and reported by the Policy
Server. For most of them, you should examine the LDAP server's own logs
and traces to find out what causes them.

Here are the explanations:

1. 

   'OU=Groups,DC=training,DC=com' matched
   dn: OU=Groups,DC=training,DC=com'
   Search Query = 'objectclass=*' for server '10.0.0.1:636'

   This error is reported when the User Store returns an error while
   executing the LDAP query. Examine the LDAP server's logs and traces
   to understand why it returns this error.

   According to the references below, this error typically appears
   when the base DN or search DN is incorrectly defined, among other
   causes (1).

2. 

   Failed to read Active Directory user attribute userAccountControl
   for user: CN=jsmith,DC=training,DC=com

   The attribute userAccountControl cannot be read: either it does not
   exist, its value is not readable, or the account performing the
   search does not have sufficient permission to read it.

3. 

   Error# '87' during search: 'error: Bad search filter' Search Query = 'all' for server '10.0.0.1:636'

   Somewhere in the configuration, the search filter has been set to
   "all", which is not a valid LDAP search filter.

   When configuring a Policy, you can customize the filter used to find
   the user. There is most likely a configuration where "all" has been
   set as the search expression (2).

   Note that a custom search expression can also be set in a Password
   Policy.
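As an added illustration (this is not Broadcom's code and not part of the original article), the following Python script parses the three log lines quoted above, maps the numeric code to its LDAP result-code name, checks whether the logged search filter is even syntactically plausible, and, when a base DN is supplied, uses the server's "best match" DN to show which RDNs of the requested base do not exist. The sample lines are the article's own examples re-joined onto single lines as the Policy Server writes them; the base DN OU=Sales,OU=Groups,DC=training,DC=com used in the demo is a constructed value, and the filter check is a deliberate approximation of RFC 4515 rather than a full parser.

```python
"""Triage helper for the sm-Ldap log lines quoted in this article (added example).

Extracts the message id, LDAP result code, search filter and the server's
'best match' DN, then applies two local checks a Policy Server admin can do
before opening the directory's own logs: is the filter syntactically plausible,
and which part of the requested base DN does the directory say is missing.
"""
import re
from typing import Optional

# 32 is the LDAP protocol result code noSuchObject (RFC 4511). 87 is the
# OpenLDAP client-library code LDAP_FILTER_ERROR: the filter was rejected
# locally, so no request ever reached the server.
LDAP_CODES = {
    32: ("noSuchObject", "search base or target DN does not exist; check the base/search DN"),
    87: ("filterError", "search filter is not valid RFC 4515 syntax; check the search expression"),
}

LINE_RE = re.compile(r"\[(\d+)/(\d+)\]\[([^\]]+)\]\[([^\]]+)\]\[(\w+)\]\[(sm-Ldap-\d+)\]\s*(.*)", re.S)
ERRNO_RE = re.compile(r"Error# '(\d+)'")
QUERY_RE = re.compile(r"Search Query = '([^']*)' for server '([^']+)'")
MATCH_RE = re.compile(r"best match of:\s*'([^']+)'")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one sm-Ldap log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = m.group(7)
    e, q, bm = ERRNO_RE.search(body), QUERY_RE.search(body), MATCH_RE.search(body)
    return {
        "msgid": m.group(6),
        "source": m.group(4),
        "code": int(e.group(1)) if e else None,
        "query": q.group(1) if q else None,
        "server": q.group(2) if q else None,
        "matched_dn": bm.group(1) if bm else None,
    }


def filter_is_plausible(f: str) -> bool:
    """Cheap syntax check, not a full RFC 4515 parser: accept a bare
    'attr=value' item (the Policy Server logs 'objectclass=*' that way) or a
    balanced parenthesised expression; reject anything else, such as 'all'."""
    f = f.strip()
    if f.startswith("("):
        depth = 0
        for ch in f:
            depth += 1 if ch == "(" else -1 if ch == ")" else 0
            if depth < 0:
                return False
        return depth == 0 and f.endswith(")")
    return re.fullmatch(r"[A-Za-z][\w.;-]*(=|~=|>=|<=)[^()]+", f) is not None


def missing_rdns(requested: str, matched: str) -> list:
    """RDNs of `requested` below the server's matchedDN, leaf first: the part
    of the path the directory could not resolve. Commas escaped with a
    backslash stay inside their RDN; the comparison is case-insensitive."""
    req = [p.strip() for p in re.split(r"(?<!\\),", requested)]
    mat = [p.strip() for p in re.split(r"(?<!\\),", matched)]
    if len(mat) > len(req):
        return req
    cut = len(req) - len(mat)
    if [p.lower() for p in req[cut:]] != [p.lower() for p in mat]:
        return req  # matchedDN is not a suffix of the request; nothing resolved
    return req[:cut]


def triage(line: str, base_dn: Optional[str] = None) -> dict:
    """Classify one log line; `base_dn` is the configured search base, if known."""
    ev = parse_line(line)
    if ev is None:
        return {"msgid": None, "hint": "not an sm-Ldap line"}
    name, hint = LDAP_CODES.get(ev["code"], ("unknown", "consult the LDAP server's own logs"))
    if ev["msgid"] == "sm-Ldap-02070":
        hint = "attribute absent or unreadable, or the bind account lacks read permission on it"
    out = {"msgid": ev["msgid"], "code": ev["code"], "name": name, "hint": hint}
    if ev["query"] is not None:
        out["filter_ok"] = filter_is_plausible(ev["query"])
    if ev["code"] == 32 and ev["matched_dn"] and base_dn:
        out["missing_rdns"] = missing_rdns(base_dn, ev["matched_dn"])
    return out


# Constructed sample input: the three lines from this article, each re-joined
# onto a single line as the Policy Server writes them.
SAMPLE_LINES = [
    "[2738/140170544277248][Mon Jan 04 2021 21:09:30][SmDsLdapConnMgr.cpp:1201]"
    "[ERROR][sm-Ldap-02230] Error# '32' during search: 'error: No such object extended error: "
    "0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: "
    "'OU=Groups,DC=training,DC=com' matched dn: OU=Groups,DC=training,DC=com' "
    "Search Query = 'objectclass=*' for server '10.0.0.1:636'",
    "[793/140026520262400][Mon Jan 04 2021 17:07:50][plugin_AD.cpp:821]"
    "[ERROR][sm-Ldap-02070] Failed to read Active Directory user attribute userAccountControl "
    "for user: CN=jsmith,DC=training,DC=com",
    "[13528/140711800305408][Mon Jan 04 2021 16:27:49][SmDsLdapConnMgr.cpp:1201]"
    "[ERROR][sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' "
    "Search Query = 'all' for server '10.0.0.1:636'",
]

if __name__ == "__main__":
    # Hypothetical base DN one level below the matched entry, to show the DN check.
    for line in SAMPLE_LINES:
        print(triage(line, base_dn="OU=Sales,OU=Groups,DC=training,DC=com"))
```

Two points the output makes visible: code 87 is the OpenLDAP client library's own LDAP_FILTER_ERROR, so for item 3 the directory's logs will show nothing because the filter never left the Policy Server; code 32, by contrast, does come from the directory, and its matchedDN is the deepest entry that actually exists, which is why comparing it with the configured base DN pinpoints the RDN that is wrong.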

 

Additional Information

 

(1)

    Ldap error code 32

      object which you're searching doesn't exist or the container in
      which you are searching is not correct.

    https://stackoverflow.com/questions/10607865/ldap-error-code-32

    Internal event: The LDAP server returned an error.

      0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data
      0, best match of: 'CN=Groups,DC=training,DC=com'

      Any ideas as to what may be causing this or how I can
      troubleshoot it?
 
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/517cfc7c-2a4e-47f9-80bf-0d5d7e2cd4ac/internal-event-the-ldap-server-returned-an-error?forum=winserverDS

    Error to get user group from Active Directory use LDAP in mono

      This error is usually generated when the search base is not
      valid.

    https://stackoverflow.com/questions/32584772/error-to-get-user-group-from-active-directory-use-ldap-in-mono

(2)

   User Directory Search Expression Editor
   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/policy-and-related-dialogs-reference/users-screen/user-directory-search-expression-editor.html