CA IM (Identity Manager) searches are failing with the following error:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unwilling To Perform]; remaining name 'ou=im,ou=ca,o=com
Log Extract:
2021-11-15 12:21:23,672 [1;31;13mERROR [ims.llsdk.directory.jndi.searcher] (default task-8) evaluateSearchUnit has naming exception[0m
2021-11-15 12:21:23,672 [1;31;13mERROR [ims.llsdk.directory.jndi.searcher] (default task-8) javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unwilling To Perform]; remaining name 'ou=im,ou=ca,o=com'[0m
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3227)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:276)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:276)
at com.netegrity.llsdk6.imsimpl.directory.jndi.LdapOps.search(LdapOps.java:492)
at com.netegrity.llsdk6.imsimpl.directory.jndi.LdapOps.searchSubTree(LdapOps.java:510)
at com.netegrity.llsdk6.imsimpl.directory.jndi.JndiSearcher.evaluateSearchUnit(JndiSearcher.java:363)
at
Release : 14.3
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
The LDAP search/query from IM is causing the unwilling to perform error. The IM Userstore alarm logs show the following error.
[6] 20211115.201932.257 WARN : Cannot have substrings filter with integer syntax
[4] 20211115.201932.563 WARN : Cannot have substrings filter with integer syntax
[1] 20211115.201932.762 WARN : Cannot have substrings filter with integer syntax
[3] 20211115.201933.029 WARN : Cannot have substrings filter with integer syntax
This is normal as one cannot perform a wild card search on an integer value.
Reference:
https://knowledge.broadcom.com/external/article?articleId=50697
Enabling DSA Directory tracing will identify the attributes being searched (for example)
schema set attribute im-UU-attr:213 = {
name = imInteger03
ldap-names = imInteger03
equality = integerMatch
syntax = integer
};
In the context of CA Identity Manager (IM), this would be referenced via a search screen attached to a task. To resolve the issue customers need to determine which attributes are involved in the failing search and make the appropriate changes.