The user directory cannot connect to the AD servers and logs the following error:
[SmDsLdapFunctionImpl.cpp:2860][ERROR][sm-Ldap-01220] (Bind) DN: 'CN=xxx,OU=xxx,DC=xxx'. Status: Error 8 . Strong authentication reqd
SiteMinder 12.8 SP7 on Linux
As per RFC 2251, error 8 indicates "strongAuthRequired: the server requires authentication be performed with a SASL mechanism".
So, when the AD server requires SASL but the user directory is not configured to support SASL authentication, the AD server rejects the connection.
Only the AD namespace type supports SASL; the LDAP namespace type doesn't support native Windows SASL. But the Linux policy server doesn't support the AD namespace type, which means the Linux policy server cannot support SASL.
So, the solutions are (choose one of them):
1. Install the policy server on a Windows server, and enable SASL as per document,
2. Disable SASL on the AD side, and use LDAP over SSL (LDAPS) instead.
To configure LDAP over SSL,
3. Disable SASL and LDAPS on the AD side.
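
To tell whether bind failures in the policy server log are result code 8 rather than a credential problem, the following added example (not Broadcom's code) parses lines in the format quoted above and counts failures per bind DN. The function names, the sample DNs and all sample lines are constructed, the assumption that other bind errors use the same line layout is mine, and the result-code names are those of RFC 2251.

```python
import re
from collections import Counter

# LDAP result codes that can come back on a bind (names from RFC 2251).
BIND_RESULT_CODES = {
    7: "authMethodNotSupported",
    8: "strongAuthRequired",
    13: "confidentialityRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
}

# Layout of the policy server line quoted on this page:
# [File.cpp:2860][ERROR][sm-Ldap-01220] (Bind) DN: '...'. Status: Error 8 . text
BIND_LINE = re.compile(
    r"\[[^\]:]+:\d+\]\[ERROR\]\[sm-Ldap-\d+\]\s+\(Bind\)\s+"
    r"DN:\s+'(?P<dn>[^']*)'\.\s+Status:\s+Error\s+(?P<code>\d+)\s*\.\s*(?P<text>.*)$"
)

def parse_bind_failure(line):
    """Return a dict for a (Bind) error line, or None for any other line."""
    m = BIND_LINE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "dn": m.group("dn"),
        "code": code,
        "name": BIND_RESULT_CODES.get(code, "other"),
        # 8 and 13 mean the server refused how the bind was made (mechanism or
        # transport protection), not the password, so new credentials won't help.
        "policy_rejection": code in (8, 13),
    }

def summarize(lines):
    """Count bind failures per (DN, result-code name) across a log."""
    hits = filter(None, map(parse_bind_failure, lines))
    return Counter((h["dn"], h["name"]) for h in hits)

# Constructed sample lines; the DNs are placeholders, not real accounts.
_PREFIX = "[SmDsLdapFunctionImpl.cpp:2860][ERROR][sm-Ldap-01220] (Bind) DN: "
SAMPLE_LOG = [
    _PREFIX + "'CN=svc,OU=apps,DC=example,DC=test'. Status: Error 8 . Strong authentication reqd",
    _PREFIX + "'CN=svc,OU=apps,DC=example,DC=test'. Status: Error 8 . Strong authentication reqd",
    _PREFIX + "'CN=other,OU=apps,DC=example,DC=test'. Status: Error 49 . Invalid credentials",
    "[Constructed.cpp:10][INFO] unrelated line",
]

if __name__ == "__main__":
    for (dn, name), count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {name:20s} {dn}")
```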