Users in LDAP group can't access SSP UI.

Article ID: 408575


Products

VMware vDefend Firewall

Issue/Introduction

  • After LDAP is added to SSP, a group (for example, Group1) is added in the User Management section and assigned a role.
  • A user who is a member of this group tries to log in and sees the error: "The application server is unable to fulfill your request due to insufficient privileges. You do not have the privileges to access Security Services Platform. (403 Forbidden)"

Environment

SSP 5.0.0

Cause

  • This can happen when the identity and access management service (Authelia) cannot retrieve the groups that the user belongs to.
  • Check this by running the authorization check script (contact Broadcom Support for the script). In the case described here, the user was a member of a group whose name contained "\0A".
  • "\0A" is the escaped form of a newline (line feed) character, meaning a literal newline is embedded in the group's Common Name. This is highly unusual and problematic for a CN: it is not standard practice and causes issues with tools that do not handle escaped characters correctly.
  • Because of this non-standard name, Authelia did not process the groups header correctly.
  • Run ldapsearch as root from SSP to see more information about the user:

export LDAPTLS_REQCERT=ALLOW

ldapsearch -x -H ldaps://url:636 -D "[email protected]" -b "dc=example,dc=local" "([email protected])" memberOf -W
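As an added example (not from this article or from Broadcom), the following Python parses the memberOf lines of ldapsearch LDIF output and flags any group DN whose name contains a control character such as a newline, whether hex-escaped as "\0A" (RFC 4514) or present literally (in which case LDIF base64-encodes the value). The LDIF sample is constructed, not captured from a real directory.

```python
import base64
import re

# RFC 4514 hex-pair escape inside a DN, e.g. "\0A" for a line feed.
HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def member_of_values(ldif_text):
    """Return decoded memberOf DNs; 'memberOf:: ' values are base64 per the LDIF rules."""
    dns = []
    for line in unfold_ldif(ldif_text):
        if line.startswith("memberOf:: "):
            dns.append(base64.b64decode(line[len("memberOf:: "):]).decode("utf-8"))
        elif line.startswith("memberOf: "):
            dns.append(line[len("memberOf: "):])
    return dns


def control_chars_in_dn(dn):
    """Return the set of control characters in a DN, literal or hex-escaped."""
    found = {ch for ch in dn if ord(ch) < 0x20}
    for m in HEX_ESCAPE.finditer(dn):
        code = int(m.group(1), 16)
        if code < 0x20:
            found.add(chr(code))
    return found


def find_bad_groups(ldif_text):
    """Return (dn, control chars) for every memberOf group whose DN carries a control character."""
    result = []
    for dn in member_of_values(ldif_text):
        bad = control_chars_in_dn(dn)
        if bad:
            result.append((dn, bad))
    return result


def sample_ldif():
    """Constructed ldapsearch-style output for one user (hypothetical names, not real data)."""
    literal_nl = "CN=Ops Team\n,OU=Groups,DC=example,DC=local"  # raw newline forces base64 in LDIF
    b64 = base64.b64encode(literal_nl.encode("utf-8")).decode("ascii")
    return ("dn: CN=jdoe,OU=Users,DC=example,DC=local\n"
            "memberOf: CN=Group1,OU=Groups,DC=example,DC=local\n"
            "memberOf: CN=SSP Admins\\0A,OU=Groups,DC=example,DC=local\n"
            f"memberOf:: {b64}\n")
```

Pipe the real `ldapsearch ... memberOf` output into `find_bad_groups` to list the groups that need to be cleaned up before the user is expected to log in.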

Resolution

Remove the user from the group whose name contains "\0A". The user should then be able to log in.