CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 9th June 2016
INTRODUCTION:
The Search class, SmDmsSearch, represents a configuration object for the search operation. It holds the search base and the filter. The filter expects a string-based search expression for the object class.
The search class returns a list of distinguished names paired with the corresponding class identifier, and optionally, selected attribute information for the items retrieved in the search.
QUESTION:
User search is successful via User Directories >> View Contents, but it is failing via SDK API. Policy Server trace logged the following error corresponding to the search:
[01/17/2016][21:10:18.682][21:10:18][49335][4034558832][SmDsDir.cpp:425][CSmDsDir::Search][Advanced search, Root='o=ca.com',Filter='uid=Adm112233'][][Start of call Search.][][][]
[01/17/2016][21:10:18.682][21:10:18][49335][4034558832][SmDsDir.cpp:446][CSmDsDir::Search][false][Return from call Search.][][][]
...
[01/17/2016][21:10:18.682][21:10:18][49335][4034558832][SmEmsCommandBase.cpp:497][CSmEmsCommandBase::traceResponse][1939][<session=siteminder@db7IP13Vp0P/Jkq7YEef93dLPyU=>
<command=search>
<status=E/0793/0/Search failure>
][][Processed EMS2 response.][][][]
The same is working with R12.52 Policy Server, failing with R12.52 SP1 CR2 Policy Server.
ENVIRONMENT:
Apply to all R12.52 SP1 Policy Servers.
ANSWER:
With R12.52 SP1 Policy Server release, additional condition is added to the search call. Policy Server validates if the search root with the SDK API call includes lower hierarchical level compared to the root DN defined with the user directory setup. If so, Policy Server will not allow the search.
For example, Policy Server returns the search failure if you have <searchroot=ou=support,o=ca.com> defined as root DN within the user directory setup while having <root=o=ca.com> defined as root DN within the SDK API call.
Hence, match the root DN or define top level of the hierarchy as search root within the user directory setup.