Symantec Access Management

Expand all | Collapse all

Identity Mapping

Jump to Best Answer
  • 1.  Identity Mapping

    Posted 12-06-2016 05:02 AM

    i encountered a problem when i configure identity mapping using custom search.

    There are two type of user stores, one is LDAP server, the another one is AD. User will be authenticated against LDAP server, then authorised against AD.There are two connections to my AD server, one is using AD namespace, the another one is using LDAP namespace. 

    The identity mapping configuration is using Authentication-Authorization type, and using custom search (sAMAccountName=SM_USERLOGINNAME). 

    The problem is when i use the mapping which  is using AD namespace user store, the user can be authorised, no issue. But when i use the mapping which is using LDAP namespace then user not authorized.

     

    I also tried to configure the identity mapping to use Universal ID, it is working, no problem.

     

     

    From the trace logs i saw the below bad search filter error:

    [12/06/2016][16:59:59.347][16:59:59][4484][5412][SmDsLdapProvider.cpp:1793][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))((sAMAccountName=s2828282k)))]
    [12/06/2016][16:59:59.347][16:59:59][4484][5412][SmDsLdapConnMgr.cpp:1231][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))((sAMAccountName=s2828282k)))']
    [12/06/2016][16:59:59.347][16:59:59][4484][5412][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][][][][][][][][][][][][Bad search filter][][][][][][(Search) Base: 'DC=devstudent,DC=forward,DC=inc', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))((sAMAccountName=s2828282k)))'][][Ldap Search callout fails.]

     

    compare to the user store using AD namespace:

    [12/06/2016][16:13:14.502][16:13:14][4776][3240][SmDsLdapProvider.cpp:2362][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'DC=devstaff,DC=forward,DC=inc', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(sAMAccountName=s2828282k))'. Status: 1 entries.][][Ldap Search callout succeeds.]
    [12/06/2016][16:13:14.502][16:13:14][4776][3240][SmDsLdapProvider.cpp:2362][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Retrieving attributes for: 'CN=S2828282K,CN=Users,DC=forward,DC=inc', Filter: 'objectclass=*'. Status: 1 matching objects.][][Ldap Search callout succeeds.]

     

    Anyone can suggest how to resolve this. i need to use custom search.



  • 2.  Re: Identity Mapping
    Best Answer

    Posted 12-06-2016 07:49 AM

    That seems like a known defect.

    Can you confirm your PS version? 


    This is fixed in 12.52 SP1 CR4 onwards.

    This issue is still not fixed until 12.52SP2CR1



    From 12.52SP1CR4 release notes:

    ==========================

    Authorization Failure in Identity Mapping

    Authorization fails to work with Identity Mapping.

    STAR Issue: 00194700

    RTC Issue: 165424/DE85265

    https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr04#DefectsFixedin12.52SP1CR04-PolicyServer







  • 3.  Re: Identity Mapping

    Posted 12-06-2016 10:07 PM

    I am using 12.52 SP02 CR01



  • 4.  Re: Identity Mapping

    Posted 12-06-2016 10:09 PM

    Yeah unfortunately the issue is not yet fixed in that CR.

    Request you to open a support ticket and request a dev fix.



  • 5.  Re: Identity Mapping

    Posted 12-06-2016 10:48 PM

    Ok, thank you Ujwol,  i will open ticket.