Symantec Access Management

  • 1.  Identity Mapping

    Posted Dec 06, 2016 05:02 AM

    I encountered a problem when configuring identity mapping using a custom search.

    There are two types of user stores: one is an LDAP server, the other is AD. Users are authenticated against the LDAP server, then authorised against AD. There are two connections to my AD server: one uses the AD namespace, the other uses the LDAP namespace.

    The identity mapping configuration uses the Authentication-Authorization type, with a custom search (sAMAccountName=SM_USERLOGINNAME).

    The problem is that when I use the mapping with the AD namespace user store, the user is authorised with no issue. But when I use the mapping with the LDAP namespace user store, the user is not authorised.

    I also tried configuring the identity mapping to use Universal ID; that works with no problem.

    From the trace logs I saw the bad search filter error below:

    [12/06/2016][16:59:59.347][16:59:59][4484][5412][SmDsLdapProvider.cpp:1793][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))((sAMAccountName=s2828282k)))]
    [12/06/2016][16:59:59.347][16:59:59][4484][5412][SmDsLdapConnMgr.cpp:1231][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-02230] Error# '87' during search: 'error: Bad search filter' Search Query = '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))((sAMAccountName=s2828282k)))']
    [12/06/2016][16:59:59.347][16:59:59][4484][5412][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][][][][][][][][][][][][Bad search filter][][][][][][(Search) Base: 'DC=devstudent,DC=forward,DC=inc', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))((sAMAccountName=s2828282k)))'][][Ldap Search callout fails.]

    Compare this with the user store using the AD namespace:

    [12/06/2016][16:13:14.502][16:13:14][4776][3240][SmDsLdapProvider.cpp:2362][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'DC=devstaff,DC=forward,DC=inc', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(sAMAccountName=s2828282k))'. Status: 1 entries.][][Ldap Search callout succeeds.]
    [12/06/2016][16:13:14.502][16:13:14][4776][3240][SmDsLdapProvider.cpp:2362][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Retrieving attributes for: 'CN=S2828282K,CN=Users,DC=forward,DC=inc', Filter: 'objectclass=*'. Status: 1 matching objects.][][Ldap Search callout succeeds.]

    Can anyone suggest how to resolve this? I need to use custom search.


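The two trace lines quoted above differ only in how the custom search is wrapped: the AD-namespace store sends `(sAMAccountName=s2828282k)` as one operand of the `&`, while the LDAP-namespace store sends `((sAMAccountName=s2828282k))`. Under the RFC 4515 grammar (`filter = "(" filtercomp ")"`, where `filtercomp` is `&`, `|`, `!` or an `attr=value` item) a filter may not directly wrap another filter, so the server rejects it with result code 87 (filterError), which is the "Bad search filter" in the log. The following is an added example, not code from the thread or from the Policy Server: a small RFC 4515 syntax checker that pulls each `Filter: '...'` out of trace lines and reports the position of the fault. The trace lines embedded in it are a constructed sample trimmed from the log output quoted above; accepting a bare item such as `objectclass=*` without parentheses is a lenience common LDAP client libraries share, not part of the RFC grammar.

```python
"""RFC 4515 search-filter syntax checker, run over Policy Server trace lines."""
import re

# Constructed sample: the Filter: '...' portions of the trace lines quoted in the
# thread (LDAP-namespace store first, AD-namespace store second and third).
TRACE_LINES = [
    "[SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search] (Search) Base: 'DC=devstudent,DC=forward,DC=inc', "
    "Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)"
    "(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))"
    "((sAMAccountName=s2828282k)))' Ldap Search callout fails.",
    "[SmDsLdapProvider.cpp:2362][CSmDsLdapProvider::Search] (Search) Base: 'DC=devstaff,DC=forward,DC=inc', "
    "Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)"
    "(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))"
    "(sAMAccountName=s2828282k))'. Status: 1 entries. Ldap Search callout succeeds.",
    "[SmDsLdapProvider.cpp:2362][CSmDsLdapProvider::Search] (Search) Retrieving attributes for: "
    "'CN=S2828282K,CN=Users,DC=forward,DC=inc', Filter: 'objectclass=*'. Status: 1 matching objects.",
]

FILTER_RE = re.compile(r"Filter: '([^']*)'")
# item = attr filtertype value; an unescaped parenthesis is never valid inside a value
ITEM_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9.;-]*)(~=|>=|<=|:=|=)([^()]*)")


class FilterSyntaxError(ValueError):
    pass


def _parse(s, i):
    """Parse one `filter = "(" filtercomp ")"` at s[i]; return (node, index after ')')."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"position {i}: expected '('")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError(f"position {i}: unexpected end of filter")
    c = s[i]
    if c in "&|":
        i += 1
        kids = []
        while i < len(s) and s[i] == "(":      # filterlist = 1*filter
            node, i = _parse(s, i)
            kids.append(node)
        if not kids:
            raise FilterSyntaxError(f"position {i}: '{c}' needs at least one filter")
        node = (c, kids)
    elif c == "!":
        inner, i = _parse(s, i + 1)
        node = ("!", [inner])
    elif c == "(":
        # The LDAP-namespace case from the thread: ((sAMAccountName=x))
        raise FilterSyntaxError(
            f"position {i}: '(' directly inside '(' with no &, | or ! operator "
            "(a filter may not wrap another filter)")
    else:
        m = ITEM_RE.match(s, i)
        if not m:
            raise FilterSyntaxError(f"position {i}: malformed item")
        node = ("item", m.group(1), m.group(2), m.group(3))
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"position {i}: expected ')'")
    return node, i + 1


def parse_filter(s):
    """Return a nested-tuple AST for a filter string, or raise FilterSyntaxError."""
    if not s.startswith("("):
        # Lenience (assumption, not RFC 4515): accept a bare item like objectclass=*
        m = ITEM_RE.fullmatch(s)
        if not m:
            raise FilterSyntaxError("position 0: expected '(' or a bare attr=value item")
        return ("item", m.group(1), m.group(2), m.group(3))
    node, end = _parse(s, 0)
    if end != len(s):
        raise FilterSyntaxError(f"position {end}: trailing characters after filter")
    return node


def check_filter(s):
    """None when the filter is syntactically valid, otherwise the error message."""
    try:
        parse_filter(s)
        return None
    except FilterSyntaxError as e:
        return str(e)


def check_trace(lines):
    """Extract every Filter: '...' from trace lines; return [(filter, error_or_None)]."""
    results = []
    for line in lines:
        for f in FILTER_RE.findall(line):
            results.append((f, check_filter(f)))
    return results


if __name__ == "__main__":
    for f, err in check_trace(TRACE_LINES):
        tag = "OK " if err is None else "BAD"
        print(tag, f[:60] + ("..." if len(f) > 60 else ""), err or "")
```

Run against the sample, the first filter is reported bad at the nested `(` that follows the `(|...)` group, and the two filters from the AD-namespace store parse cleanly. The same `check_trace` can be pointed at a full smtracedefault.log to find every search the Policy Server built with a filter the server will refuse.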

  • 2.  Re: Identity Mapping
    Best Answer

    Posted Dec 06, 2016 07:49 AM

    That seems like a known defect.

    Can you confirm your PS version?

    This is fixed in 12.52 SP1 CR4 onwards.

    This issue is still not fixed as of 12.52 SP2 CR1.
    From 12.52SP1CR4 release notes:

    ==========================

    Authorization Failure in Identity Mapping

    Authorization fails to work with Identity Mapping.

    STAR Issue: 00194700

    RTC Issue: 165424/DE85265

    https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr04#DefectsFixedin12.52SP1CR04-PolicyServer
  • 3.  Re: Identity Mapping

    Posted Dec 06, 2016 10:07 PM

    I am using 12.52 SP02 CR01
  • 4.  Re: Identity Mapping

    Posted Dec 06, 2016 10:09 PM

    Yeah unfortunately the issue is not yet fixed in that CR.

    Please open a support ticket and request a dev fix.
  • 5.  Re: Identity Mapping

    Posted Dec 06, 2016 10:48 PM

    OK, thank you Ujwol, I will open a ticket.