I’m trying to synchronize OpenLDAP and Active directory together. To do so I’m using a program called LSC-Project which is specified to do this sort of thing.
I have configured the program the best I can however I can’t find a way to shake off the following error:
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-
031001CD,
problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domname,DC=com'
]; remaining name
'uid=user1,ou=Users'
May 09 15:19:25 - ERROR - Error while synchronizing ID uid=user1,ou=Users:
java.lang.Exception:
Technical problem while applying modifications to directory
dn: uid=user1,ou=Users,dc=domname,dc=com
changetype: add
userPassword: 3+kU2th/WMo/v553A24a3SBw2kU=
objectClass: uid
This is the configuration file that the program runs on:
###############################
Destination LDAP directory #
##############################
dst.java.naming.provider.url = ldap://192.168.1.3:389/dc=Windows,dc=com
dst.java.naming.security.authentication = simple
dst.java.naming.security.principal = cn=Administrator,cn=Users,dc=Windows,dc=com
dst.java.naming.security.credentials = 11111
dst.java.naming.referral = ignore
dst.java.naming.ldap.derefAliases = never
dst.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
dst.java.naming.ldap.version = 3
dst.java.naming.ldap.pageSize = 1000
#########################
Source LDAP directory
#########################
src.java.naming.provider.url = ldap://192.168.1.2:389/dc=Linux,dc=com
src.java.naming.security.authentication = simple
src.java.naming.security.principal = uid=root,ou=users,dc=Linux,dc=com
src.java.naming.security.credentials = 11111
src.java.naming.referral = ignore
src.java.naming.ldap.derefAliases = never
src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
src.java.naming.ldap.version = 3
#######################
Tasks configuration
#######################
lsc.tasks = Administrator
lsc.tasks.Administrator.srcService = org.lsc.jndi.SimpleJndiSrcService
lsc.tasks.Administrator.srcService.baseDn = ou=users
lsc.tasks.Administrator.srcService.filterAll = (&(objectClass=person))
lsc.tasks.Administrator.srcService.pivotAttrs = uid
lsc.tasks.Administrator.srcService.filterId = (&(objectClass=person)(uid={uid}))
lsc.tasks.Administrator.srcService.attrs = description uid userPassword
lsc.tasks.Administrator.dstService = org.lsc.jndi.SimpleJndiDstService
lsc.tasks.Administrator.dstService.baseDn = cn=Users
lsc.tasks.Administrator.dstService.filterAll = (&(cn=*)(objectClass=organizationalPerson))
lsc.tasks.Administrator.dstService.pivotAttrs = cn, top, person, user, organizationalPerson
lsc.tasks.Administrator.dstService.filterId = (&(objectClass=user) (sAMAccountName={cn}))
lsc.tasks.Administrator.dstService.attrs = description cn userPassword objectClass
lsc.tasks.Administrator.bean = org.lsc.beans.SimpleBean
lsc.tasks.Administrator.dn = "uid=" + srcBean.getAttributeValueById("uid") + ",ou=Users"
dn.real_root = dc=Domname,dc=com
#############################
Syncoptions configuration
#############################
lsc.syncoptions.Administrator = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
lsc.syncoptions.Administrator.default.action = M
lsc.syncoptions.Administrator.objectClass.action = M
lsc.syncoptions.Administrator.objectClass.force_value = srcBean.getAttributeValueById("cn").toUpperCase()
lsc.syncoptions.Administrator.userPassword.default_value = SecurityUtils.hash(SecurityUtils.HASH_SHA1, "defaultPassword")
lsc.syncoptions.Administrator.default.delimiter=;
lsc.syncoptions.Administrator.objectClass.force_value = "top";"user";"person";"organizationalPerson"
lsc.syncoptions.Administrator.userPrincipalName.force_value = srcBean.getAttributeValueById("uid") + "@Domname.com"
lsc.syncoptions.Administrator.userAccountControl.create_value = AD.userAccountControlSet ( "0", [AD.UAC_SET_NORMAL_ACCOUNT])
I’m suspecting that it has something to do with the baseDn of the Task configuration in the part of the source configuration.
The OSs is ubuntu 10.04 and Windows2K3
Someone suggested to me to make a manual sync between them but I have not found any guides to do so. And this program is pretty much the only thing that says that is does this kind of job without costs.
Troubleshooting
Problem
Some users that were once able to view FileNet Content Platform Engine (CPE) content from Content Navigator (ICN) or Workplace XT (WPXT) now get LDAP error code 32 when retrieving content
Symptom
The following error seen in the p8_server_error.log:
2018-05-08T08:00:41.672 3C50EAD8 ENG FNRCS0025E — ERROR method name: handleLDAPProviderExceptions principal name: P8User123 Global Transaction: false User Transaction: false Exception Info: The server was not able to access the LDAP provider while attempting the operation getSecurityToken for the security principal P8User123. The cause of the error is: [LDAP: error code 32 — 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
‘OU=Security,OU=Groups,DC=Accouting,DC=Finance,DC=Company123,DC=com’
] Message was: LDAP getAttributes operation failed.
com.filenet.api.exception.EngineRuntimeException: FNRCS0025E: SECURITY_LDAP_PROVIDER_FAILED: The server was not able to access the LDAP provider while attempting the operation getSecurityToken for the security principal P8User123. The cause of the error is: [LDAP: error code 32 — 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
‘OU=Security,OU=Groups,DC=Accouting,DC=Finance,DC=Company123,DC=com’
] Message was: LDAP getAttributes operation failed.
Cause
LDAP: error code 32 is a generic error more defined by its data code :
==
LDAP: error code 32 — 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0
==
In this occurrence data code value is «Data ‘0’ = Defined DN (DistinguishedName)does not exist and/or value is not recognized . Error is typically generated during an CPE Authorization search operation issued against the DN of a user object. In this Authorization search operation Content Engine issues a connection to Domain , either via DC(Domain Controller) and /or GC(Global Catalog)searching for the user or group via DN, in which LDAP API does not recognize the value of the DN string.
A nested Active Directory (AD) group that provides the failing users with authorization to CPE content was only searchable from it’s source AD domain/domain controllers. When searched via the Global Catalog, other domain controllers found that group in the «Lost and Found» folder, indicating there may have been a replication issue between AD domain controllers essentially orphaning the group.
Environment
CPE with Microsoft Active Directory
Diagnosing The Problem
To validate the issue/locate the orphaned group, work with your AD/LDAP admin and using an LDAP browsing tool, drill into each nested group within error stack . Ensure resulting Group object DN is in a readable format, not producing an LDAP error 32 from within the LDAP browser tool . Also ensuring each group can be resolved to a DN location (other than the Lost and Found folder). Repeat this for each DC(Domain Controller) and GC(Global Catalog) defined within your CPE DCO(Directory Configuration Object) in Administration Console for Content Engine (ACCE).
Resolving The Problem
To resolve, your AD admin can resolve the replication issue (working with Microsoft as needed) or you can update the DCO in ACCE to only include domain controllers that can resolve all the nested groups correctly.
Note: If the DCO is updated the CPE application servers will need to be restarted for the change to take effect.
Related Information
[{«Product»:{«code»:»SSNVNV»,»label»:»FileNet Content Manager»},»Business Unit»:{«code»:»BU053″,»label»:»Cloud & Data Platform»},»Component»:»Content Engine»,»Platform»:[{«code»:»PF002″,»label»:»AIX»},{«code»:»PF016″,»label»:»Linux»},{«code»:»PF033″,»label»:»Windows»}],»Version»:»5.5.0;5.2.1;5.2.0″,»Edition»:»»,»Line of Business»:{«code»:»LOB45″,»label»:»Automation»}}]
Эта функция доступна в версиях Business Plus, Enterprise, Education Fundamentals, Education Standard, Teaching and Learning Upgrade и Education Plus. Сравнение версий
В случае возникновения неполадок при выполнении запросов LDAP во время и после подключения LDAP-клиента сервис Secure LDAP возвращает коды ошибок. Доступность этих кодов ошибок конечным пользователям через LDAP-клиенты зависит от клиента. Описанные в этой статье коды также заносятся в журналы аудита.
PROTOCOL_ERROR (2)
- Возвращается, если в запросе упоминается неподдерживаемая версия LDAP. Сервис Secure LDAP поддерживает LDAP версии 3.
- Возвращается, если в запросе упоминается неподдерживаемое действие. Google поддерживает следующие действия: Abandon (Отменить), Bind (Привязать), Extended (Расширено) (для StartTLS), Search (Поиск) и Unbind (Отменить привязку). Неподдерживаемые действия: Add (Добавить), Compare (Сравнить), Del (Удалить), Modify (Изменить) и ModifyDn (Изменить уникальное имя).
- Возвращается, если в запросе упоминается неподдерживаемый идентификатор заказа Oid. Действие Extended (Расширено) поддерживается Google только для StartTLS (Oid 1.3.6.1.4.1.1466.20037) через ранее не защищенное подключение.
AUTH_METHOD_NOT_SUPPORTED (7)
- Возвращается, если в запросе Bind упоминается неподдерживаемый метод аутентификации. Google поддерживает методы SIMPLE, SASL PLAIN, and SASL EXTERNAL.
ADMIN_LIMIT_EXCEEDED (11)
- Возвращается при превышении квоты LDAP.о
CONFIDENTIALITY_REQUIRED (13)
- Возвращается, если запрос SASL Bind отправляется через незащищенное подключение.
- Возвращается, если действие Search запрашивает данные, не относящиеся к атрибутам сервера, и выполняется через незащищенное подключение.
NO_SUCH_OBJECT (32)
- Возвращается при поиске несуществующего объекта (например, неизвестного пользователя, группы или организационного подразделения).
- Возвращается при поиске идентификатора пользователя, которого нет в каталоге.
INVALID_DN_SYNTAX (34)
- Возвращается, если уникальное имя некорректно и не поддается анализу JNDI. Подробную информацию можно найти на странице javax.naming.ldap.LdapName (только на английском языке).
- Возвращается, если уникальное имя содержит атрибут со значением, не являющимся строковым. Поддерживаются только строковые значения. Подробную информацию можно найти на странице javax.naming.directory.Attribute (только на английском языке).
INAPPROPRIATE_AUTHENTICATION (48)
- Возвращается, если в запросе Bind указан некорректный сертификат клиента или сертификат с истекшим сроком действия.
- Возвращается, если в запросе SASL PLAIN Bind не указаны или указаны некорректные учетные данные.
INSUFFICIENT_ACCESS_RIGHTS (50)
- Возвращается, если сервис Secure LDAP отключен для LDAP-клиента.
- Возвращается, если у клиента нет лицензии на использование сервиса Secure LDAP.
- Возвращается, если в запросе Bind указан пользователь, у которого нет лицензии на использование сервиса Secure LDAP.
- Возвращается, если в запросе Bind указан отключенный пользователь.
- Возвращается, если в последующем запросе Bind (rebind) указан пользователь, не принадлежащий к организационному подразделению, для которого включена аутентификация в конфигурации Secure LDAP.
- Возвращается, если в запросе SIMPLE Bind не указаны учетные данные (без аутентификации).
UNWILLING_TO_PERFORM (53)
- Возвращается, если в запросе SIMPLE Bind не указаны учетные данные (без аутентификации).
OTHER (80)
- Эта ошибка возвращается при получении неожиданного результата по причине ошибки в коде. Если она у вас возникла, обратитесь в службу поддержки Google Workspace или службу поддержки Cloud Identity Premium.
CANCELED (118)
- Возвращается, если запрос Abandon прервал текущую операцию LDAP.
Эта информация оказалась полезной?
Как можно улучшить эту статью?
Содержание
- LDAP: error code 32 — No Such Object
- Answers
- Ldap error no such object code 32
- Answered by:
- Question
- LDAP: error code 32 — No Such Object] message Error While Using LDAP Server Against Oracle Directory Server Enterprise Edition. (Doc ID 1642594.1)
- Applies to:
- Symptoms
- Changes
- Cause
- To view full details, sign in with your My Oracle Support account.
- Don’t have a My Oracle Support account? Click to get started!
- Ldap error no such object code 32
- Вопрос
- Ldap error no such object code 32
- Answered by:
- Question
LDAP: error code 32 — No Such Object
Please help with SQL developer database connection using connection type LDAP. I get above error message .
The database is 11gR2
I created an Advanced Connection Type with a Custom JDBC URL similar to the following that I found on google( jdbc:oracle:thin:@ldap 
jdbc:oracle:thin:@ldap 
This is the entry of my LDAP.ora
I will be grateful for your assistance
Answers
Hello, have you tried the «LDAP» connection type available from the drop down, rather than that custom JDBC «url» ?
SInce you have an LDAP.ORA file and presumably an OCI (or instant) client working, can you connect via LDAP using slq*plus ?
I have tried that, when I chose LDAP connection, it correctly loads the LDAP server but the next two options; Context and DB Service is protected and when I clicked the load drop down on the DB service, it is blank.
I don’t know if it is to do with my Oracle home because I have 2 oracle homes and Toad picks up my Oracle home 2 without any problems using LDAP. I don’t know where to change my Oracle Home to point to Oracle Home 2 in SQL developer options may be it will work.
You did not say whether you can connect from sql*plus. That would establish if your LDAP.ORA file is correct.
If you have a full client (i/o instant) then «tnsping» would tell you if the db name is resolved via TNSNAMES or via LDAP (sql+ does not)
I am far from an LDAP expert, but i would check the DEFAULT_ADMIN_CONTEXT parameter in your LDAP.ORA file
i believe this is parsed by sqldeveloper and then used to populate that drop-down.
I have no problems connecting from sql* plus and I have no problems connecting SQL Developer using basic connection with correct hostname, SID and port. The DEFAULT_ADMIN_CONTEXT parameter in myLDAP.ORA file is as posted above and it works fine with TOAD on the same PC.
Ah sorry i missed that from your original post.You can use the forum search functionality for similar questions, but i seem to recall only OID is officially supported. One last idea: did you point sqldeveloper at the actual location of your OCI client ? If you have a non-empty TNSNAMES.ORA, are its entries proposed when creating a basic connection (if yes i suppose sqldeveloper is correctly parsing it, so why wouldn’it read LDAP.ORA similarly and populate the drop-down ?)
IIRC toad is always relying on an OCI client, so you can try forcing sqldeveloper to do the same — check the preferences under database/advanced
I suggest that you use ‘google’ to find and download the Oracle documentation. The docs should ALWAYS be the FIRST place you look for information about an Oracle product.
Try connecting ‘similar to that’ shown in the Oracle documentation.
The LDAP section shows how to connect properly. Then if you have a problem with one of those steps SHOW US:
2. HOW you do it
3. WHAT results you get
Thanks for the link rp0428 but I have not been able to resolve it.
These are the entries on my ldap.ora
These are what I did
1. Chose LDAP database connection and it loads the LDAP server «ldap-srv.tomri.ac.uk:389» Both Conbtext and DB service options were blank
and when I click the drop down list on the load DB Service, it was blank.
2. I followed the suggestion to enter the directory server location and port (either SSL or non-SSL), for example: system123.example.com:389:636 (ldap- system:nonssl-port:ssl-port) as «ldap-srv.tomri.ac.uk:389:1555 , but i get LDAP: error code 32 — No Such Object
3. I tried the last option of using OCI/Thick preference under Database: Advanced
a. I populated the «use oracle client» as C:appldproduct11.2.0client_2networkadmin
b. tnsnames directory as C:appldproduct11.2.0client_2networkadmin
BUT i get error message «C:Usersldjdbclib is not a valid jar file»
Please I haven’t used this connection method before but I found out when there is a change of database server you don’t have to reconfigure your connection using LDAP in TOAD and this is the main reason I would like to use LDAP.
Источник
Ldap error no such object code 32
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Answered by:
Question
I am trying to authenticate a user again AD LDS using the Spring framework and Spring Security 3.0. I keep getting the following error and hopefully someone from here can explain if (and where) the problem lies with my AD LDS config.
[LDAP: error code 32 — 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: ‘CN=Users,DC=Domain,DC=local’ ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 — 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: ‘CN=Users,DC=Domain,DC=local’ ]; remaining name ‘cn=Mo Logan,cn=Users,dc=Domain,dc=local’
Can anyone explain what the best match of and remaining name bits mean — this is really confusing me? Is this type of search case sensitive? And would problems like time differences between the server and client make a difference?
From what I have read online error code 32 means that object cant be found — very helpful I’m sure you’ll agree. I am searching by uid (no SAMAccountName in LDS) and when i search by the same criteria using ldap.exe on the server I can find the user correctly e.g:
I am binding to AD LDS as an administrator account which belongs to the reader group under roles. This user sits at the same level as the username I am trying to verify.
As you can probably tell I am flat out of ideas as to why I am getting this error and hopefully someone will be able to help me out or point me in the right direction,
Источник
LDAP: error code 32 — No Such Object] message Error While Using LDAP Server Against Oracle Directory Server Enterprise Edition. (Doc ID 1642594.1)
Last updated on NOVEMBER 03, 2021
Applies to:
Symptoms
Environment
—————-
Sql Developer 4.x
Oracle Internet Directory schema to the Oracle Directory Server Enterprise Edition (in the User99.ldif)
Oracle Directory Server Enterprise Edition 11g
Entry in OID
————————-
cn=OracleContext (orclcontext class) entry
To define each of the TNS entries (orclNetService class).
В
SQL Developer doesn’t use the DEFAULT_ADMIN_CONTEXT parameter in the ldap.ora file.
Then it searches for an Oracle Context.
Error
————-
[LDAP: error code 32 — No Such Object] message
and the Context combo box stays empty..
Changes
Cause
To view full details, sign in with your My Oracle Support account.
Don’t have a My Oracle Support account? Click to get started!
In this Document
My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.
Oracle offers a comprehensive and fully integrated stack of cloud applications and platform services. For more information about Oracle (NYSE:ORCL), visit oracle.com. пїЅ Oracle | Contact and Chat | Support | Communities | Connect with us | 


Источник
Ldap error no such object code 32
Вопрос
I am new to ad lds and ldap. I created an instance of ad lds using port 50000 (for non-ssl) and created a user with adsi edit as follows:
DN is CN=UserInsideOU,OU=OUNumber1,O=Microsoft,C=US
I can get on a second server and use ldp.exe 3.0 to do a simple bind successfully. I can also see this in wireshark, although oddly the bindrequest has a blank after C=US.
Then it does a searchrequest on baseObject which is successful. I do not know what the searchRequest is doing or what ROOT is.
Now I am debugging a java service that is supposed to authenticate in the same way as ldp.
the wireshark capture on this java service attempt has the following differences:
1. there is no blank after c=us in the bind request, but the bind is successful
2. the search request is » OU=OUNumber1,O=Microsoft,C=US» without the blank followed by wholeSubTree, but the working (LDP) traffic says searchRequest » » baseObject
3. the search above for wholeSubTree fails. nosuchObject DSID-031522c9, Problem 2001 best match of ‘o=Microsoft,C=US’
4. Is the information in the search request case sensitive?
5. Why is there a search immediately after the simple bind?
6. Is it possible that I need specific properties set on the user of ou objects that I created by hand in AdsiEdit that must be populated with certain values?
Any answers or explanation as to why there is a search after the bind or the other steps would be greatly appreciated.
Источник
Ldap error no such object code 32
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Answered by:
Question
I am new to ad lds and ldap. I created an instance of ad lds using port 50000 (for non-ssl) and created a user with adsi edit as follows:
DN is CN=UserInsideOU,OU=OUNumber1,O=Microsoft,C=US
I can get on a second server and use ldp.exe 3.0 to do a simple bind successfully. I can also see this in wireshark, although oddly the bindrequest has a blank after C=US.
Then it does a searchrequest on baseObject which is successful. I do not know what the searchRequest is doing or what ROOT is.
Now I am debugging a java service that is supposed to authenticate in the same way as ldp.
the wireshark capture on this java service attempt has the following differences:
1. there is no blank after c=us in the bind request, but the bind is successful
2. the search request is » OU=OUNumber1,O=Microsoft,C=US» without the blank followed by wholeSubTree, but the working (LDP) traffic says searchRequest » » baseObject
3. the search above for wholeSubTree fails. nosuchObject DSID-031522c9, Problem 2001 best match of ‘o=Microsoft,C=US’
4. Is the information in the search request case sensitive?
5. Why is there a search immediately after the simple bind?
6. Is it possible that I need specific properties set on the user of ou objects that I created by hand in AdsiEdit that must be populated with certain values?
Any answers or explanation as to why there is a search after the bind or the other steps would be greatly appreciated.
Источник
Hi Folks,
I am trying to authenticate a user again AD LDS using the Spring framework and Spring Security 3.0. I keep getting the following error and hopefully someone from here can explain if (and where) the problem lies with my AD LDS config.
[LDAP: error code 32 — 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: ‘CN=Users,DC=Domain,DC=local’ ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 — 0000208D: NameErr: DSID-0315258B, problem
2001 (NO_OBJECT), data 0, best match of: ‘CN=Users,DC=Domain,DC=local’ ];
remaining name ‘cn=Mo Logan,cn=Users,dc=Domain,dc=local’
Can anyone explain what the best match of and remaining name bits mean — this is really confusing me? Is this type of search case sensitive? And would problems like time differences between the server and client make a difference?
From what I have read online error code 32 means that object cant be found — very helpful I’m sure you’ll agree. I am searching by uid (no SAMAccountName in LDS) and when i search by the same criteria using ldap.exe on the server I can find the user correctly
e.g:
ldap_search_s(ld, "CN=Users,DC=JLP,DC=local", 2, "(uid=mologan)", attrList, 0, &msg)
***Searching...
ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList, 0, &msg)
Getting 1 entries:
Dn: CN=Mo Logan,CN=Users,DC=Domain,DC=local
badPasswordTime: 9/20/2011 1:19:51 PM GMT Standard Time;
badPwdCount: 0;
cn: Mo Logan;
distinguishedName: CN=Mo Logan,CN=Users,DC=Domain,DC=local;
dSCorePropagationData: 0x0 = ( );
instanceType: 0x4 = ( WRITE );
lastLogonTimestamp: 9/20/2011 9:10:32 AM GMT Standard Time;
lockoutTime: 0;
memberOf (2): CN=DMSUsers,CN=Users,DC=Domain,DC=local; CN=Users,CN=Roles,CN=Users,DC=Domain,DC=local;
msDS-UserAccountDisabled: FALSE;
name: Mo Logan;
objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={BD500A33-CE7C-492F-9007-BF1B17F972EE};
objectClass (4): top; person; organizationalPerson; user;
objectGUID: 40f74ed4-6cf3-495e-a28c-6aa080a0333b;
objectSid: S-1-514506224-2209559093-2723712157-1234827279-3369888698-2052446679;
pwdLastSet: 9/20/2011 8:19:06 AM GMT Standard Time;
uid: mologan;
uSNChanged: 13994;
uSNCreated: 13985;
whenChanged: 9/20/2011 9:10:32 AM GMT Standard Time;
whenCreated: 9/20/2011 8:16:54 AM GMT Standard Time;
I am binding to AD LDS as an administrator account which belongs to the reader group under roles. This user sits at the same level as the username I am trying to verify.
As you can probably tell I am flat out of ideas as to why I am getting this error and hopefully someone will be able to help me out or point me in the right direction,
Cheers & thanks in advance,
Mo

