SSPR 5016 ERROR_CANT_MATCH_USER

  • 7018363
  • 06-Dec-2016
  • 06-Dec-2016

Environment

NetIQ Self Service Password Reset (SSPR)
Active Directory (AD)
LDAP/LDAPS

Situation

  • ERROR, auth.SessionAuthenticator, {129} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=xx, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: mydomain.com:636, cause:java.net.SocketException: Connection reset) [xx.xx.xx.xx]
  • Intermittently unable to log in to SSPR

Resolution

Ensure that all AD Domain Controllers are configured to use LDAP and are accessible to SSPR.

Cause

AD uses referrals, so when SSPR performs a search a list of LDAP servers is returned and SSPR will then attempt to use one or more of those servers. If a server it tries to access does not have LDAP configured, has an invalid certificate, or is otherwise inaccessible, a 5016 ERROR_CANT_MATCH_USER error is returned.

Additional Information

A network trace (e.g. Wireshark, tcpdump) shows that the DNS server answers a query such as

standard DNS query myserver.mydomain.com

with multiple servers.

DNS requests of the form

standard DNS query ForestDnsZones.mydomain.com
standard DNS query DomainDnsZones.mydomain.com

are also made, and the servers listed in the responses to these requests must also be accessible.
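As an added diagnostic (not part of this article or of SSPR itself), the script below resolves every address behind the domain name, as the DNS trace above shows, and attempts a certificate-verified LDAPS handshake to each, so that a DC without LDAPS, with a bad certificate, or one that resets the connection is found before SSPR is referred to it. It assumes the host's trust store contains the AD CA certificate and that reverse DNS for each DC is correct; mydomain.com is a placeholder.

```python
"""Check that every server AD can refer SSPR to answers LDAPS with a valid certificate."""
import socket
import ssl

LDAPS_PORT = 636


def dc_addresses(domain: str) -> list[str]:
    """All A-record addresses for the domain name; AD registers every DC here,
    which is why a DNS query for the domain comes back with multiple servers."""
    try:
        infos = socket.getaddrinfo(domain, LDAPS_PORT, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def ldaps_check(addr: str, timeout: float = 5.0) -> tuple[bool, str]:
    """TLS-connect to addr:636 and verify the chain and the DC's name.
    The name comes from reverse DNS (assumed correct), since that is what the
    DC certificate carries; a missing PTR is reported as a finding."""
    try:
        fqdn = socket.gethostbyaddr(addr)[0]
    except socket.herror:
        return False, "no reverse DNS; cannot verify certificate name"
    ctx = ssl.create_default_context()  # trust store must hold the AD CA
    try:
        with socket.create_connection((addr, LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                return True, f"{fqdn}: {tls.version()} handshake ok"
    except ssl.SSLCertVerificationError as e:
        return False, f"{fqdn}: certificate rejected ({e.verify_message})"
    except (OSError, ssl.SSLError) as e:  # refused, reset, timeout, no LDAPS
        return False, f"{fqdn}: unreachable ({e})"


def audit(domain: str, resolver=dc_addresses, checker=ldaps_check) -> dict:
    """Run the LDAPS check against every address the domain name resolves to."""
    return {addr: checker(addr) for addr in resolver(domain)}


def failing(results: dict) -> list[str]:
    """Addresses that would yield 5016 ERROR_CANT_MATCH_USER once a referral lands on them."""
    return sorted(addr for addr, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    import sys
    for addr, (ok, detail) in audit(sys.argv[1] if len(sys.argv) > 1 else "mydomain.com").items():
        print("OK  " if ok else "FAIL", addr, detail)
```

Run it on the SSPR host with the AD domain as the argument; any FAIL line names a DC to fix or to remove from DNS.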

Turning off referrals in SSPR [Configuration Editor -> LDAP -> LDAP Settings -> Global -> Follow LDAP Referrals] may work if AD is set up so that referrals are not needed (all objects and OUs are available on one server); if that is not the case, AD may instead return a Not Found error.

Currently [December 2016] manually editing /etc/hosts will not work as this file is ignored by SSPR.  This has been reported to Engineering.