• 7018363
  • 06-Dec-2016
  • 06-Dec-2016


NetIQ Self Service Password Reset (SSPR)
Active Directory (AD)


  • ERROR, auth.SessionAuthenticator, {129} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=xx, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException:, Connection reset) [xx.xx.xx.xx]
  • Intermittently unable to log in to SSPR


Ensure that every AD Domain Controller is configured for LDAP (with a valid certificate if LDAPS is used) and is reachable from the SSPR server.


AD uses referrals: when SSPR performs a search, AD returns a list of LDAP servers and SSPR then attempts to contact one or more of them. If a server it tries does not have LDAP configured, presents an invalid certificate, or is otherwise unreachable, SSPR returns the 5016 ERROR_CANT_MATCH_USER error.
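The check below is an added example, not code from the KB article or from SSPR itself. It takes the referral URLs that AD hands back (collected from the trace or from an LDAP client), parses each one, and probes the DC over TCP, and for ldaps also completes a verified TLS handshake, so an unreachable DC or a bad certificate is found before SSPR hits it. Host names such as dc1.example.com are constructed placeholders.

```python
"""Probe every Domain Controller that AD may return in an LDAP referral.
Added example for the SSPR 5016 ERROR_CANT_MATCH_USER article; not product code."""
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_referral(url):
    """Return (scheme, host, port) for a referral URL such as
    ldap://dc1.example.com/DC=example,DC=com (constructed placeholder)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP referral: {url!r}")
    if not parts.hostname:
        raise ValueError(f"referral has no host: {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def probe(scheme, host, port, timeout=5.0):
    """Connect to the DC; for ldaps also finish a TLS handshake with
    certificate verification, since an invalid DC certificate is one of the
    failure modes described above.  Returns None on success, else the error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if scheme == "ldaps":
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass  # handshake completed and certificate verified
    except (OSError, ssl.SSLError) as exc:
        return str(exc)
    return None


def find_unreachable(referrals, probe_fn=probe):
    """Return {referral_url: error} for every DC that fails the probe.
    probe_fn is injectable so the logic can be exercised without a network."""
    failures = {}
    for url in referrals:
        scheme, host, port = parse_referral(url)
        err = probe_fn(scheme, host, port)
        if err is not None:
            failures[url] = err
    return failures


if __name__ == "__main__":
    import sys
    # Usage: python check_dcs.py ldap://dc1.example.com/DC=example,DC=com ...
    for url, err in find_unreachable(sys.argv[1:]).items():
        print(f"UNREACHABLE {url}: {err}")
```

Any URL reported as UNREACHABLE names a DC that SSPR cannot follow a referral to; fix that DC or its certificate, or stop AD from returning it, rather than only the DC SSPR is configured against.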

Additional Information

A network trace (e.g. Wireshark, tcpdump) shows that the server responds to a query such as

standard DNS query

with multiple servers.

DNS requests of the form

standard DNS query
standard DNS query

and the servers listed in the responses to these requests will also need to be accessible.

Turning off referrals in SSPR [Configuration Editor -> LDAP -> LDAP Settings -> Global -> Follow LDAP Referrals] may work if AD itself does not need them (all objects and OUs are available on a single server), but if that is not the case AD may return a Not Found error instead.

Currently [December 2016], manually editing /etc/hosts does not work as a workaround because SSPR ignores this file. This has been reported to Engineering.