Fixed

One Identity error connecting to LDAP gateway

When attempting to connect to the LDAP gateway from One Identity's LDAP connector, One Identity is throwing an error regarding it:


2018-07-13 00:50:51.1156 FATAL UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Error parsing condition.
syntax error!
Value "" was found, but one of the following values expected.

Unfortunately it's not a very helpful error.


The full logs of what One Identity is doing are as follows:


2018-07-13 00:50:46.7972 TRACE UFY-1IM-WEB01\UFYAdmin (SqlLog ) : -- Connection 1 switched from Working to Available 
2018-07-13 00:50:50.8968 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Simple LdapSearch BaseDN: '', SearchScope: 'Base', Filter: '(objectclass=*)', RequestAttributes: 'subschemaSubentry' 
2018-07-13 00:50:50.9594 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : LdapSearchResult code: 'Success' entries: '1' 
2018-07-13 00:50:50.9594 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Schema DN is 'cn=schema' 
2018-07-13 00:50:50.9594 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Simple LdapSearch BaseDN: 'cn=schema', SearchScope: 'Base', Filter: '(objectclass=*)', RequestAttributes: 'ldapSyntaxes,attributeTypes,matchingRules,matchingRuleUse,objectClasses' 
2018-07-13 00:50:51.0062 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Got 16 elements of type 'ldapsyntaxes' 
2018-07-13 00:50:51.0843 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Got 34 elements of type 'matchingrules' 
2018-07-13 00:50:51.1156 FATAL UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Error parsing condition.
syntax error!
Value "" was found, but one of the following values expected.


In the logs, we can see that it's requesting certain attributes from Broker:

'ldapSyntaxes,attributeTypes,matchingRules,matchingRuleUse,objectClasses'

And this can also be seen from a Wireshark trace:

[Image 4875: Wireshark trace of the search request]


But when Broker responds, we're only sending back 4 attributes:


[Image 4876: Wireshark trace of the Broker response]


I'm unsure if that's the cause of the issue, as One Identity doesn't provide any more information regarding the connection. But it's the only discrepancy that I can see.


The pcap file is also attached for reference.

Output.pcap


Under review

Hi Matt, from an initial investigation, in addition to matchingRuleUse not being provided, it seems the contents of the matchingRules attribute may not match the LDAP spec.


As you say, it may not be the cause of the issue, but I've added a backlog item to investigate further.

Answer

Here's a patch which corrects the format of the matchingRule attribute. There were a few missing parameters, one of which was required, so I'm hoping this is the fix.

Unify.IdentityBroker.LDAP.dll

Thanks Beau, that patch has resolved the issue. The 1IM LDAP Connector is accepting the schema.
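As an added example that is not part of the original thread and is not UNIFY's Identity Broker or One Identity's connector code, here is a Python check that does what the 1IM connector evidently does with the subschema response before the parse failed: it confirms that all five requested operational attributes came back, and it parses every matchingRules value against the RFC 4512 MatchingRuleDescription grammar, in which the numericoid and SYNTAX are mandatory. The subschema entry below is constructed for the example (one matchingRuleUse missing, one rule without SYNTAX, one value that is not a description at all); it is not the Broker response from the attached pcap. The parser is deliberately a little laxer than the RFC in that it accepts NAME, DESC, OBSOLETE and SYNTAX in any order, since real servers are not consistent about ordering.

```python
"""Validate an LDAP subschema entry the way a strict client would.

Added example; not code from the original post, UNIFY or One Identity.
Two checks taken from the thread:
  1. every attribute the client requested is present in the response
  2. each matchingRules value is a well-formed RFC 4512 MatchingRuleDescription
"""
import re

# The attribute list the 1IM connector requested in the trace log.
REQUESTED_ATTRS = (
    "ldapSyntaxes",
    "attributeTypes",
    "matchingRules",
    "matchingRuleUse",
    "objectClasses",
)

_NUMERICOID = re.compile(r"^\d+(\.\d+)+$")  # e.g. 2.5.13.2
# Tokens: quoted string, parenthesis, '$' separator, or a bare word.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()'$]+")


def _unquote(tok):
    if len(tok) < 2 or tok[0] != "'" or tok[-1] != "'":
        raise ValueError("expected quoted string, got %r" % tok)
    return tok[1:-1]


def _read_qdstrings(tokens, i):
    """Read one quoted string or a ( 'a' 'b' ) group; return (values, next_i)."""
    if i >= len(tokens):
        raise ValueError("value expected after keyword")
    if tokens[i] == "(":
        vals = []
        i += 1
        while i < len(tokens) and tokens[i] != ")":
            vals.append(_unquote(tokens[i]))
            i += 1
        if i >= len(tokens):
            raise ValueError("unterminated quoted-string group")
        return vals, i + 1
    return [_unquote(tokens[i])], i + 1


def parse_matching_rule(desc):
    """Parse one matchingRules value per RFC 4512 section 4.1.3.

    Grammar (whitespace simplified):
      ( numericoid [NAME qdescrs] [DESC qdstring] [OBSOLETE]
        SYNTAX numericoid extensions )
    Returns a dict, or raises ValueError naming the first defect found.
    """
    s = desc.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("not enclosed in parentheses: %r" % desc)
    tokens = _TOKEN.findall(s[1:-1])
    if not tokens or not _NUMERICOID.match(tokens[0]):
        raise ValueError("missing or invalid numericoid in %r" % desc)
    rule = {"oid": tokens[0], "names": [], "desc": None,
            "obsolete": False, "syntax": None, "extensions": {}}
    i = 1
    while i < len(tokens):
        kw = tokens[i]
        i += 1
        if kw == "NAME":
            rule["names"], i = _read_qdstrings(tokens, i)
        elif kw == "DESC":
            vals, i = _read_qdstrings(tokens, i)
            rule["desc"] = vals[0]
        elif kw == "OBSOLETE":
            rule["obsolete"] = True
        elif kw == "SYNTAX":
            if i >= len(tokens) or not _NUMERICOID.match(tokens[i]):
                raise ValueError("SYNTAX needs a numericoid in %r" % desc)
            rule["syntax"] = tokens[i]
            i += 1
        elif kw.startswith("X-"):  # extensions, e.g. X-ORIGIN 'RFC 4517'
            rule["extensions"][kw], i = _read_qdstrings(tokens, i)
        else:
            raise ValueError("unexpected token %r in %r" % (kw, desc))
    if rule["syntax"] is None:  # the mandatory element a server most often drops
        raise ValueError("SYNTAX is mandatory but absent in %r" % desc)
    return rule


def validate_subschema(entry):
    """entry: dict of attribute name -> list of values, as a search returns it.

    Returns a list of problems; an empty list means a strict client should
    accept the schema.
    """
    problems = []
    present = {k.lower(): v for k, v in entry.items()}
    for attr in REQUESTED_ATTRS:
        if attr.lower() not in present:
            problems.append("requested attribute %s not returned" % attr)
    for val in present.get("matchingrules", []):
        try:
            parse_matching_rule(val)
        except ValueError as exc:
            problems.append("matchingRules: %s" % exc)
    return problems


# Constructed sample response (not the real Broker response from the pcap):
# matchingRuleUse is absent and two matchingRules values are malformed.
SAMPLE_SUBSCHEMA = {
    "ldapSyntaxes": ["( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )"],
    "attributeTypes": ["( 2.5.4.3 NAME 'cn' SUP name )"],
    "matchingRules": [
        "( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
        "( 2.5.13.0 NAME 'objectIdentifierMatch' )",  # SYNTAX missing
        "caseExactMatch",                              # not a description
    ],
    "objectClasses": ["( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )"],
}

if __name__ == "__main__":
    for problem in validate_subschema(SAMPLE_SUBSCHEMA):
        print("PROBLEM:", problem)
```

Feeding the real entry into `validate_subschema` is a matter of running the same base-scope search the log shows (`cn=schema`, filter `(objectclass=*)`, the five attributes) with any LDAP client and converting the result to a dict; the problems list then tells you whether the fault is a missing attribute or a malformed description, which is more than the connector's "syntax error!" does.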