A "LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT)" Message Appears in Symantec Endpoint Protection Manager's System Logs: Server Activity

Article:TECH90835  |  Created: 2008-01-12  |  Updated: 2010-01-17  |  Article URL http://www.symantec.com/docs/TECH90835
Article Type
Technical Solution


Issue



In the SEPM console, an administrator opens the Monitors tab, goes to Logs, selects the System log type and the Server Activity log content, and notices a "Severe" event that begins "LDAP: error code 32...." What does this mean?

Symptoms
In addition to the listing in the GUI, the error message also appears when the log is exported. The following entry is from an exported system_report.txt:


11/12/2008 09:20:49,1000,An unexpected exception has occurred,[LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domainname,DC=com',,,javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domainname,DC=com',servername,My Site

When SEPM debugging is enabled, a few additional details can be seen in the ADSITask-0.log:

2008-11-12 06:20:49.875 FINE: LdapUtils>> search: Met a Referral in result.hasMore. Then ignore it! baseDN=[DC=domainname,DC=com]
2008-11-12 06:20:49.875 WARNING: LdapUtils>> search: Exception...
2008-11-12 06:20:49.875 WARNING: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domainname,DC=com'
]; remaining name 'OU=DeletedOUname,DC=domainname,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1808)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
at com.sygate.scm.server.util.ldap.LdapUtils.search(LdapUtils.java:889)
at com.sygate.scm.server.util.ldap.LdapUtils.searchAllUsersComputerOUs(LdapUtils.java:839)
at com.sygate.scm.server.util.ldap.LdapManager.doSearchAll(LdapManager.java:266)
at com.sygate.scm.server.util.NativeCall.retrieveOrganization(NativeCall.java:114)
at com.sygate.scm.server.util.NativeCall.getOrganization(NativeCall.java:265)
at com.sygate.scm.server.task.ADSITask.syncAdTreeGroup(ADSITask.java:730)
at com.sygate.scm.server.task.ADSITask.checkEachDomain(ADSITask.java:660)
at com.sygate.scm.server.task.ADSITask.checkDomains(ADSITask.java:573)
at com.sygate.scm.server.task.ADSITask.checkADSI(ADSITask.java:319)
at com.sygate.scm.server.task.ADSITask.run(ADSITask.java:217)
at java.util.TimerThread.mainLoop(Timer.java:512)
at java.util.TimerThread.run(Timer.java:462)


Cause



The error message is not a Symantec Endpoint Protection error but an industry-standard LDAP error, and it correctly reports that a specific object is missing. The error occurs when an Active Directory (or other LDAP directory) Organizational Unit (OU) was imported into the SEPM and was later deleted from Active Directory / LDAP. The SEPM does not know that this OU no longer exists when it periodically attempts to synchronize with the directory, and so it reports an error in its logs.

The name of the deleted OU can be seen in the debug ADSITask-0.log:

2008-11-12 06:20:49.875 WARNING: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domainname,DC=com'
]; remaining name 'OU=DeletedOUname,DC=domainname,DC=com' <-------------------------- name of the deleted OU appears here
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)

Comparing the OUs listed in SEPM with those shown in the Active Directory Users and Computers console will confirm that there is a difference. Deleting an OU from Active Directory does not automatically delete the OU from SEPM.

Solution



Manually re-synchronize SEPM with Active Directory/LDAP in order to prevent the message from recurring. Instructions can be found in the Administration Guide for Symantec™ Endpoint Protection and Symantec Network Access Control.



Technical Information
Entries similar to the following may also appear in ADSITask-0.log:


2010-06-16 17:06:02.484 WARNING: NativeCall>> testLdapServerConnection: error code=33
2010-06-16 17:06:02.484 WARNING: NativeCall>> testLdapServerConnection: error msg=LDAP Query For All Failed [path=LDAP://10.10.10.10:389, baseDn=OU=DeletedOUname,DC=domainname,DC=com, filter=]
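
The lookup described under Cause and the entries shown under Technical Information can be combined into one pass over ADSITask-0.log. The following is an added example, not Symantec code: the function names are hypothetical, the sample log is constructed from the excerpts in this article, and it assumes the debug log keeps the line layout shown above.

```python
import re

# Constructed sample, modelled on the ADSITask-0.log excerpts in this article.
SAMPLE_LOG = """\
2008-11-12 06:20:49.875 FINE: LdapUtils>> search: Met a Referral in result.hasMore. Then ignore it! baseDN=[DC=domainname,DC=com]
2008-11-12 06:20:49.875 WARNING: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domainname,DC=com'
]; remaining name 'OU=DeletedOUname,DC=domainname,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)
2010-06-16 17:06:02.484 WARNING: NativeCall>> testLdapServerConnection: error code=33
2010-06-16 17:06:02.484 WARNING: NativeCall>> testLdapServerConnection: error msg=LDAP Query For All Failed [path=LDAP://10.10.10.10:389, baseDn=OU=DeletedOUname,DC=domainname,DC=com, filter=]
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ")
ERR32 = re.compile(r"NameNotFoundException: \[LDAP: error code 32\b")
REMAINING = re.compile(r"remaining name '([^']+)'")
QUERY_FAIL = re.compile(r"LDAP Query For All Failed \[path=[^,]+, baseDn=(.+), filter=")

def iter_records(text):
    """Yield (timestamp, lines); lines without a timestamp continue the previous record."""
    current = None
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            if current:
                yield current
            current = (m.group(1), [line])
        elif current:
            current[1].append(line)
    if current:
        yield current

def find_missing_ous(text):
    """Map each base DN the directory rejected to its count and first/last timestamp."""
    hits = {}
    for ts, lines in iter_records(text):
        body = "\n".join(lines)
        # Error 32 records carry the DN in "remaining name"; query failures in "baseDn=".
        m = REMAINING.search(body) if ERR32.search(body) else QUERY_FAIL.search(body)
        if not m:
            continue
        entry = hits.setdefault(m.group(1), {"count": 0, "first_seen": ts, "last_seen": ts})
        entry["count"] += 1
        entry["last_seen"] = ts
    return hits

if __name__ == "__main__":
    print(find_missing_ous(SAMPLE_LOG))
```

Each DN returned is a candidate to compare against Active Directory Users and Computers before re-synchronizing.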




Legacy ID



2008111216553148

