AD aggregation error - [LDAP: error code 12 - 00000057: LdapErr: DSID-0C090831
Symptoms
During an aggregation using the Active Directory connector, the following error is returned:
LDAP: error code 12 - 00000057: LdapErr: DSID-0C090831, comment: Error processing control, data 0, v2580
The event log on the Windows host will show the Internal Event:
"The LDAP server has exceeded the limit of the LDAP Maximum Result Set Size."
Solution
This error results from the configuration of the Active Directory domain controller: its MaxResultSetSize limit is too low. The administrator of the server must increase the maximum result set size. The standard guidance is to increase the limit from the default of 262 KB to 250 MB or greater, provided the server has sufficient memory to handle these requests.
Refer to the Microsoft documentation for additional context and guidance.
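The following is an added example, not part of the original article and not SailPoint or Microsoft code. It reads the current MaxResultSetSize from the lDAPAdminLimits attribute of the Default Query Policy and, only when run with -Apply, raises it to 250 MB. It assumes the ActiveDirectory PowerShell module, an account allowed to modify the policy object, and that the Default Query Policy is the one in effect; the function name is hypothetical.

```powershell
# Added example: inspect and optionally raise the LDAP MaxResultSetSize policy.
# Assumption: the Default Query Policy applies to the domain controller in question.
Import-Module ActiveDirectory

function Set-LdapMaxResultSetSize {    # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [long]$TargetBytes = 250MB,    # 262144000 bytes, the figure from the guidance above
        [switch]$Apply                 # without this switch the function only reports
    )

    # The query policy lives in the Configuration naming context of the forest.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
                "CN=Windows NT,CN=Services,$configNc"

    # lDAPAdminLimits is multi-valued; each value has the form "Name=Value".
    $policy       = Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits
    $currentEntry = $policy.lDAPAdminLimits |
                    Where-Object { $_ -like 'MaxResultSetSize=*' } |
                    Select-Object -First 1
    $currentBytes = $null
    if ($currentEntry) {
        $rawValue     = ($currentEntry -split '=', 2)[1]
        $currentBytes = [long]$rawValue
        Write-Output "Current MaxResultSetSize: $currentBytes bytes"
    } else {
        Write-Output "MaxResultSetSize is not listed in the policy (server default applies)."
    }

    if (($null -ne $currentBytes) -and ($currentBytes -ge $TargetBytes)) {
        Write-Output "Already at or above $TargetBytes bytes; nothing to change."
        return
    }
    if (-not $Apply) {
        Write-Output "Report only. Re-run with -Apply to set MaxResultSetSize=$TargetBytes."
        return
    }

    # Swap the old value for the new one in a single modify operation.
    $newEntry = "MaxResultSetSize=$TargetBytes"
    $change   = @{ Identity = $policyDn; Add = @{ lDAPAdminLimits = $newEntry } }
    if ($currentEntry) { $change.Remove = @{ lDAPAdminLimits = $currentEntry } }
    if ($PSCmdlet.ShouldProcess($policyDn, "Set $newEntry")) {
        Set-ADObject @change
        Write-Output "MaxResultSetSize set to $TargetBytes bytes."
    }
}
```

Because the policy object is stored in the Configuration partition, a change replicates to every domain controller that uses the Default Query Policy, so confirm memory headroom on all of them; adding -WhatIf alongside -Apply previews the modification without writing it.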
Where is this error seen on the IDN side? I am troubleshooting an issue where at least 1 AD account doesn't appear to be aggregating into IDN. The account doesn't show in either the account list or the uncorrelated report for that AD source. As a result, when IDN is trying to create the AD that fails since the sAMAccountName already exists.
Hi @swcoleman, please work with the SailPoint support team. There might be a different error or issue.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1614065902223" id="0a7440ac77cd120a8177cdd3228f0019" language="beanshell" modified="1688152007435" name="RSA Certification PreDelegation Rule" type="CertificationPreDelegation">
<Description>A pre-delegation rule that is run on every CertificationEntity when the certification is generated in order to cause some entities to be pre-delegated. As an example, a manager certification could pre-delegate the certification responsibility to each employee that reports to the manager. This would allow each subordinate to first determine what they need access to, then allow the manager to review their decision.</Description>
<Signature returnType="Map">
<Inputs>
<Argument name="log">
<Description>
The log object associated with the SailPointContext.
</Description>
</Argument>
<Argument name="context">
<Description>
A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
</Description>
</Argument>
<Argument name="certification">
<Description>
The sailpoint.object.Certification being created.
</Description>
</Argument>
<Argument name="entity">
<Description>
The sailpoint.object.CertificationEntity to possibly pre-delegate.
</Description>
</Argument>
<Argument name="certContext">
<Description>
The sailpoint.api.CertificationContext generating this certification.
</Description>
</Argument>
<Argument name="state">
<Description>
A Map containing state information.
</Description>
</Argument>
</Inputs>
<Returns>
<Argument name="recipientName">
<Description>
The name of the Identity that should certify this entity. Either
this or 'recipient' should be non-null if pre-delegation should be
performed.
</Description>
</Argument>
<Argument name="recipient">
<Description>
The Identity that should certify this entity. Either this or
'recipientName' should be non-null if pre-delegation should be
performed.
</Description>
</Argument>
<Argument name="description">
<Description>
Optional description to set on the delegation WorkItem. If null, a
default description of 'Certify [entity name]' is used.
</Description>
</Argument>
<Argument name="comments">
<Description>
Optional comments to set on the delegation WorkItems.
</Description>
</Argument>
<Argument name="reassign">
<Description>
Optional boolean to specify to reassign rather than delegate.
</Description>
</Argument>
<Argument name="certificationName">
<Description>
Optional String to specify the name for the reassignment certification
if creating a new certification for reassignment. This is ignored for
delegations.
</Description>
</Argument>
</Returns>
</Signature>
<Source>import sailpoint.object.Identity;
import sailpoint.object.CertificationItem;
import sailpoint.object.EntitlementSnapshot;
import org.apache.log4j.Logger;

Logger logger = Logger.getLogger("com.sailpoint.RSA.Rule");
if (logger.isDebugEnabled()) {
    logger.debug("RSA Certification PreDelegation Rule : Start");
}

// Map returned to the certification builder (see the Returns section above).
Map returnMap = new HashMap();

// If we get no certification this is bad
if ((void == certification) || (null == certification)) {
    return;
}

String entityName = entity.getIdentity();

// Lookup the owner of the certification.
List certCertifiers = certification.getCertifiers();
if ((null == certCertifiers) || (certCertifiers.isEmpty())) {
    // The original logged an undefined variable (certName); use the certification's name.
    logger.error("RSA Certification PreDelegation Rule : Could not find certifiers Certification: " + certification.getName());
    return(returnMap);
}

// Collect the items whose target name matches one of the certifiers.
List selfCertItem = new ArrayList();
String certifierName = certCertifiers.get(0);
Identity certifierObj = context.getObjectByName(Identity.class, certifierName);
for (CertificationItem item : entity.getItems()) {
    logger.debug("item.getType() : " + item.getType());
    logger.debug("item.getTargetName() : " + item.getTargetName());
    if (certCertifiers.contains(item.getTargetName())) {
        selfCertItem.add(item);
    }
}

if (selfCertItem.size() > 0) {
    logger.debug("certifierObj : " + certifierObj);
    logger.debug("selfCertItem : " + selfCertItem);
    logger.debug("certifierObj.getManager() : " + certifierObj.getManager());
    logger.debug("certification.getName() : " + certification.getName());
    logger.debug("context.getConfiguration() : " + context.getConfiguration());

    // Reassign the collected items to the first certifier's manager.
    certification.bulkReassign(certifierObj, selfCertItem, certifierObj.getManager(), certifierObj.getManager().getDisplayName() + " - Entitlement Owner Certification", "Owner Manager Review", "please Review", context.getConfiguration());
    context.saveObject(certification);
    context.commitTransaction();
    return null;
}

if (logger.isDebugEnabled()) {
    logger.debug("RSA Certification PreDelegation Rule : End");
}
return returnMap;</Source>
</Rule>