When using Dynamic Groups, the LDAP search logic differs between the 12.51 and 12.7 Policy Server

Document ID : KB000104908
Last Modified Date : 05/07/2018
Issue:
The LDAP search logic for Dynamic Groups differs between the 12.51 and 12.7 Policy Server.
In 12.7, a login user who is a member of a Dynamic Group gets AuthAccept followed by AzReject, whereas in 12.51 the same user is NOT rejected at authorization, i.e. both authentication and authorization succeed.

The CA SSO and LDAP User Store configuration is as follows:

Dynamic Group Configuration:
dn: cn=testGroup,ou=groups,o=cajapan,dc=example,dc=com
cn: testGroup
memberURL: ldap:///dc=example,dc=com??sub?(&(employeenumber=dynamic))
objectClass: groupOfUniqueNames
objectClass: groupOfUrls
objectClass: top

Login User Configuration:
dn: uid=user01,ou=people,o=cajapan,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: password
sn: testuser
cn: 10330740
givenName: 10330740
employeenumber: dynamic
uid: user01

User Directory Configuration in AdminUI: (screenshot not reproduced here)

Domain Policy Configuration in AdminUI: (screenshot not reproduced here)

smaccess.log:
AuthAccept XXXX-XXXX [27/Jun/2018:16:11:29 +0900] "::1 uid=user01,ou=people,o=cajapan,dc=example,dc=com" "XXXX-XXXX-spsagent GET /basic/_dumpvars.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0]  [] []
AzReject XXXX-XXXX [27/Jun/2018:16:11:30 +0900] "::1 uid=user01,ou=people,o=cajapan,dc=example,dc=com" "XXXX-XXXX-spsagent GET /basic/_dumpvars.asp" [18763142-f738d707-1043b0dd-a6b138d8-d001a3ee-ab] [0]  [] []
Environment:
ProductName=CA Single Sign-On Policy Server
FullVersion=12.70.0.1194
Resolution:
This is a product bug in the 12.51 Policy Server. It was fixed in 12.52 SP1 CR01, and the fix is also present in the current 12.7 release, which is why 12.7 behaves differently from 12.51.
By design, the Policy Server searches for user information only under the "LDAP Search" Root DN configured for the User Directory, so the search base of the "memberURL" attribute must be equal to or below that Root DN. In the configuration above the memberURL search base is dc=example,dc=com, the parent of the o=cajapan,dc=example,dc=com subtree that holds the users and groups; when that base lies above the Root DN the dynamic group lookup resolves no members, so the user is authenticated (AuthAccept) but fails the group-based authorization (AzReject). 12.51 did not enforce this scope, which is why the same configuration appeared to work there. The fix is to set the memberURL search base to a DN at or under the User Directory Root DN.
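The following is an added example for checking existing dynamic groups before an upgrade from 12.51; it is not part of the KB article or of the CA product. It parses LDIF entries, extracts the search base from each memberURL (RFC 4516 LDAP URL syntax) and reports whether that base sits at or under the User Directory Root DN. The Root DN value o=cajapan,dc=example,dc=com is an assumption (the article's AdminUI screenshot is not reproduced), and the LDIF is constructed: the first group is the one from the article, the second is a corrected copy whose search base is inside the assumed Root DN.

```python
"""Audit dynamic group memberURL search bases against a CA SSO User Directory Root DN.

Added example, not CA product code. ROOT_DN and SAMPLE_LDIF are assumptions/constructed data.
"""
from urllib.parse import unquote

# Assumed "LDAP Search" Root DN of the User Directory as configured in the AdminUI.
ROOT_DN = "o=cajapan,dc=example,dc=com"

# Constructed sample LDIF: the article's group (base above the Root DN) and a corrected one.
SAMPLE_LDIF = """\
dn: cn=testGroup,ou=groups,o=cajapan,dc=example,dc=com
cn: testGroup
memberURL: ldap:///dc=example,dc=com??sub?(&(employeenumber=dynamic))
objectClass: groupOfUniqueNames
objectClass: groupOfUrls
objectClass: top

dn: cn=fixedGroup,ou=groups,o=cajapan,dc=example,dc=com
cn: fixedGroup
memberURL: ldap:///ou=people,o=cajapan,dc=example,dc=com??sub?(employeenumber=dynamic)
objectClass: groupOfUrls
objectClass: top
"""


def split_dn(dn):
    """Split a DN into normalized RDNs (lower-cased, whitespace around '=' removed).

    Backslash-escaped characters such as '\\,' are kept inside the RDN value so that a
    value containing a comma does not produce a spurious split.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().lower() + "=" + value.strip().lower())
    return [r for r in out if r != "="]


def dn_is_under(dn, root_dn):
    """True if dn equals root_dn or is a descendant of it (RDN suffix match)."""
    d, r = split_dn(dn), split_dn(root_dn)
    return len(d) >= len(r) and d[len(d) - len(r):] == r


def parse_ldap_url(url):
    """Parse ldap://host/dn?attrs?scope?filter?exts (RFC 4516) into a dict.

    An absent scope defaults to 'base' and an absent filter to (objectClass=*), as the RFC specifies.
    """
    scheme, _, rest = url.partition("://")
    if scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    host, _, rest = rest.partition("/")
    fields = rest.split("?")
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, _exts = fields[:5]
    return {
        "host": host,
        "base": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": (scope or "base").lower(),
        "filter": unquote(filt) or "(objectClass=*)",
    }


def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries, 'attr: value' lines (no continuation lines)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def audit_dynamic_groups(ldif_text, root_dn):
    """Return (group DN, memberURL base, base is under root_dn) for every memberURL in the LDIF."""
    results = []
    for entry in parse_ldif(ldif_text):
        for url in entry.get("memberurl", []):
            base = parse_ldap_url(url)["base"]
            results.append((entry["dn"][0], base, dn_is_under(base, root_dn)))
    return results


if __name__ == "__main__":
    for group_dn, base, ok in audit_dynamic_groups(SAMPLE_LDIF, ROOT_DN):
        status = "OK" if ok else "OUTSIDE Root DN (will AzReject on 12.52 SP1 CR01+)"
        print(f"{group_dn}: base={base}: {status}")
```

Run it against an LDIF export of your group subtree (for example the output of an ldapsearch for objectClass=groupOfUrls) with ROOT_DN set to the value shown in the AdminUI User Directory dialog; any group flagged as outside the Root DN needs its memberURL base moved to a DN at or under the Root DN, as the resolution above describes.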