LDAP Lookup is not functioning.
Error message in the tomcat log file indicates:
SEVERE [com.vontu.lookup.liveldap.LiveLdapLookup] Failed to initialize LDAP lookup.
Cause:com.vontu.directory.common.InitializationException: Could not connect to the LDAP server.
Reason: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 532, v1771 ]
The error indicates that invalid credentials have been used.
The following restrictions would apply:
- LDAP lookup don’t work against LDAPS / SLDAP. Enhancement Request PM-753 has been filed
- The LiveLDAP lookup does NOT support Anonymous bind. It does however support unauthenticated login by providing a valid username with no password. Otherwise the LiveLDAP lookup requires authenticated credentials to connect to LDAP. (See KB 54248)
In general, the next step would be to try logging into LDAP via an external LDAP Browser with the exact same credentials and make sure they have a named login.
LDAP error code 49 has several meanings, and further information is specified in the data code. There are several values that can indicate what <LDAP> function is causing the issue. The AD-specific <error code> is specified after "data" in the actual <error> string returned to the binding process. Here are some general references from Microsoft Active Directory:
525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password
775 user account locked
Lookup Plug-In Support for LDAPS (Secure LDAP) is supported with DLP Version 14.5 ondwards.
NOTE: For errors related to invalid credentials, where the username and password appear to be correct, one possible cause is the presence of trailing characters (spaces, tabs, etc.) in the username or password lines of the LiveLdapLookup.properties file. You can check for this by capturing LDAP traffic using Wireshark or a similar tool, and viewing the characters sent to the LDAP server, or by simply removing the credentials from the file and entering them again manually.