LDAP errors retrieved from the LDAP server when loading the Lookup Plugin

Article ID: 160305

Products

Data Loss Prevention Enforce

Issue/Introduction

LDAP Lookup is not functioning.

Error message in the tomcat log file indicates:

Cause:com.vontu.directory.common.InitializationException: Could not connect to the LDAP server.
Reason: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 532, v1771 ]

or 

Caused by: com.vontu.directory.common.InitializationException: Could not connect to the LDAP server.
Reason: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ]

or

[com.vontu.enforce.workflow.attributes.DeferredUpdateLookupRequest.doLookup] Lookup plug-in com.vontu.lookup.liveldap.LiveLdapLookup timed out. It was unloaded.

Resolution

The error indicates that invalid credentials have been used.

The following restriction applies:

  • The LiveLDAP lookup does NOT support anonymous bind. It does, however, support unauthenticated login by providing a valid username with no password. Otherwise, the LiveLDAP lookup requires authenticated credentials to connect to LDAP.

In general, the next step is to log in to LDAP with an external LDAP browser using exactly the same credentials, and confirm that they work as a named login.

LDAP error code 49 has several meanings; the specific reason is given by the data code. Several values indicate which LDAP function is causing the issue. The Active Directory-specific sub-code appears after "data" in the error string returned to the binding process. Here are some general references from Microsoft Active Directory:

  • 525 user not found
  • 52e invalid credentials
  • 530 not permitted to logon at this time
  • 531 not permitted to logon at this workstation
  • 532 password expired
  • 533 account disabled
  • 701 account expired
  • 773 user must reset password
  • 775 user account locked


NOTE: For invalid-credentials errors where the username and password appear to be correct, one possible cause is trailing characters (spaces, tabs, etc.) on the username or password lines of the LiveLdapLookup.properties file. You can check for this by capturing the LDAP traffic with Wireshark or a similar tool and viewing the characters sent to the LDAP server, or simply by removing the credentials from the file and entering them again manually.
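As an added troubleshooting helper (not part of this article or the product), the script below pulls the "data" sub-code out of an error 49 line and maps it to the meanings listed above, and checks a properties fragment for the trailing whitespace described in the NOTE. The `username`/`password` property key names and the sample properties values are assumed placeholders, not the plug-in's real settings.

```python
import re

# AD sub-codes that follow "data" in an LDAP error 49 string (the table above).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

_DATA_RE = re.compile(r"LDAP: error code 49 - .*?\bdata ([0-9A-Fa-f]+)")

def classify_bind_error(line):
    """Return (data_code, meaning) for an error 49 line, or None otherwise (e.g. the time-out message)."""
    m = _DATA_RE.search(line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown data code")

def trailing_whitespace_keys(properties_text, keys=("username", "password")):
    """Names of properties whose values end in spaces or tabs, the cause
    described in the NOTE. The key names are assumed placeholders, not the
    plug-in's real property names."""
    found = []
    for raw in properties_text.splitlines():
        if "=" not in raw or raw.lstrip().startswith("#"):
            continue
        key, value = raw.split("=", 1)
        if key.strip() in keys and value != value.rstrip():
            found.append(key.strip())
    return found

# Constructed samples: the two bind failures quoted in the article and a
# properties fragment with a trailing space after the password.
SAMPLE_LOG = [
    "Reason: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 532, v1771 ]",
    "Reason: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ]",
]
SAMPLE_PROPERTIES = "username=svc_dlp_lookup\npassword=Example-Secret-1 \n"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_bind_error(line))
    print(trailing_whitespace_keys(SAMPLE_PROPERTIES))
```

Run it against the relevant lines of the tomcat log and the properties file; a non-empty list from the second function points at the trailing-character problem before any packet capture is needed.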