LDAP errors retrieved from the LDAP server when loading the Lookup Plugin


Article ID: 160305




Data Loss Prevention Enforce


LDAP Lookup is not functioning.

Error message in the tomcat log file indicates:

SEVERE [com.vontu.lookup.liveldap.LiveLdapLookup] Failed to initialize LDAP lookup.
Cause:com.vontu.directory.common.InitializationException: Could not connect to the LDAP server.
Reason: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 532, v1771 ]



The error indicates that invalid credentials have been used.

The following restrictions apply:


- LDAP lookup does not work against LDAPS / SLDAP. Enhancement Request PM-753 has been filed.

- The LiveLDAP lookup does NOT support Anonymous bind. It does, however, support unauthenticated login by providing a valid username with no password. Otherwise, the LiveLDAP lookup requires authenticated credentials to connect to LDAP. (See KB 54248)


In general, the next step would be to try logging into LDAP via an external LDAP Browser with the exact same credentials and make sure they have a named login.


LDAP error code 49 has several meanings, and further information is specified in the data code. There are several values that can indicate what LDAP function is causing the issue. The AD-specific error code is specified after "data" in the actual error string returned to the binding process. Here are some general references from Microsoft Active Directory:


525 user not found

52e invalid credentials

530 not permitted to logon at this time

531 not permitted to logon at this workstation

532 password expired

533 account disabled

701 account expired

773 user must reset password

775 user account locked


Lookup Plug-In support for LDAPS (Secure LDAP) is available with DLP Version 14.5 onwards.


NOTE: For errors related to invalid credentials, where the username and password appear to be correct, one possible cause is the presence of trailing characters (spaces, tabs, etc.) in the username or password lines of the LiveLdapLookup.properties file. You can check for this by capturing LDAP traffic using Wireshark or a similar tool, and viewing the characters sent to the LDAP server, or by simply removing the credentials from the file and entering them again manually.
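The following Python script is an added example, not part of the original article or the product. It covers both the data-code list and the trailing-character note above: it extracts the AD sub-code from an error 49 line in the tomcat log and lists the lines in a properties file that end in whitespace. The property key names and values in the sample are constructed placeholders, not the real keys of LiveLdapLookup.properties.

```python
import re

# AD sub-codes exactly as listed in this article (the value after "data").
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "user account locked",
}
_ERR49 = re.compile(r"LDAP: error code 49\b.*?\bdata\s+([0-9a-fA-F]+)")

def explain_bind_failure(log_line):
    """Return (sub_code, meaning) for an AD error 49 line, else None."""
    m = _ERR49.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "not listed in this article")

def trailing_whitespace_lines(properties_text):
    """Return [(line_number, key)] for entries that end in whitespace.
    Java's properties loader keeps trailing whitespace as part of the value,
    so it is sent in the bind. Only the key is reported, never the value."""
    hits = []
    for number, line in enumerate(re.split(r"\r?\n", properties_text), 1):
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or comment
        if line != line.rstrip():
            hits.append((number, re.split(r"[=:]", line, maxsplit=1)[0].strip()))
    return hits

# Reason line quoted from the error shown in this article.
SAMPLE_LOG = ("Reason: javax.naming.AuthenticationException: [LDAP: error code 49"
              " - 80090308: LdapErr: DSID-0C0903AA, comment: "
              "AcceptSecurityContext error, data 532, v1771 ]")

# Constructed sample; key names and values are hypothetical placeholders.
SAMPLE_PROPS = ("# constructed sample\n"
                "example.username=CN=svc-dlp,OU=Service,DC=example,DC=com\n"
                "example.password=NotARealSecret \t\n")

if __name__ == "__main__":
    print(explain_bind_failure(SAMPLE_LOG))
    for number, key in trailing_whitespace_lines(SAMPLE_PROPS):
        print(f"line {number}: '{key}' ends in whitespace")
```

To check a real installation, pass the contents of the tomcat log line and of LiveLdapLookup.properties to the two functions instead of the samples.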