PAM-CM-0762 Authentication failed trying to manage credentials for the LDAP binding account.

Article ID: 216745

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The customer gets "PAM-CM-0762 Authentication failed" when trying to manage credentials for the LDAP binding account. The binding account can be verified, but its password cannot be changed.

The account is configured to update its own password.

The Tomcat log shows the following message:

javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002035: LdapErr: DSID-0C090F91, comment: Operation not allowed through GC port, data 0, v4563]; remaining name 'CN=CAPAMBindUsr,OU=Users,OU=SysMgt,DC=tus,DC=AMS1907,DC=com'

Environment

Release: 3.4.x

Component: CA LDAP Server

Cause

The customer is using port 3269 to manage the credential for the LDAP binding account instead of port 636.

Resolution

Port 3269 is the SSL port for queries specifically targeted at the Global Catalog. LDAP requests sent to port 3269 can search for objects across the entire forest, but the Global Catalog does not accept modifications such as password changes, which is why the server answers with error code 53 ("Operation not allowed through GC port").

On the Target Application for Active Directory, change the Domain Controller Port (SSL) from 3269 to 636.
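As an added illustration that is not part of the original article, the Python snippet below parses the Tomcat message quoted above into its parts and flags a target application whose Domain Controller Port points at a Global Catalog listener instead of a domain controller. The port sets are standard Active Directory values; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Standard Active Directory LDAP ports: 389/636 reach a domain controller
# (read/write), 3268/3269 reach the Global Catalog (read-only partial replica;
# modifications such as password changes are refused with error 53 / 00002035).
GLOBAL_CATALOG_PORTS = {3268, 3269}
DOMAIN_CONTROLLER_PORTS = {389, 636}

# Log message taken from the article above (not constructed).
SAMPLE_TOMCAT_LINE = (
    "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002035: "
    "LdapErr: DSID-0C090F91, comment: Operation not allowed through GC port, data 0, "
    "v4563]; remaining name 'CN=CAPAMBindUsr,OU=Users,OU=SysMgt,DC=tus,DC=AMS1907,DC=com'"
)

# Matches the JNDI/LDAP failure text as Tomcat logs it.
LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<ad_code>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), data (?P<data>\d+)"
    r".*?remaining name '(?P<dn>[^']+)'",
    re.DOTALL,
)

@dataclass
class LdapFailure:
    code: int       # LDAP result code (53 = unwillingToPerform)
    ad_code: str    # AD-specific hex code (00002035 = ERROR_DS_NOT_SUPPORTED)
    comment: str
    dn: str

    @property
    def is_gc_write_refusal(self) -> bool:
        # Error 53 with the GC-port comment: the modify hit a Global Catalog listener.
        return self.code == 53 and "GC port" in self.comment

def parse_ldap_failure(log_line: str) -> Optional[LdapFailure]:
    m = LDAP_ERR_RE.search(log_line)
    if not m:
        return None
    return LdapFailure(int(m["code"]), m["ad_code"], m["comment"].strip(), m["dn"])

def check_dc_port(port: int) -> str:
    """Verdict for the Domain Controller Port configured on an AD target application."""
    if port in GLOBAL_CATALOG_PORTS:
        return f"port {port} is a Global Catalog port: searches only, use 636 (or 389) for credential management"
    if port in DOMAIN_CONTROLLER_PORTS:
        return f"port {port} is a domain controller port: OK for credential management"
    return f"port {port} is not a standard AD LDAP port; verify the target"
```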