LDAP User Login Error, "LDAP: Error Code 49 - Invalid Credentials"

Article ID: 297629

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Symptoms:

When a customer runs cf login with an LDAP user, it fails with the following message:

# cf login
API endpoint: https://api.system.example.com
Email> [email protected]
Password> 
Authenticating... 
Credentials were rejected, please try again.
...

API endpoint: https://api.system.example.com (API version: 2.54.0) 
Not logged in. Use 'cf login' to log in. 
FAILED 
Unable to authenticate. 
 

The UAA log contains a more detailed error message:

[YYYY-MM-DDTHH:MM:SS] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- LdapAuthenticationProvider: Processing authentication request for user: [email protected]
[YYYY-MM-DDTHH:MM:SS] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- FilterBasedLdapUserSearch: Searching for user '[email protected]', with user search [ searchFilter: 'cn={0}', searchBase: 'ou=uiusers,ou=dac,dc=example,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ] ... [2016-09-27 06:31:25.687] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- BackwardsCompatibleTokenEndpointAuthenticationFilter: Authentication request for failed: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

Environment


Cause

The error described in this article can be triggered in a few different scenarios.

We have primarily seen it occur when Operations (Ops) Manager and TAS (Tanzu Application Service for VMs) have been configured to use LDAP. The configuration is deployed successfully and works, but at some point after the deployment the credentials of the LDAP bind user are changed and Ops Manager and TAS are not updated to match. UAA may continue to function if it can bind anonymously to your LDAP server; if anonymous bind is disabled, however, UAA will fail to authenticate users and log the message shown above.

Other possible triggers are an incorrect password being entered in Ops Manager and applied to the environment, or a user manually modifying the UAA configuration file and restarting UAA.

Resolution

1. Refer to this article and install ldapsearch. To rule out a wrong user password, create a new test user with the email [email protected] and a simple password. Then run ldapsearch with exactly the same bind DN, search base and search filter shown in the UAA log (the filter cn={0} with the username substituted for {0}):

ldapsearch -x -H "ldap://192.0.2.0:389" -D "cn=pcfldap,ou=sysusers,dc=example,dc=com" \
-W -b "ou=uiusers,ou=dac,dc=example,dc=com" '(cn=[email protected])'

On success it returns the user's entry, and the output ends with "# numEntries: 1".

2. The step above confirms that the user exists in LDAP and that ldapsearch can retrieve it with exactly the same search base and search filter that cf login (through UAA) uses.

3. The Invalid Credentials error may indicate that the admin (bind) user's password is wrong. Go to Ops Manager, update the password and run Apply Changes. Contact support if you have any problems updating the credentials through Ops Manager; we may need to check the /var/vcap/jobs/uaa/config/uaa.yml file on the UAA VM and provide a workaround.
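As an added example (not part of this article), the following Python script parses UAA debug lines of the shape quoted above, extracts the user, the filter template and the search base, and builds the matching ldapsearch command from them. The log lines are constructed samples, and the host and bind DN are assumed to be the ones used in step 1.

```python
import re
import shlex

# Constructed sample of UAA debug output, shaped like the lines quoted in this article.
SAMPLE_LOG = """\
[YYYY-MM-DDTHH:MM:SS] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- FilterBasedLdapUserSearch: Searching for user '[email protected]', with user search [ searchFilter: 'cn={0}', searchBase: 'ou=uiusers,ou=dac,dc=example,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[YYYY-MM-DDTHH:MM:SS] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- BackwardsCompatibleTokenEndpointAuthenticationFilter: Authentication request for failed: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
"""

SEARCH_RE = re.compile(r"Searching for user '([^']*)', with user search \[ "
                       r"searchFilter: '([^']*)', searchBase: '([^']*)'")
ERROR_RE = re.compile(r"LDAP: error code (\d+) - ([^\]]+)\]")


def escape_filter_value(value):
    """RFC 4515 escaping, so a username containing '*', '(', ')' or '\\' cannot
    change the meaning of the filter it is substituted into."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def parse_uaa_log(text):
    """Extract the user, filter template, search base and LDAP result code."""
    info = {}
    for line in text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            info["user"], info["filter_template"], info["search_base"] = m.groups()
        m = ERROR_RE.search(line)
        if m:
            info["error_code"], info["error_text"] = int(m.group(1)), m.group(2).strip()
    return info


def build_ldapsearch(info, host, bind_dn):
    """Repeat UAA's user search as the configured bind DN (-x simple bind, -W prompts
    for its password) with the same base and filter. UAA only checks the user's own
    password after this search succeeds, so error 49 here points at the bind DN's
    credentials, the cause this article describes."""
    user_filter = info["filter_template"].replace("{0}", escape_filter_value(info["user"]))
    args = ["ldapsearch", "-x", "-H", host, "-D", bind_dn, "-W",
            "-b", info["search_base"], "(" + user_filter + ")"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    found = parse_uaa_log(SAMPLE_LOG)
    if found.get("error_code") == 49:
        print(build_ldapsearch(found, "ldap://192.0.2.0:389",
                               "cn=pcfldap,ou=sysusers,dc=example,dc=com"))
```

Feed it the real UAA log (for example /var/vcap/sys/log/uaa output copied to a file) instead of SAMPLE_LOG to get the exact command for your environment.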