LDAP users cannot login to Portal

Article ID: 368255

Updated On:

Products

DX NetOps CA Performance Management - Usage and Administration

Issue/Introduction

Local users such as “admin” are able to log in to the Portal.

All LDAP users get the error “Authorization Failure”.

When we use the SSO Config utility to test the LDAP connection we get this output:


Choose an option > 5

SSO Configuration/DX NetOps/Test LDAP

Enter username > testuser

Enter password >

The UserBind option has been selected. We will now perform the first bind with the LdapConnectionUser and LdapConnectionPassword supplied in the SSO Config utility.

ldapSearchDomain = ldap://10.10.10.10:389/DC-Companyname,DC=com

ldapTimeout = 10000

DirContext.SECURITY_AUTHENTICATION = simple

DirContext.SECURITY_PRINCIPAL = CN=specadmin,OU=Service Accounts,OU=Clients,DC=Companyname,DC=com

DirContext.SECURITY_CREDENTIALS set

Could not obtain a DirectoryContext.

javax.naming.AuthenticationException: [LDAP: error code49 - 80090308: ldapErr: DSID-0c090569, comment: AcceptSecurityContext error, data 532, v4563]

Logon failure: the specified account password has expired.

Bind to the directory failed.

Environment

DX NetOps: All Supported Versions

Cause

This is the LDAP configuration in use as seen in the SSO Config utility:

……

Connection User: CN=specadmin,OU=Service Accounts,OU=Clients,DC=Companyname,DC=com

Connection Password: *********

Search Domain: ldap://10.10.10.10:389/DC-Companyname,DC=com

Search String: (sAMAccountName={0})

Search Scope: Subtree

User Bind: Enabled

Encryption:

Account User: {sAMAccountName}

Account User Default Clone: nologin

Group: <LDAPGroups><Group searchtag="memberof" searchString="CN=portal_admins,OU=Admin Groups,DC=Companyname,DC=com" user="{sAMAccountName}" passwd="" userClone="admin"/>

Krb5ConfigFile:

Status: Enabled

Timeout: 10000

……

With this configuration (User Bind enabled), the initial contact with the LDAP host is made by binding as the LDAP service account specadmin, which is then used to search for the user's entry.

Only after that first bind succeeds is a second bind performed with the credentials of the user who is trying to log in, which is what actually checks that user's password.

As the error states (error code 49, data 532), the password for the service account specadmin has expired, so the first bind fails.

Because the first bind never succeeds, no user is ever passed to LDAP for verification, which is why every LDAP user sees “Authorization Failure” while local users are unaffected.
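The following Python script is an added example that is not part of this techdoc or of the SSO Config utility. It reads "Test LDAP" output like the one shown above and reports which of the two binds failed and why, using the subcodes Active Directory places in the "data NNN" field of an LDAP error 49. It assumes, as the output above shows, that the utility prints DirContext.SECURITY_PRINCIPAL immediately before each bind it attempts, so the last principal printed before the AuthenticationException is the DN whose bind failed; the sample output is constructed from the lines in this article.

```python
import re

# Subcodes Active Directory reports in "data NNN" of an LDAP result 49
# (invalidCredentials) raised by AcceptSecurityContext. These are the
# documented Windows values, not something taken from the SSO Config utility.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

ERR49_RE = re.compile(r"error code\s*49\b.*?data\s+([0-9a-fA-F]{3})", re.DOTALL)
PRINCIPAL_RE = re.compile(r"DirContext\.SECURITY_PRINCIPAL\s*=\s*(.+)")
EXCEPTION_RE = re.compile(r"javax\.naming\.AuthenticationException")


def normalise_dn(dn):
    """Case-insensitive, whitespace-insensitive comparison form of an AD DN."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def classify_bind_failure(text):
    """Return (subcode, meaning) for an AD error-49 bind failure, or None."""
    m = ERR49_RE.search(text)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unrecognised subcode")


def diagnose_test_ldap(output, connection_user):
    """Work out which bind failed in 'Test LDAP' output.

    Assumption (from the output format in the article): the DN being bound
    is printed as DirContext.SECURITY_PRINCIPAL before the bind attempt, so
    the last principal before the AuthenticationException is the one that
    failed. If it equals the configured Connection User, the service-account
    bind failed and no end-user credential was ever checked.
    """
    exc = EXCEPTION_RE.search(output)
    if not exc:
        return {"failed": False}
    principals = [m.group(1).strip()
                  for m in PRINCIPAL_RE.finditer(output[:exc.start()])]
    failing = principals[-1] if principals else None
    is_service = failing is not None and \
        normalise_dn(failing) == normalise_dn(connection_user)
    subcode = classify_bind_failure(output)
    return {
        "failed": True,
        "principal": failing,
        "stage": "service account (first bind)" if is_service
                 else "end user (second bind)",
        "subcode": subcode[0] if subcode else None,
        "meaning": subcode[1] if subcode else "not an AD error-49 bind failure",
    }


# Constructed sample: the utility output quoted in this article.
SAMPLE_OUTPUT = """The UserBind option has been selected. We will now perform the first bind with the LdapConnectionUser and LdapConnectionPassword supplied in the SSO Config utility.
ldapSearchDomain = ldap://10.10.10.10:389/DC-Companyname,DC=com
ldapTimeout = 10000
DirContext.SECURITY_AUTHENTICATION = simple
DirContext.SECURITY_PRINCIPAL = CN=specadmin,OU=Service Accounts,OU=Clients,DC=Companyname,DC=com
DirContext.SECURITY_CREDENTIALS set
Could not obtain a DirectoryContext.
javax.naming.AuthenticationException: [LDAP: error code49 - 80090308: ldapErr: DSID-0c090569, comment: AcceptSecurityContext error, data 532, v4563]
Logon failure: the specified account password has expired.
Bind to the directory failed.
"""
CONNECTION_USER = "CN=specadmin,OU=Service Accounts,OU=Clients,DC=Companyname,DC=com"

if __name__ == "__main__":
    result = diagnose_test_ldap(SAMPLE_OUTPUT, CONNECTION_USER)
    print(f"failed at: {result['stage']}")
    print(f"principal: {result['principal']}")
    print(f"reason:    data {result['subcode']} = {result['meaning']}")
```

Running it against the article's output reports the first (service-account) bind as the failing stage with subcode 532 (password expired); a "data 52e" on the second bind would instead point at a wrong end-user password, which is the case this article's symptom is easy to confuse with.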

Resolution

Reset (or re-enable) the password for the specadmin service account in LDAP, then update the Connection Password in the SSO Config utility if it changed, and re-run Test LDAP to confirm the first bind now succeeds.

Additional Information

Please note: in the examples in this techdoc the user is specadmin.

This is a placeholder user created for this purpose.