Error performing LDAP bind: ldap bind error code 49

Good day, dear forum members.

The gist of the problem:

Recently, Group Policies have stopped being applied for users in the domain.

The system log on the client shows this error:

Сбой обработки групповой политики из-за отсутствия сетевого подключения к контроллеру домена. Это может быть временным явлением. Как только компьютеру удастся подключиться к контроллеру домена и групповая политика будет
обработана успешно, будет создано сообщение об успехе. Если это сообщение не появляется в течение нескольких часов, обратитесь к администратору.
Не удалось успешно обновить политику пользователя. Обнаружены следующие ошибки:

Ошибка при обработке групповой политики. Не удалось пройти проверку подлинности в службе каталогов Active Directory на контроллере домена. (Ошибка при выполнении привязки LDAP Bind). На вкладке «Подробности» можно найти код и описание
ошибки.

Details:

Having looked at the article:

Event ID 1006 — Group Policy Preprocessing (Active Directory)

The "invalid credentials" explanation looks like nonsense; I even changed the password. The server is reachable over the network and the network shares are visible:

They are accessible.

On the server, the Security event log records an audit failure:

Учетной записи не удалось выполнить вход в систему.

Субъект:
ИД безопасности:
NULL SID
Имя учетной записи:

Домен учетной записи:

Код входа:
0x0

Тип входа: 3

Учетная запись, которой не удалось выполнить вход:
ИД безопасности:
NULL SID
Имя учетной записи:
CAB2$
Домен учетной записи:
DOMAIN.LOCAL

Сведения об ошибке:
Причина ошибки:
Выбранный режим входа для данного пользователя на этом компьютере не предусмотрен.
Состояние:
0xC000015B
Подсостояние:
0x0

Сведения о процессе:
Идентификатор процесса вызывающей стороны:
0x0
Имя процесса вызывающей стороны:

Сведения о сети:
Имя рабочей станции:

Сетевой адрес источника:
192.168.1.16
Порт источника:
50404

Сведения о проверке подлинности:
Процесс входа:
Kerberos
Пакет проверки подлинности:
Kerberos
Промежуточные службы:

Имя пакета (только NTLM):

Длина ключа:
0

Данное событие возникает при неудачной попытке входа. Оно регистрируется на компьютере, попытка доступа к которому была выполнена.

Поля «Субъект» указывают на учетную запись локальной системы, запросившую вход. Обычно это служба, например, служба «Сервер», или локальный процесс, такой как Winlogon.exe или Services.exe.

В поле «Тип входа» указан тип выполненного входа. Наиболее распространенными являются типы 2 (интерактивный) и 3 (сетевой).

В полях «Сведения о процессе» указано, какая учетная запись и процесс в системе выполнили запрос на вход.

Поля «Сведения о сети» указывают на источник запроса на удаленный вход. Имя рабочей станции доступно не всегда, и в некоторых случаях это поле может оставаться незаполненным.

Поля сведений о проверке подлинности содержат подробные данные о конкретном запросе на вход.
— В поле «Промежуточные службы» указано, какие промежуточные службы участвовали в данном запросе на вход.
— Поле «Имя пакета» указывает на подпротокол, использованный с протоколами NTLM.
— Поле «Длина ключа» содержит длину созданного сеансового ключа. Это поле может иметь значение «0», если сеансовый ключ не запрашивался.
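The security event quoted above is the part of the post a responder would start from: a Kerberos network logon (type 3) by the computer account CAB2$, rejected with status 0xC000015B. As an added example that is not part of the original post, the Python below parses a 4625 record into its sections and decodes the status codes. The sample record is constructed with the English field labels of the same event (the post shows the Russian-localised text), and the status table lists only well-documented NTSTATUS values.

```python
# Added example: triage of a Windows Security event 4625 (audit failure) record.
# SAMPLE_4625 is a constructed record with the English labels of the event; the
# values mirror the post above (computer account CAB2$, logon type 3, Kerberos).

NTSTATUS = {
    0x00000000: "STATUS_SUCCESS (field not set)",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

SAMPLE_4625 = """An account failed to log on.

Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
\tAccount Domain:\t\t-
\tLogon ID:\t\t0x0

Logon Type:\t\t\t3

Account For Which Logon Failed:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\tCAB2$
\tAccount Domain:\t\tDOMAIN.LOCAL

Failure Information:
\tFailure Reason:\t\tThe user has not been granted the requested logon type at this machine.
\tStatus:\t\t\t0xC000015B
\tSub Status:\t\t0x0

Network Information:
\tWorkstation Name:\t-
\tSource Network Address:\t192.168.1.16
\tSource Port:\t\t50404

Detailed Authentication Information:
\tLogon Process:\t\tKerberos
\tAuthentication Package:\tKerberos
"""


def parse_4625(text):
    """Turn the label/value layout of a 4625 record into {"Section/Label": value}."""
    fields, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or ":" not in raw:
            continue                      # blank lines and the summary sentence
        label, _, value = raw.partition(":")
        label, value = label.strip(), value.strip()
        if not raw[0].isspace():          # unindented: a section header or a top-level field
            section = None
            if not value:
                section = label
                continue
        fields[f"{section}/{label}" if section else label] = value
    return fields


def triage(fields):
    """Decode the codes a responder looks at first."""
    status = int(fields.get("Failure Information/Status", "0x0"), 16)
    sub_status = int(fields.get("Failure Information/Sub Status", "0x0"), 16)
    logon_type = int(fields.get("Logon Type", "0"))
    account = fields.get("Account For Which Logon Failed/Account Name", "")
    return {
        "account": account,
        "domain": fields.get("Account For Which Logon Failed/Account Domain", ""),
        "machine_account": account.endswith("$"),   # computer accounts end in '$'
        "logon_type": LOGON_TYPES.get(logon_type, f"unknown ({logon_type})"),
        "package": fields.get("Detailed Authentication Information/Authentication Package", ""),
        "source": fields.get("Network Information/Source Network Address", ""),
        "status": NTSTATUS.get(status, f"0x{status:08X} (not in table)"),
        "sub_status": NTSTATUS.get(sub_status, f"0x{sub_status:08X} (not in table)"),
    }


def hint(t):
    """One-line next step for the most common status values (documented meanings)."""
    if t["status"] == "STATUS_LOGON_TYPE_NOT_GRANTED" and t["logon_type"] == "Network":
        who = "computer account" if t["machine_account"] else "account"
        return (f"{who} {t['account']} is denied network logon on the target: review the "
                "'Access this computer from the network' and 'Deny access to this computer "
                "from the network' user rights that apply to it on that host")
    if t["status"] == "STATUS_LOGON_FAILURE":
        return f"bad user name or password; sub status {t['sub_status']} says which"
    return "see the status table"


if __name__ == "__main__":
    result = triage(parse_4625(SAMPLE_4625))
    for key, value in result.items():
        print(f"{key:16} {value}")
    print("next step:", hint(result))
```

Feed the function the text of the event as exported from Event Viewer or from a SIEM; for a localised event only the labels in the `fields.get(...)` lookups need to change.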

Contents

  1. LDAP: error code 49 — Invalid Credentials During FileNet Enterprise Manager (FEM) Logon
  2. Troubleshooting
  3. Problem
  4. Symptom
  5. Cause
  6. Diagnosing The Problem
  7. Resolving The Problem
  8. Ldap error invalid credentials error code 49
  9. Asked by:
  10. Question
  11. LDAP Integration — Bind failed: 49: Invalid credentials #4177
  12. Comments
  13. Steps to reproduce
  14. Expected behaviour
  15. Actual behaviour
  16. Server configuration
  17. LDAP configuration (delete this part if not used)
  18. Client configuration
  19. Web server error log
  20. Nextcloud log (data/nextcloud.log)
  21. Browser log

LDAP: error code 49 — Invalid Credentials During FileNet Enterprise Manager (FEM) Logon

Troubleshooting

Problem

Users cannot log in to FEM.

Symptom

FEM returns "LDAP: error code 49 - Invalid Credentials".

Cause

1. The credential of the bind user in one of the Directory Configurations is incorrect.
2. The credential of the bootstrap user is incorrect.

Diagnosing The Problem

Check whether a Directory Configuration bind user credential is incorrect

1. Check the ping page and confirm that CE has started successfully with no errors.

2. Attempt to log in through FEM with a valid user. If the login fails with an LDAP error 49, at least one of the directory configuration bind user credentials is incorrect.

Check whether the bootstrap user credential is incorrect

1. Check the ping page and confirm that CE has started, but that the ping page itself reports an LDAP error 49.

2. Attempt to log in through FEM with a valid user. If the login fails with an LDAP error 49, the bootstrap user credential is incorrect.

Resolving The Problem

Using a third-party tool, log in to the LDAP server with the directory configuration bind user credential. If the login is unsuccessful, contact an LDAP administrator to get the correct password. If the login is successful, the bootstrap or bind user credential is incorrect.

Directory Configuration bind user credential is incorrect

Use the GCDUtil tool to modify the Directory Configuration bind user password.

Bootstrap user credential is incorrect

Start CMUI tool, run the bootstrap task to update the bootstrap user credentials, and then redeploy CE.


Ldap error invalid credentials error code 49


Question

We are developing LDAP authentication against Active Directory and met the following errors, although the username and password are correct.

LDAP: error code 49 — 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

The user detail is: CN=Peter, Lia ,OU=DEV,OU=HK_U,OU=cita,OU=US,DC=achtest,DC=local

As you may have seen, the last name of this user has a backslash plus a space in the CN; we guess this may be the problem, since other users don't have this problem if their last name doesn't have a backslash and a space.

However, we don't know how we can add a new user to duplicate this issue, since there is no way to add a new user with a space at the end of the name: Active Directory automatically trims the space when it saves the new user to the database.

My questions are:

1. Do you have this kind of experience? Any idea how to resolve it?

2. How can we add a new user with a space at the end of the last name, so that we can replicate this issue?

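Two things in this question can be checked in code. The AD diagnostic string that accompanies result 49 carries a `data` field whose Win32 error code is more specific than the LDAP result itself (52e is a logon failure; 525 would have meant the user was not found), and a CN value that contains a comma or ends in a space has to be escaped per RFC 4514 before it can appear in a DN string (a backslash before the comma and before the trailing space), which the DN as pasted in the question no longer shows. The following is an added example, not code from the thread; `parse_ad_bind_error`, `escape_rdn_value` and `build_dn` are my own helpers, and the data-code table lists only documented values.

```python
import re

# Added example: decode AD's "data <hex>" sub-code behind LDAP result 49 and
# escape DN attribute values per RFC 4514. Table values are the documented
# Win32 error meanings (0x52e = 1326 ERROR_LOGON_FAILURE, and so on).
AD_DATA_CODES = {
    "525": "ERROR_NO_SUCH_USER: user not found",
    "52e": "ERROR_LOGON_FAILURE: user name or password is wrong",
    "530": "ERROR_INVALID_LOGON_HOURS: logon not permitted at this time",
    "531": "ERROR_INVALID_WORKSTATION: logon not permitted from this workstation",
    "532": "ERROR_PASSWORD_EXPIRED",
    "533": "ERROR_ACCOUNT_DISABLED",
    "701": "ERROR_ACCOUNT_EXPIRED",
    "773": "ERROR_PASSWORD_MUST_CHANGE: user must reset the password first",
    "775": "ERROR_ACCOUNT_LOCKED_OUT",
}

# "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, v..."
AD_DIAG = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)")


def parse_ad_bind_error(message):
    """Split an 'LDAP: error code 49 - 80090308: LdapErr: ...' string into its parts."""
    result = {"result_code": None, "data": None,
              "meaning": "not an AD diagnostic string"}
    m = re.search(r"error code (\d+)", message)
    if m:
        result["result_code"] = int(m.group(1))
    d = AD_DIAG.search(message)
    if d:
        result.update(d.groupdict())
        result["data"] = d.group("data").lower()
        result["meaning"] = AD_DATA_CODES.get(result["data"], "data code not in table")
    return result


def escape_rdn_value(value):
    """Escape one attribute value for use in a DN string (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)            # special characters anywhere
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")                # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdn_attr, rdn_value, parent_dn):
    """Assemble 'ATTR=<escaped value>,<parent DN>'."""
    return f"{rdn_attr}={escape_rdn_value(rdn_value)},{parent_dn}"


if __name__ == "__main__":
    err = ("LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
           "comment: AcceptSecurityContext error, data 52e, vece")
    print(parse_ad_bind_error(err))
    # Constructed CN with a comma and a trailing space, as described in the question.
    print(build_dn("CN", "Peter, Lia ", "OU=DEV,OU=HK_U,OU=cita,OU=US,DC=achtest,DC=local"))
```

The escaped DN is what a bind (or a search base) must carry; if an application builds the DN by string concatenation without this escaping, the server parses the comma as an RDN separator and the bind fails for exactly the users whose names contain one.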

LDAP Integration — Bind failed: 49: Invalid credentials #4177

Steps to reproduce

  1. Connect to LDAP Server, Configuration OK. 301 Users found, they show up in User category.
  2. Try to log in with a user, using the ‘username’ displayed in NC
  3. Wrong Password shows up and user is rejected, log says Bind failed: 49: Invalid credentials

Expected behaviour

User should be authenticated and logged in

Actual behaviour

User is rejected

Server configuration

Operating system:
Ubuntu 12.04.5 LTS
Web server:
Apache2
Database:
MySql
PHP version:
PHP 7.0.15-0ubuntu0.16.04.4
Nextcloud version: (see Nextcloud admin page)
11,0,2,7
Updated from an older Nextcloud/ownCloud or fresh install:
Fresh install
Where did you install Nextcloud from:
Tar from official website: Nextcloud-11.0.2.tar.bz2
Signing status:

List of activated apps:

  • activity: 2.4.1
  • admin_audit: 1.1.0
  • comments: 1.1.0
  • dav: 1.1.1
  • federatedfilesharing: 1.1.1
  • federation: 1.1.1
  • files: 1.6.1
  • files_pdfviewer: 1.0.1
  • files_sharing: 1.1.1
  • files_texteditor: 2.2
  • files_trashbin: 1.1.0
  • files_versions: 1.4.0
  • files_videoplayer: 1.0.0
  • firstrunwizard: 2.0
  • gallery: 16.0.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.0.0
  • nextcloud_announcements: 1.0
  • notifications: 1.0.1
  • provisioning_api: 1.1.0
  • serverinfo: 1.1.1
  • sharebymail: 1.0.1
  • survey_client: 0.1.5
  • systemtags: 1.1.3
  • theming: 1.1.1
  • twofactor_backupcodes: 1.0.0
  • updatenotification: 1.1.1
  • user_external: 0.4
  • user_ldap: 1.1.2
  • workflowengine: 1.1.1
    Disabled:
  • encryption
  • external
  • files_accesscontrol
  • files_automatedtagging
  • files_external
  • files_retention
  • password_policy
  • templateeditor
  • user_saml

The content of config/config.php:

Are you using external storage, if yes which one: local/smb/sftp/.
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/.
LDAP:
Kerberos with LDAP as login agent

LDAP configuration (delete this part if not used)

Client configuration

Browser:

Operating system:

Web server error log

Nextcloud log (data/nextcloud.log)

+——————————-+————————————————————————————-+
| Configuration | s01 |
+——————————-+————————————————————————————-+
| hasMemberOfFilterSupport | |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=ADMIN,dc=ds,dc=local |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=ds,dc=local |
| ldapBaseGroups | dc=ds,dc=local |
| ldapBaseUsers | ou=people,dc=ds,dc=local |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | uid |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=posixGroup))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 1 |
| ldapGroupFilterObjectclass | posixGroup |
| ldapGroupMemberAssocAttr | memberUid |
| ldapHost | teller.ds.local |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(|(objectclass=inetOrgPerson))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 1 |
| ldapOverrideMainServer | |
| ldapPagingSize | 1000 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | cn |
| ldapUserDisplayName2 | |
| ldapUserFilter | (|(objectclass=inetOrgPerson)(objectclass=krb5Principal)(objectclass=posixAccount)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | inetOrgPerson;krb5Principal;posixAccount |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+——————————-+————————————————————————————-+
+——————————-+—————+
| Configuration | s02 |
+——————————-+—————+
| hasMemberOfFilterSupport | 0 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | |
| ldapBaseGroups | |
| ldapBaseUsers | |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 0 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayName |
| ldapUserDisplayName2 | |
| ldapUserFilter | |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+——————————-+—————+

Browser log

Due to personal info and IPs I can’t admit the log. Putting warnings and errors here.
Warning user_ldap Bind failed: 49: Invalid credentials
Warning core Login failed: ‘Username’
Error index OCServerNotAvailableException: Connection to LDAP server could not be established (This one might have showed up when I was tinkering and is probably not a permanent one)
Error PHP ldap_search(): Partial search results returned: Sizelimit exceeded at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#293

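One configuration detail in the s01 table is worth ruling out before chasing the bind itself: ldapUserFilter accepts inetOrgPerson, krb5Principal or posixAccount, but ldapLoginFilter only accepts inetOrgPerson, so an entry that the user list shows may not be findable at login time. The following is an added example, not Nextcloud's user_ldap code: a small RFC 4515 filter evaluator (and/or/not, equality and presence only) that runs the two filters from the table above against constructed entries and reports the uids that fall into that gap. The `%uid` placeholder is substituted with RFC 4515 escaping, as any login filter must do.

```python
import re

# Added example: evaluate Nextcloud-style LDAP filters against in-memory entries.
# The filters are copied from the s01 configuration above; the entries are constructed.
USER_FILTER = "(|(objectclass=inetOrgPerson)(objectclass=krb5Principal)(objectclass=posixAccount))"
LOGIN_FILTER = "(&(|(objectclass=inetOrgPerson))(uid=%uid))"
GROUP_FILTER = "(&(|(objectclass=posixGroup)))"

ENTRIES = [
    {"dn": ["uid=alice,ou=people,dc=ds,dc=local"],
     "objectclass": ["inetOrgPerson", "posixAccount", "krb5Principal"], "uid": ["alice"]},
    {"dn": ["uid=bob,ou=people,dc=ds,dc=local"],        # no inetOrgPerson
     "objectclass": ["posixAccount", "krb5Principal"], "uid": ["bob"]},
    {"dn": ["cn=staff,ou=groups,dc=ds,dc=local"],
     "objectclass": ["posixGroup"], "cn": ["staff"], "memberuid": ["alice", "bob"]},
]


def escape_filter_value(value):
    """Escape a value substituted into a filter (RFC 4515, section 3)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the RFC 4515 subset used here: & | ! (attr=value) (attr=*).
    Substring filters such as (cn=a*) are not supported."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            tree = (op, children)
        else:
            end = text.index(")", pos)       # a literal ')' in a value is escaped as \29
            attr, sep, value = text[pos:end].partition("=")
            if not sep:
                raise ValueError(f"no '=' in item at offset {pos}")
            tree = (("present", attr.lower()) if value == "*"
                    else ("eq", attr.lower(), _unescape(value)))
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return tree

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against {attr: [values]}; attribute names are lowercase,
    and values compare case-insensitively (caseIgnore matching, as for uid and objectClass)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    values = [v.lower() for v in entry.get(tree[1], [])]
    if kind == "present":
        return bool(values)
    return tree[2].lower() in values


def login_gaps(entries, user_filter=USER_FILTER, login_filter=LOGIN_FILTER):
    """uids that the user filter enumerates but the login filter can never find."""
    user_tree = parse_filter(user_filter)
    gaps = []
    for entry in entries:
        if not matches(user_tree, entry):
            continue
        uid = entry["uid"][0]
        login_tree = parse_filter(login_filter.replace("%uid", escape_filter_value(uid)))
        if not matches(login_tree, entry):
            gaps.append(uid)
    return gaps


if __name__ == "__main__":
    print("listed but not loginable:", login_gaps(ENTRIES))
    print("group filter matches staff:", matches(parse_filter(GROUP_FILTER), ENTRIES[2]))
```

Against the constructed entries, `bob` is listed by the user filter and absent from every login search, so his bind is never even attempted with the right DN. The escaping step is what stops a login name like `*)(uid=*` from rewriting the filter.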




Any LDAP gurus here?
For some time now I haven't been able to do anything in LDAP; the system doesn't accept passwords (ldap_bind: Invalid credentials (49)).
At first I thought I had forgotten the password. I reset the password to "qwe":
dn: cn=admin,dc=my_domain
userPassword:: cXdl

Still ldap_bind: Invalid credentials (49)
Can anyone tell me what the problem might be and where to dig?



Error 49 is an access error: AuthenticationException: [LDAP: error code 49 — Invalid Credentials…
In the config section where it says something like access to * by OwnerWorld read/write, did you specify that this group may read and write?


Which LDAP server is it? Look at the logs, obviously. The specific reason should be stated there. Perhaps the password has expired.

Jul 14 04:20:17 ldap slapd[29525]: conn=1045 fd=16 ACCEPT from IP=[::1]:48517 (IP=[::]:389)
Jul 14 04:20:17 ldap slapd[29525]: conn=1045 op=0 BIND dn=«cn=admin,dc=my_domain» method=128
Jul 14 04:20:17 ldap slapd[29525]: conn=1045 op=0 RESULT tag=97 err=49 text=
Jul 14 04:20:17 ldap slapd[29525]: conn=1045 op=1 UNBIND
Jul 14 04:20:17 ldap slapd[29525]: conn=1045 fd=16 closed

Nothing specific, error code 49 and that's it.

There is no password expiry limit set.

Run ngrep on the LDAP port and look at what arrives.



I’m trying to set up an OpenLDAP server, and after following the instructions I’m stuck at the point where I can’t add any data.

The error I’m getting is

ldap_bind: Invalid credentials (49)

Please help me with this issue, and be patient while reading the debug data and the slapd.conf file, because they are quite long.

My system is: Red Hat Enterprise Linux 6.0
I installed OpenLDAP using yum openldap*.

Here is my slapd.conf file:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Load dynamic backend modules:
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# modulepath    /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
## To load this module, you have to install openldap-server-sql first
# moduleload back_sql.la
## Following two modules can't be loaded simultaneously
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database    bdb
suffix dc=ttsbroot,dc=teleotele
#checkpoint 1024 15
rootdn cn=shamal,dc=ttsbroot,dc=teleotele
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {crypt}49/WKVk.6oz3o
# rootpw        secret
# rootpw        {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM


# enable monitoring
database monitor

# allow only rootdn to read the monitor
access to * by * write by * read by * search by * auth

I’m adding the debug data returned when I added the -d 255 argument.

[root@TTSBROOT Documents]# ldapadd -D "cn=shamal,dc=TTSBROOT,dc=teleotele" -W -x -a -f teleotele.ldif -d 255
ldap_create
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x18345d0 ptr=0x18345d0 end=0x1834612 len=66
  0000:  30 84 00 00 00 3c 02 01  01 60 84 00 00 00 33 02   0....<...`....3.  
  0010:  01 03 04 22 63 6e 3d 73  68 61 6d 61 6c 2c 64 63   ..."cn=shamal,dc  
  0020:  3d 54 54 53 42 52 4f 4f  54 2c 64 63 3d 74 65 6c   =TTSBROOT,dc=tel  
  0030:  65 6f 74 65 6c 65 80 0a  73 68 61 6d 61 6c 31 32   eotele..shamal12  
  0040:  33 34                                              34                
ber_scanf fmt ({i) ber:
ber_dump: buf=0x18345d0 ptr=0x18345d9 end=0x1834612 len=57
  0000:  60 84 00 00 00 33 02 01  03 04 22 63 6e 3d 73 68   `....3...."cn=sh  
  0010:  61 6d 61 6c 2c 64 63 3d  54 54 53 42 52 4f 4f 54   amal,dc=TTSBROOT  
  0020:  2c 64 63 3d 74 65 6c 65  6f 74 65 6c 65 80 0a 73   ,dc=teleotele..s  
  0030:  68 61 6d 61 6c 31 32 33  34                        hamal1234         
ber_flush2: 66 bytes to sd 4
  0000:  30 84 00 00 00 3c 02 01  01 60 84 00 00 00 33 02   0....<...`....3.  
  0010:  01 03 04 22 63 6e 3d 73  68 61 6d 61 6c 2c 64 63   ..."cn=shamal,dc  
  0020:  3d 54 54 53 42 52 4f 4f  54 2c 64 63 3d 74 65 6c   =TTSBROOT,dc=tel  
  0030:  65 6f 74 65 6c 65 80 0a  73 68 61 6d 61 6c 31 32   eotele..shamal12  
  0040:  33 34                                              34                
ldap_write: want=66, written=66
  0000:  30 84 00 00 00 3c 02 01  01 60 84 00 00 00 33 02   0....<...`....3.  
  0010:  01 03 04 22 63 6e 3d 73  68 61 6d 61 6c 2c 64 63   ..."cn=shamal,dc  
  0020:  3d 54 54 53 42 52 4f 4f  54 2c 64 63 3d 74 65 6c   =TTSBROOT,dc=tel  
  0030:  65 6f 74 65 6c 65 80 0a  73 68 61 6d 61 6c 31 32   eotele..shamal12  
  0040:  33 34                                              34                
ldap_result ld 0x182c3e0 msgid 1
wait4msg ld 0x182c3e0 msgid 1 (infinite timeout)
wait4msg continue ld 0x182c3e0 msgid 1 all 1
** ld 0x182c3e0 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Apr 22 14:24:17 2011


** ld 0x182c3e0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x182c3e0 request count 1 (abandoned 0)
** ld 0x182c3e0 Response Queue:
   Empty
  ld 0x182c3e0 response count 0
ldap_chkResponseList ld 0x182c3e0 msgid 1 all 1
ldap_chkResponseList returns ld 0x182c3e0 NULL
ldap_int_select
read1msg: ld 0x182c3e0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 84 00 00 00 10 02 01                            0.......          
ldap_read: want=14, got=14
  0000:  01 61 84 00 00 00 07 0a  01 31 04 00 04 00         .a.......1....    
ber_get_next: tag 0x30 len 16 contents:
ber_dump: buf=0x1835a50 ptr=0x1835a50 end=0x1835a60 len=16
  0000:  02 01 01 61 84 00 00 00  07 0a 01 31 04 00 04 00   ...a.......1....  
read1msg: ld 0x182c3e0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x1835a50 ptr=0x1835a53 end=0x1835a60 len=13
  0000:  61 84 00 00 00 07 0a 01  31 04 00 04 00            a.......1....     
read1msg: ld 0x182c3e0 0 new referrals
read1msg:  mark request completed, ld 0x182c3e0 msgid 1
request done: ld 0x182c3e0 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x1835a50 ptr=0x1835a53 end=0x1835a60 len=13
  0000:  61 84 00 00 00 07 0a 01  31 04 00 04 00            a.......1....     
ber_scanf fmt (}) ber:
ber_dump: buf=0x1835a50 ptr=0x1835a60 end=0x1835a60 len=0

ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
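
As an added example (not part of the original post), the following decodes the two BER-encoded LDAPMessages from the trace above: the simple BindRequest that carried the DN and password in clear over port 389, and the BindResponse whose resultCode byte 0x31 is the 49 that ldap_bind reports. The decoder is a minimal one written for this example; the only names assumed are the RFC 4511 result-code names.

```python
# Added example (not from the original post): minimal BER decoder for the two
# LDAPMessages in the OpenLDAP trace above; the hex is copied from that trace.
BIND_REQUEST_HEX = """30 84 00 00 00 3c 02 01 01 60 84 00 00 00 33 02
01 03 04 22 63 6e 3d 73 68 61 6d 61 6c 2c 64 63 3d 54 54 53 42 52 4f 4f 54
2c 64 63 3d 74 65 6c 65 6f 74 65 6c 65 80 0a 73 68 61 6d 61 6c 31 32 33 34"""
# The two ldap_read calls (8 + 14 bytes) that carried the BindResponse.
BIND_RESPONSE_HEX = "30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0a 01 31 04 00 04 00"
# A few RFC 4511 resultCode values worth recognising in a BindResponse.
RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; returns (tag, value, next_pos).
    Handles the long-form length OpenLDAP emits (0x84 + four length bytes)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long form: low 7 bits = byte count
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_message(raw):
    """Decode an LDAPMessage carrying a BindRequest [APPLICATION 0] or a
    BindResponse [APPLICATION 1] into a dict (other operations: messageID only)."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msgid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(msgid, "big")}
    if op_tag == 0x60:                    # BindRequest
        _, version, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        msg.update(op="bindRequest", version=version[0], name=name.decode())
        # [0] simple: the password is a plain OCTET STRING, so without TLS on
        # the socket it is readable on the wire, exactly as the trace shows.
        msg["simple_password"] = cred.decode() if auth_tag == 0x80 else None
    elif op_tag == 0x61:                  # BindResponse
        _, code, p = read_tlv(op, 0)
        _, matched, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)
        msg.update(op="bindResponse", resultCode=code[0],
                   result=RESULT_CODES.get(code[0], "other"),
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode())
    return msg
```

Running it on the captured bytes shows the DN and the password as sent, and a BindResponse with empty matchedDN and diagnosticMessage, which is why ldap_bind can only say "Invalid credentials (49)" and nothing more.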

Steps to reproduce

  1. Connect to LDAP Server, Configuration OK. 301 Users found, they show up in User category.
  2. Try to log in with a user, using the 'username' displayed in NC
  3. Wrong Password shows up and user is rejected, log says Bind failed: 49: Invalid credentials

Expected behaviour

User should be authenticated and logged in

Actual behaviour

User is rejected

Server configuration

Operating system:
Ubuntu 12.04.5 LTS
Web server:
Apache2
Database:
MySql
PHP version:
PHP 7.0.15-0ubuntu0.16.04.4
Nextcloud version: (see Nextcloud admin page)
11,0,2,7
Updated from an older Nextcloud/ownCloud or fresh install:
Fresh install
Where did you install Nextcloud from:
Tar from official website: Nextcloud-11.0.2.tar.bz2
Signing status:


No errors have been found.

List of activated apps:


Enabled:

  • activity: 2.4.1
  • admin_audit: 1.1.0
  • comments: 1.1.0
  • dav: 1.1.1
  • federatedfilesharing: 1.1.1
  • federation: 1.1.1
  • files: 1.6.1
  • files_pdfviewer: 1.0.1
  • files_sharing: 1.1.1
  • files_texteditor: 2.2
  • files_trashbin: 1.1.0
  • files_versions: 1.4.0
  • files_videoplayer: 1.0.0
  • firstrunwizard: 2.0
  • gallery: 16.0.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.0.0
  • nextcloud_announcements: 1.0
  • notifications: 1.0.1
  • provisioning_api: 1.1.0
  • serverinfo: 1.1.1
  • sharebymail: 1.0.1
  • survey_client: 0.1.5
  • systemtags: 1.1.3
  • theming: 1.1.1
  • twofactor_backupcodes: 1.0.0
  • updatenotification: 1.1.1
  • user_external: 0.4
  • user_ldap: 1.1.2
  • workflowengine: 1.1.1

Disabled:

  • encryption
  • external
  • files_accesscontrol
  • files_automatedtagging
  • files_external
  • files_retention
  • password_policy
  • templateeditor
  • user_saml

The content of config/config.php:


{
    "system": {
        "instanceid": "ocqigl38jpv6",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xxx.xxx.org"
        ],
        "datadirectory": "/var/www/nextcloud/data",
        "overwrite.cli.url": "https://xxx.xxx.org/nextcloud",
        "dbtype": "mysql",
        "version": "11.0.2.7",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\OCA\User_LDAP\LDAPProviderFactory"
    }
}

Are you using external storage, if yes which one: local/smb/sftp/…
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
LDAP:
Kerberos with LDAP as login agent

LDAP configuration (output of sudo -u www-data php occ ldap:show-config; the two configuration tables are posted below, under the Nextcloud log heading)

Client configuration

Browser:

Operating system:

Logs

Web server error log

Nextcloud log (data/nextcloud.log)

LDAP configuration (occ ldap:show-config output):

+-------------------------------+-----------------------------------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+-----------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=ADMIN,dc=ds,dc=local |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=ds,dc=local |
| ldapBaseGroups | dc=ds,dc=local |
| ldapBaseUsers | ou=people,dc=ds,dc=local |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | uid |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=posixGroup))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 1 |
| ldapGroupFilterObjectclass | posixGroup |
| ldapGroupMemberAssocAttr | memberUid |
| ldapHost | teller.ds.local |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(|(objectclass=inetOrgPerson))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 1 |
| ldapOverrideMainServer | |
| ldapPagingSize | 1000 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | cn |
| ldapUserDisplayName2 | |
| ldapUserFilter | (|(objectclass=inetOrgPerson)(objectclass=krb5Principal)(objectclass=posixAccount)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | inetOrgPerson;krb5Principal;posixAccount |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-----------------------------------------------------------------------------------------+

+-------------------------------+---------------+
| Configuration | s02 |
+-------------------------------+---------------+
| hasMemberOfFilterSupport | 0 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | |
| ldapBaseGroups | |
| ldapBaseUsers | |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 0 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayName |
| ldapUserDisplayName2 | |
| ldapUserFilter | |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+---------------+

Browser log

Due to personal info and IPs I can't admit the log. Putting warnings and errors here.
Warning user_ldap Bind failed: 49: Invalid credentials
Warning core Login failed: 'Username'
Error index OCServerNotAvailableException: Connection to LDAP server could not be established (this one might have shown up when I was tinkering and is probably not a permanent one)
Error PHP ldap_search(): Partial search results returned: Sizelimit exceeded at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#293

I have followed this link to set up Active Directory DS. I am not able to bind a user in the ldp.exe tool.

Below is my connection output

ld = ldap_sslinit("ldaps.ad.pumahub.com", 636, 1);
Error 49 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to ldaps.ad.pumahub.com.
Retrieving base DSA information…
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=ad,DC=pumahub,DC=com;
currentTime: 9/23/2019 10:17:06 PM India Standard Time;
defaultNamingContext: DC=ad,DC=pumahub,DC=com;
dnsHostName: V8XIHHEM-YEF2AP.ad.pumahub.com;
domainControllerFunctionality: 6 = ( WIN2012R2 );
domainFunctionality: 6 = ( WIN2012R2 );
dsServiceName: CN=NTDS Settings,CN=V8XIHHEM-YEF2AP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumahub,DC=com;

forestFunctionality: 6 = ( WIN2012R2 );
highestCommittedUSN: 34195;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: ad.pumahub.com:v8xihhem-yef2ap$@AD.PUMAHUB.COM;
namingContexts (5): DC=ad,DC=pumahub,DC=com; CN=Configuration,DC=ad,DC=pumahub,DC=com; CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com; DC=DomainDnsZones,DC=ad,DC=pumahub,DC=com; DC=ForestDnsZones,DC=ad,DC=pumahub,DC=com;

rootDomainNamingContext: DC=ad,DC=pumahub,DC=com;
schemaNamingContext: CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com;
serverName: CN=V8XIHHEM-YEF2AP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumahub,DC=com;

subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com;

supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080
= ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );

supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT
); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME
); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE
); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE
); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090
= ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255;
1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets;
MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;

supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

And I am getting the below while binding the user:

53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='ldaptest@pradippatelc2gmailcom.onmicrosoft.com'; Pwd=<unavailable>; domain = 'ad.pumahub.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580
Error 0x80090346 Client's supplied SSPI channel bindings were incorrect.

While binding the user I am selecting the bind type "Bind with credentials".

The user I am binding with is a cloud AD user and is also present in the Administrator group. I have also reset the password of this user so AD DS can store the password hashes, but nothing worked.
