Question & Answer
Question
After enabling Global Security with an LDAP user registry and restarting IBM WebSphere Application Server, the following error occurs on server startup: SECJ0352E: Could not get the users matching the pattern JoeUser because of the following exception javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
Cause
Following the instructions in the MustGather: Security problems document, the trace.log shows the following:
[10/19/07 12:04:28:037 EDT] 7a39ad4c LdapRegistryI > getUsers
JoeUser
2
[10/19/07 12:04:28:037 EDT] 7a39ad4c LdapRegistryI > search
[10/19/07 12:04:28:037 EDT] 7a39ad4c LdapRegistryI d DN: DC=IBM,DC=COM
[10/19/07 12:04:28:037 EDT] 7a39ad4c LdapRegistryI d Search scope: 2
[10/19/07 12:04:28:037 EDT] 7a39ad4c LdapRegistryI d Filter: (&(CN=JoeUser)(objectcategory=user))
...
[10/19/07 12:04:28:047 EDT] 7a39ad4c LdapRegistryI A Fail connect to ldap://MyLdap.raleigh.ibm.com:389
[10/19/07 12:04:28:047 EDT] 7a39ad4c LdapRegistryI d javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
...
[10/19/07 12:04:28:147 EDT] 7a39ad4c LdapRegistryI E SECJ0352E: Could not get the users matching the pattern JoeUser because of the following exception javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2666)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:307)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:81)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:675)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:257)
at javax.naming.InitialContext.init(InitialContext.java:233)
at javax.naming.InitialContext.<init>(InitialContext.java:209)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:94)
at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.getDirContext(LdapRegistryImpl.java:2353)
at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.search(LdapRegistryImpl.java:1850)
An ldapsearch for the same user, run without binding (no Bind DN or password supplied), fails with:
ldapsearch -h MyLdap.raleigh.ibm.com -p 389 -b "DC=IBM,DC=COM" CN=JoeUser
ldap_search: Operations error
ldap_search: additional info: 00000000: LdapErr: DSID-0C090627, comment:
In order to perform this operation a successful bind must be completed
on the connection., data 0, vece
Answer
The LDAP server is not set up to accept anonymous binds, and the registry search was attempted without a Bind DN, as the unauthenticated ldapsearch above shows. To resolve the problem, either configure the LDAP server to allow anonymous binds, or specify a Bind Distinguished Name and Bind password in the WebSphere Application Server LDAP user registry settings. The second option is preferable: allowing anonymous binds exposes directory contents to any unauthenticated client, whereas a dedicated read-only bind account limits what the application server can see.
The sub-code in the error text is a useful check when the error persists after a Bind DN is configured. On Active Directory, "data 525" means the bind DN could not be found, and "data 52e" means the DN exists but the password is wrong, so verify that the Bind DN is correct and fully qualified before changing the password.
For more information about setting the Bind DN and Bind Password, see steps 9 and 10 in the Configuring Lightweight Directory Access Protocol user registries topic.
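The following script is an added example, not part of the IBM technote. It repeats the registry's search from the trace (same base DN and filter) with an explicit Bind DN, and then classifies the server's reply into the cases a practitioner meets when diagnosing this error: anonymous bind refused, bind DN not found (data 525), wrong password (data 52e), wrong base DN, or success. The host, base DN and the service account CN=wasbind are placeholder assumptions; the command flags assume the OpenLDAP ldapsearch client (-x selects a simple bind, 1.1 requests no attributes); the IBM client in the technote takes -D and -w without -x.

```shell
#!/bin/sh
# Added example: reproduce the WebSphere LDAP registry search with a Bind DN
# and triage the result.  Values below are assumptions, not from the technote.
LDAP_HOST="${LDAP_HOST:-MyLdap.raleigh.ibm.com}"
LDAP_PORT="${LDAP_PORT:-389}"
BASE_DN="${BASE_DN:-DC=IBM,DC=COM}"
BIND_DN="${BIND_DN:-CN=wasbind,CN=Users,DC=IBM,DC=COM}"   # assumed read-only service account
BIND_PW="${BIND_PW:-}"

# Run the same search the registry runs (trace: Filter (&(CN=user)(objectcategory=user)),
# scope 2 = subtree), but authenticated with the Bind DN.  Output is captured for triage.
ldap_bind_search() {
    user="$1"
    ldapsearch -x -h "$LDAP_HOST" -p "$LDAP_PORT" \
        -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" -s sub "(&(CN=$user)(objectcategory=user))" 1.1 2>&1
}

# Classify ldapsearch output.  Order matters: the Active Directory sub-codes
# (data 525 / 52e) are checked before the generic "error code 49" case.
classify_ldap_result() {
    out="$1"
    case "$out" in
        *"result: 0 Success"*|*"dn: "*)                 echo "ok" ;;
        *"successful bind must be completed"*)          echo "anonymous-bind-refused" ;;
        *"AcceptSecurityContext error, data 525"*)      echo "bind-dn-not-found" ;;
        *"AcceptSecurityContext error, data 52e"*)      echo "invalid-credentials" ;;
        *"error code 49"*|*"Invalid credentials"*)      echo "bind-rejected" ;;
        *"No such object"*|*"error code 32"*)           echo "base-dn-wrong" ;;
        *)                                              echo "unknown" ;;
    esac
}

# Only contact the directory when a user to look up is supplied, e.g.
#   LDAP_CHECK_USER=JoeUser BIND_PW='...' sh ldapcheck.sh
if [ -n "${LDAP_CHECK_USER:-}" ]; then
    result="$(ldap_bind_search "$LDAP_CHECK_USER")"
    echo "$result"
    echo "diagnosis: $(classify_ldap_result "$result")"
fi
```

Passing the password with -w puts it in the process list; on a shared host use -W (prompt) or -y passwordfile with the OpenLDAP client instead. A diagnosis of "anonymous-bind-refused" with an empty BIND_PW reproduces the technote's symptom; "bind-dn-not-found" after supplying credentials points at the Bind DN rather than the password.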
Document Information
Modified date: 15 June 2018
UID: swg21284770