Troubleshooting
Problem
You configure WebSphere Liberty to use LDAP to authenticate users in Active Directory by adding an <ldapRegistry> element to server.xml. When users try to log in with Active Directory credentials, authentication fails. An error appears in the Opal logs directory:
on Windows: C:\IBM\i2analyze.old\deploy\wlp\usr\servers\opal-server\logs
on Linux: /opt/IBM/i2analyze/deploy/wlp/usr/servers/opal-server/logs
The error in the logs is similar to:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e
Diagnosing The Problem
LDAP error 49 is a standard LDAP result code, LDAP_INVALID_CREDENTIALS, defined in RFC 2251, Section 4.1.10:
4.1.10. Result Message
The LDAPResult is the construct used in this protocol to return success or failure indications from servers to clients.
In response to various requests servers will return responses containing fields of type LDAPResult to indicate the final status of a protocol operation request.
LDAPResult ::= SEQUENCE {
    resultCode ENUMERATED {
        success (0),
        operationsError (1),
        ....
        invalidCredentials (49),
The "data" value in the error is 0x52e, which is 1326 in decimal. Microsoft defines this value in WinError.h as:
ERROR_LOGON_FAILURE
1326 (0x52E)
The user name or password is incorrect.
In short, the error tells us that the user name or password used to BIND to Active Directory was incorrect.
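The decoding walked through above (LDAP result code, then the hexadecimal AD "data" sub-code) can be automated for log triage. The following is an added example, not part of the IBM technote; the sample log line is the one quoted above, 52e is the only sub-code the page discusses, and the other AD sub-codes in the table are the standard values Microsoft documents for AcceptSecurityContext failures.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the bind failure quoted from the Liberty logs above.
SAMPLE_LOG = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
              "LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e")

# LDAP result codes from the LDAPResult enumeration (49 = invalidCredentials).
LDAP_RESULT_CODES = {0: "success", 1: "operationsError", 49: "invalidCredentials"}

# Active Directory sub-codes appended as "data NNN" to result code 49.
# 0x52E is the case on the page (ERROR_LOGON_FAILURE, 1326); the rest are the
# standard AD values and are included here as an assumed reference table.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "ERROR_LOGON_FAILURE: the user name or password is incorrect",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

_PATTERN = re.compile(r"error code (\d+).*?data ([0-9a-fA-F]+)")


@dataclass
class BindFailure:
    result_code: int      # LDAP resultCode, e.g. 49
    result_name: str      # symbolic name from LDAP_RESULT_CODES
    data_hex: str         # AD sub-code as it appears in the log, e.g. "52e"
    data_decimal: int     # same value in decimal, e.g. 1326 (matches WinError.h)
    meaning: str          # human-readable meaning of the sub-code


def parse_bind_error(message: str) -> Optional[BindFailure]:
    """Extract the LDAP result code and AD sub-code from a JNDI/LDAP error line."""
    m = _PATTERN.search(message)
    if not m:
        return None
    code = int(m.group(1))
    data = int(m.group(2), 16)
    return BindFailure(result_code=code,
                       result_name=LDAP_RESULT_CODES.get(code, "unknown"),
                       data_hex=m.group(2).lower(),
                       data_decimal=data,
                       meaning=AD_BIND_SUBCODES.get(data, "unknown AD sub-code"))
```

A sub-code of 52e on the service account bind points at the bindDN/bindPassword pair in server.xml rather than at the end user's credentials.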
Resolving The Problem
Inspect the bindDN and bindPassword attributes of the <ldapRegistry> element in server.xml. Verify they contain the right values, and correct them if necessary.
<ldapRegistry id="ldap" realm="MyRealm"
    [ ... ]
    bindDN="cn=i2User,dc=intell, dc=example,dc=com"
    bindPassword="P@$$Word01"
    [ ... ]
</ldapRegistry>
After the correct user name and password are specified, Liberty is able to BIND to the Active Directory tree, and users can log in normally.
Note that these attributes require the user name and password of the Active Directory BIND account; they are not the user name and password of the interactive user who is logging in.
Document Location
Worldwide
Historical Number
TS005170223
Document Information
Modified date:
09 March 2021
UID
ibm16427903