LDAP Error: Invalid credentials

From CMOD.wiki

What was the error?

Message Number: 384

Message Severity: Error (Corrective action is required to continue)

Message Name: ARS0384E

Message Text:

LDAP Error: Invalid Credentials -- ldap_rc=<RC> -- extended_rc=<RC>, Success -- ldap_errno=<RC>, extra_rc=<RC> File=arsldap.c, Line=<LineNo>

where <RC> is the return code, and <LineNo> is the line in the source code where the error was caught. See below for more information on common return codes and their meanings.

Related Errors

ARS0436E

What were you doing?

You were probably attempting to configure LDAP on Content Manager OnDemand for the first time, or a user attempted to authenticate with a bad User ID or password on an LDAP-enabled CMOD server.

What happened?

The LDAP server couldn't authenticate the user, because the User ID or password they provided was not correct. It may also indicate an error in your LDAP configuration.

Example

arssockd (ARCHIVE): 2015-04-29 10:54:03.274673 42422 CMODUSER  2 384 ARS0384E LDAP Error: Invalid credentials -- ldap_rc=49,  -- extended_rc=0, Success -- ldap_errno=0, extra_rc=0, File=arsldap.c, Line=1308

Troubleshooting

You may need to Disable IBM CMOD LDAP Authentication in order to return the server to operation.


Ensure you are using the correct User ID or password

  • Content Manager OnDemand treats passwords as case-insensitive by default, while LDAP servers store passwords in a case-sensitive manner.
  • To make passwords case-insensitive, CMOD converts them to uppercase ("PassWord" is changed to "PASSWORD") before hashing them and storing them in the database.
  • To change this, open the Administrative Client and, under System Parameters -> Login Details, in the top-right pane, select "Passwords Case Sensitive". Any accounts that are excluded from password authentication (i.e., the 'admin' account) will need to have their passwords entered in uppercase until they're reset.

Verify your stash file

  • You may have incorrect configuration data in your stash file. See arsstash for an explanation of stash files, or LDAP and Content Manager OnDemand for a tutorial.
  • Work with your LDAP administrators to determine the proper LDAP string to use in your stash file configuration.

The return code 49 indicates that you likely have an incorrect User ID or password, or possibly a restriction on the LDAP account which is causing the authentication request to fail. If you're using Microsoft Active Directory, you will need to change your ars.cfg file to include:

 ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName
 ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName


Activate System Trace on CMOD

Enabling System Trace to troubleshoot LDAP issues

Change the trace.settings configuration file to include the following string:

 TRACE_FILE_LEVELS=ALL=3,LDAP=15

Then make the same tracing change through the Content Manager OnDemand Administrative Client.

LDAP Return Codes

Common Active Directory return codes:
525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
534 The user has not been granted the requested logon type at this machine
701 account expired
773 user must reset password
775 user account locked
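
The following Python is an added example, not part of the original wiki page or of IBM's code. It parses the ARS0384E line layout shown in the Example section and decodes an Active Directory sub-code using the list above. It assumes the sub-code appears in the directory's diagnostic text as `data <hex>`; the function names and the diagnostic string in the sample are constructed for illustration.

```python
import re

# Active Directory sub-codes, copied from the list on this page.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired", "533": "account disabled",
    "534": "The user has not been granted the requested logon type at this machine",
    "701": "account expired", "773": "user must reset password",
    "775": "user account locked",
}

# Field layout taken from the ARS0384E example line on this page.
ARS0384E = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\d+\s+(?P<user>\S+)\s+"
    r"\d+\s+384\s+ARS0384E\b.*?ldap_rc=(?P<ldap_rc>\d+).*?"
    r"extended_rc=(?P<extended_rc>\d+).*?Line=(?P<line>\d+)"
)
# Assumption: the AD diagnostic text carries the sub-code as "data <hex>".
AD_DATA = re.compile(r"\bdata\s+([0-9a-fA-F]{3,4})\b")

def parse_ars0384e(log_line):
    """Return the fields of an ARS0384E entry as a dict, or None if no match."""
    m = ARS0384E.search(log_line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ldap_rc", "extended_rc", "line"):
        rec[key] = int(rec[key])
    return rec

def explain_ad_subcode(diagnostic):
    """Return (sub-code, meaning) for an AD diagnostic string, or None."""
    m = AD_DATA.search(diagnostic)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_SUBCODES.get(code, "not in this page's list")

if __name__ == "__main__":
    # The example log line from this page.
    sample = ("arssockd (ARCHIVE): 2015-04-29 10:54:03.274673 42422 CMODUSER  2 384 "
              "ARS0384E LDAP Error: Invalid credentials -- ldap_rc=49,  -- extended_rc=0, "
              "Success -- ldap_errno=0, extra_rc=0, File=arsldap.c, Line=1308")
    print(parse_ars0384e(sample))
    # Constructed AD diagnostic string, not taken from the page.
    print(explain_ad_subcode("AcceptSecurityContext error, data 775, v1db1"))
```

Grouping the parsed records by user and timestamp separates a single mistyped password from repeated ldap_rc=49 failures against one account, which usually points to a stale stored credential or a lockout in progress.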