Question
Hello,
What does the following error code data 534 mean?
LDAP: error code 49 — 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 534, v1db0^@]
Answers
Hi,
Thanks for your patience.
LDAP error code 49 is caused by invalid credentials. Please refer to the following most likely causes.
1. The DN path or password which you have specified for the administrator is invalid. Any of the below will result in this error:
1). Pointed to a non-user DN
2). Pointed to a non-existent user, but in an existing DN
3). Pointed to a non-existent DN
4). Pointed to an existing user, but a non-existent DN
5). Pointed to an incorrect admin DN, uid instead of cn
6). Pointed to a non-administrator user
7). Pointed to a valid admin but the password is incorrect
2. Could not authenticate the user trying to log in. This can be the result of an incorrect username or password, or an incorrect prefix and/or suffix specified in the Settings tab, depending on the type of LDAP/AD system. It could also mean the authentication type is incorrect.
Best regards,
Ann Zhu
Marked as answer: Tuesday, March 4, 2014 8:41 AM
Hello everyone.
Code:
# Customer authentication module via LDAP #
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
# Domain controller name
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dom1.k12.local';
# Domain parameters
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=k12,dc=local';
# User identifier in the form of the domain account name
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'dc=k12,dc=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::UserSuffix'} = '@k12.local';
# Location of the domain administrator account for users, and its password
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=otrs,ou=k12,dc=k12,dc=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'qwerty123';
# LDAP connection parameters
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
# Customer user LDAP backend #
$Self->{CustomerUser} = {
    # Backend name
    Name => 'Active Directory',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # Domain controller name
        Host => 'dom1.k12.local',
        # Where the customers are located
        BaseDN => 'dc=k12,dc=local',
        SSCOPE => 'sub',
        UserDN => 'cn=otrs,ou=otrs,ou=k12,dc=k12,dc=local',
        UserPw => 'qwerty123',
        # Filter
        AlwaysFilter => '(&(objectcategory=person)(objectclass=user)(mail=*)(!(description=built-In))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        SourceCharset => 'utf-8',
        DestCharset => 'utf-8',
    },
    ReadOnly => 1,
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['givenname', 'sn', 'mail'],
    CustomerUserSearchFields => ['displayName','sAMAccountName','givenName', 'sn', 'mail','description'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserPostMasterSearchFields => ['displayName','sAMAccountName','givenName','sn','mail','description'],
    CustomerUserNameFields => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    CacheTTL => 120,
    Map => [
        [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenName', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephoneNumber', 1, 0, 'var' ],
        [ 'UserAddress', 'Address', 'postalAddress', 1, 0, 'var' ],
        [ 'UserStreet', 'Street', 'streetAddress', 1, 0, 'var' ],
        [ 'UserCity', 'City', 'l', 1, 0, 'var' ],
        [ 'UserZip', 'ZIP', 'postalCode', 1, 0, 'var' ],
        [ 'UserCountry', 'Country', 'co', 1, 0, 'var' ],
        [ 'UserComment', 'Comment', 'wWWHomePage', 1, 0, 'var' ],
    ],
};
Issue
- Why is the error below reported when trying to list the domain users after integrating keystone with AD?
[root@myvm ~(keystone_admin)]# openstack user list --domain TEST
ERROR: openstack An unexpected error prevented the server from fulfilling your request: {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'} (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-ca7182e7-7f56-4542-9eb5-a68645e90353)
- Why am I not able to list the domain users in an OpenStack setup?
Environment
- Red Hat Enterprise Linux OpenStack Platform 7.
I am trying to configure otrs to use LDAP for agent login to the webpage. I have done the following in Config.PM
# Enable LDAP authentication for Customers / Users
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.*.*.84';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=vsc,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs_allow_Agents,cn=builtin,dc=vsc,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs_ldap,cn=builtin,dc=vsc,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*******';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
Whenever I try to log into the otrs webpage I get the following errors in apache/error.log
ERROR: OTRS-CGI-10 Perl: 5.12.4 OS: linux Time: Thu Jul 14 14:45:03 2011
Message: First bind failed! 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0
Traceback (5137):
Module: Kernel::System::Auth::LDAP::Auth (v1.59) Line: 187
Module: Kernel::System::Auth::Auth (v1.50) Line: 181
Module: Kernel::System::Web::InterfaceAgent::Run (v1.58.2.1) Line: 201
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.89.2.1) Line: 204
Module: ModPerl::RegistryCooker::run (v1.89.2.1) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.89.2.1) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
ERROR: OTRS-CGI-10 Perl: 5.12.4 OS: linux Time: Thu Jul 14 14:45:15 2011
Message: First bind failed! 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0
Traceback (5137):
Module: Kernel::System::Auth::LDAP::Auth (v1.59) Line: 187
Module: Kernel::System::Auth::Auth (v1.50) Line: 181
Module: Kernel::System::Web::InterfaceAgent::Run (v1.58.2.1) Line: 201
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.89.2.1) Line: 204
Module: ModPerl::RegistryCooker::run (v1.89.2.1) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.89.2.1) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
ERROR: OTRS-CGI-10 Perl: 5.12.4 OS: linux Time: Thu Jul 14 14:45:15 2011
Message: No UserID found for ‘dlarson@vsc.com’!
Traceback (5137):
Module: Kernel::System::User::UserLookup (v1.114.2.2) Line: 746
Module: Kernel::System::Auth::Auth (v1.50) Line: 216
Module: Kernel::System::Web::InterfaceAgent::Run (v1.58.2.1) Line: 201
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.89.2.1) Line: 204
Module: ModPerl::RegistryCooker::run (v1.89.2.1) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.89.2.1) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
I’m not sure what I have misconfigured.
Hi,
I am running Zimbra Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P6.
The users get authenticated against a Windows 2008R2 DC (LDAP port 3268).
This works most of the time.
Sometimes a random user tries to log in and immediately gets "error in network service".
After waiting some time the login works again.
In the mailbox.log I see:
2016-05-11 08:20:57,051 INFO [qtp509886383-1216983:http://127.0.0.1:80/service/soap/AuthRequest] [name=mgloss@mydomain.hq;oip=10.58.0.91;ua=zclient/8.6.0_GA_1194;] SoapEngine — handler exception: authentication failed for [mgloss@mydomain.hq], external LDAP auth failed, LDAP error: — unable to ldap authenticate: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2016-05-11 08:20:57,051 INFO [qtp509886383-1216983:http://127.0.0.1:80/service/soap/AuthRequest] [name=mgloss@mydomain.hq;oip=10.58.0.91;ua=zclient/8.6.0_GA_1194;] soap — AuthRequest elapsed=5
2016-05-11 08:21:00,922 INFO [qtp509886383-1216982:http://127.0.0.1:80/service/soap/AuthRequest] [] misc — Access to IP 10.58.50.91suspended, for repeated failed login.
There are NO authentication errors before!
The interesting part is:
zmprov gacf |grep -i InvalidLoginFilter
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 15
zimbraInvalidLoginFilterMaxFailedLogin: 10
zimbraInvalidLoginFilterMaxSizeOfFailedIpDb: 7000
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
So the question is:
What is the time range for the 10 invalid logins?
How can it happen that the CSFE_SVC_ERROR is hit after the first invalid login?
Best regards
Thomas
Hi
I’m trying to get the LDAP authentication to work. I’m using the following LDAP settings
Bind Search:
{"filter": "(&(objectclass=person)(sAMAccountName=#{username}))", "scope": "sub", "userDN": "bind@domain.local", "password": "passwd"}
Distinguished Name (DN):
When I try logging in, I get the "username not found or incorrect password".
If I type the incorrect password (seems like LDAP is correct):
Bind before search bind@domain.local passwd
LDAP search dn DC=domain,DC=local
LDAP search options { filter: '(&(objectclass=person)(sAMAccountName=john))',
scope: 'sub' }
Attempt to bind CN=John Doe,OU=Users,OU=Parent,DC=domain,DC=local
{ [InvalidCredentialsError: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
dn: [Getter],
code: [Getter],
name: [Getter],
message: [Getter] }
{ [Error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 [49]]
error: 49,
reason: '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1\u0000',
details: undefined,
message: '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1\u0000 [49]',
errorType: 'Meteor.Error' }
Which is kinda expected, but it shows that the LDAP search is working. Now, if I type the correct password:
Bind before search bind@domain.local passwd
LDAP search dn DC=domain,DC=local
LDAP search options { filter: '(&(objectclass=person)(sAMAccountName=john))',
scope: 'sub' }
Attempt to bind CN=John Doe,OU=Users,OU=Parent,DC=domain,DC=local
And there it stops, and I receive (client side) the same error as if the password was incorrect.
Am I missing something, or is this a bug?
Product:
Cognos Business Intelligence (BI) 10.2.2 Fix pack 6
Microsoft Windows 2012 R2 server
Issue:
When a new domain is added to the list of namespaces in Cognos BI, the test or startup gives an error message.
In our example the new domain is named ExtAD.
Error message:
[‘ExtAD’]
[ ERROR ] CAM-AAA-0146 The namespace ‘ExtAD’ is not available.
[ ERROR ] CAM-AAA-0064 The function ‘Configure’ failed.
[ ERROR ] CAM-AAA-0089 The provider is not initialized.
[ ERROR ] CAM-AAA-0036 Unable to authenticate because the credentials are invalid.
[ ERROR ] ADSI Error:
8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1
System Error:
The user name or password is incorrect.
Possible Solution:
The user logged into the Windows server where you have Cognos Configuration does not have an account (or trust) in the new domain, so the test fails and the new Active Directory namespace is not shown.
Start Cognos Configuration and update the new namespace values.
Enter a Windows service account in the Binding Credentials row in Cognos Configuration for the new namespace.
Enter it in the format: domain.com\username
and the password (because it is a service account the password will never change).
Save the changes and restart the Cognos BI service where the Content Manager is.
Test browsing to the gateway again.
If Cognos 8 is running on a machine in the same forest as the configured domain/forest, you do not need to set the bind credentials explicitly. However, if you run cross-forest, you must provide the bind credentials.
You also need the binding credentials if AD is not configured to allow anonymous bind.
More Information:
If the password is correct:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 (account locked out)
If the password is incorrect, it returns:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 (unknown username or bad password)
https://social.technet.microsoft.com/Forums/lync/en-US/c1d8d706-a506-4973-9542-1e88a2a66ac0/ad-lds-and-locked-out-accounts-response-codes?forum=winserverDS
http://www-01.ibm.com/support/docview.wss?uid=swg21428900
http://www-01.ibm.com/support/docview.wss?uid=swg21432574
http://www-01.ibm.com/support/docview.wss?uid=swg21335624
https://www.ibm.com/support/knowledgecenter/SSEP7J_10.2.0/com.ibm.swg.ba.cognos.inst_cr_winux.10.2.0.doc/t_ap_active_dir_srvr.html
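The `data` value in the AcceptSecurityContext messages quoted throughout this page is a hexadecimal Win32 error code, which is why 52e and 775 above map to "bad password" and "account locked out". The following Python parser is an added example, not code from any of the posts or products above; the function names, the lookup table beyond 52e and 775, and the sample lines are constructed here for illustration.

```python
import re
from collections import Counter

# Win32 error names for common sub-codes. 52e and 775 are explained on this
# page; the other names are standard winerror.h constants added here.
WIN32_NAMES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

# Matches the diagnostic text AD appends to LDAP result code 49.
AD_DIAG = re.compile(
    r"(?P<sspi>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+"
)

def parse_ad_bind_error(line):
    """Return the fields of an AD bind diagnostic in `line`, or None."""
    m = AD_DIAG.search(line)
    if m is None:
        return None
    code = int(m.group("data"), 16)  # "data" is a hexadecimal Win32 error code
    return {
        "sspi": m.group("sspi").upper(),
        "dsid": m.group("dsid"),
        "data": m.group("data").lower(),
        "win32": code,
        "name": WIN32_NAMES.get(code),  # None: look the decimal code up
    }

def summarize(lines):
    """Count failures per sub-code, separating lockouts from bad passwords."""
    hits = (parse_ad_bind_error(line) for line in lines)
    return Counter(h["data"] for h in hits if h)

# Constructed sample lines modelled on the log excerpts quoted on this page.
SAMPLE = [
    "Message: First bind failed! 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0",
    "LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 534, v1db0\x00]",
    "ADSI Error: 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
    "soap - AuthRequest elapsed=5",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For a sub-code that is not in the table, the `win32` field gives the decimal value, which `net helpmsg <decimal>` on a Windows host turns into the system message text.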
