Difference between revisions of "LDAP Error: Invalid credentials"

From CMOD.wiki
m (Added example.)
(major Re-write of Troubleshooting section)
Line 25: Line 25:


== Troubleshooting ==
== Troubleshooting ==
Ensure you are using the correct User ID or password.


Also, you may have incorrect configuration data in your stash fileSee [[arsstash]] for an explanation of stash files, or [[LDAP and Content Manager OnDemand]] for a tutorial.
=== Ensure you are using the correct User ID or password ===
*Content Manager OnDemand uses non-case sensitive passwords by default, while LDAP servers store passwords in a case-sensitive manner.   
*In order to do this, CMOD converts the passwords to uppercase ("PassWord" is changed to "PASSWORD") before hashing them and storing them in the database. 
*Inside the Administrative Client, under System Parameters -> Login Details, in the top-right pane, select "Passwords Case Sensitive".  Any accounts that are excluded from password authentication (ie, the 'admin' account) will need to have their passwords entered in uppercase until they're reset.


The return code 49 indicates that you likely have a configuration issue.
=== Verify your stash file ===
* You may have incorrect configuration data in your stash file.  See [[arsstash]] for an explanation of stash files, or [[LDAP and Content Manager OnDemand]] for a tutorial. 
* Work with your LDAP administrators to determine the proper LDAP string to use in your stash file configuration.


The return code 49 indicates that you likely have an incorrect User ID or password, or possibly a restriction on the LDAP account which is causing the authentication request to fail.  If you're using Microsoft Active Directory, you will need to change your [[ars.cfg]] file to include:
  ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName                                 
  ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName                               
=== Turn on server tracing ===
[[File:Trace LDAP.png|right|thumb|500px|Enabling System Trace to troubleshoot LDAP issues]]
Change the trace.settings configuration file to include the following string:
  TRACE_FILE_LEVELS=ALL=3,LDAP=15
And make the change to tracing through the Content Manager OnDemand Administrative Client.
=== LDAP Return Codes ===


{| class="wikitable"
{| class="wikitable"
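Review bot: In the new "Ensure you are using the correct User ID or password" section, the second bullet opens with "In order to do this" but nothing before it says what "this" is, and the third bullet names the "Passwords Case Sensitive" setting without saying that enabling it is the corrective step. Suggest opening the second bullet with the goal (case-insensitive passwords) and the third with what selecting the option achieves. Separately, the return code 49 paragraph and the ARS_LDAP_BIND_ATTRIBUTE / ARS_LDAP_MAPPED_ATTRIBUTE lines now sit under "Verify your stash file" although they concern [[ars.cfg]]; they would read better under their own heading, placed before "Turn on server tracing".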

Revision as of 01:26, 7 May 2015

What was the error?

Message Number: 384

Message Severity: Error (Corrective action required to proceed)

Message Name: ARS0384E

Message Text:

LDAP Error: Invalid Credentials -- ldap_rc=<RC> -- extended_rc=<RC>, Success -- ldap_errno=<RC>, extra_rc=<RC> File=arsldap.c, Line=<LineNo>

where <RC> is the return code, and <LineNo> is the line in the source code where the error was caught. See below for more information on common return codes and their meanings.

Related Errors

ARS0436E

What were you doing?

You were probably attempting to configure LDAP on Content Manager OnDemand for the first time, or a user attempted to authenticate with a bad User ID or password on an LDAP-enabled CMOD server.

What happened?

The LDAP server couldn't authenticate the user, because the User ID or password they provided was not correct. It may also indicate an error in your LDAP configuration.

Example

arssockd (ARCHIVE): 2015-04-29 10:54:03.274673 42422 CMODUSER  2 384 ARS0384E LDAP Error: Invalid credentials -- ldap_rc=49,  -- extended_rc=0, Success -- ldap_errno=0, extra_rc=0, File=arsldap.c, Line=1308

Troubleshooting

Ensure you are using the correct User ID or password

  • Content Manager OnDemand uses case-insensitive passwords by default, while LDAP servers store passwords in a case-sensitive manner.
  • To make passwords case-insensitive, CMOD converts them to uppercase ("PassWord" is changed to "PASSWORD") before hashing them and storing them in the database.
  • To have CMOD treat passwords as case-sensitive, go to System Parameters -> Login Details in the Administrative Client and, in the top-right pane, select "Passwords Case Sensitive". Any accounts that are excluded from password authentication (i.e., the 'admin' account) will need to have their passwords entered in uppercase until they're reset.

Verify your stash file

  • You may have incorrect configuration data in your stash file. See arsstash for an explanation of stash files, or LDAP and Content Manager OnDemand for a tutorial.
  • Work with your LDAP administrators to determine the proper LDAP string to use in your stash file configuration.

The return code 49 indicates that you likely have an incorrect User ID or password, or possibly a restriction on the LDAP account which is causing the authentication request to fail. If you're using Microsoft Active Directory, you will need to change your ars.cfg file to include:

 ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName                                  
 ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName                                


Turn on server tracing

[Figure: Enabling System Trace to troubleshoot LDAP issues]

Change the trace.settings configuration file to include the following string:

 TRACE_FILE_LEVELS=ALL=3,LDAP=15

Then make the corresponding change to tracing through the Content Manager OnDemand Administrative Client.


LDAP Return Codes

Common Active Directory return codes:
525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
534 The user has not been granted the requested logon type at this machine
701 account expired
773 user must reset password
775 user account locked
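
The following is an added example, not part of the original wiki page or of CMOD itself. It parses ARS0384E lines in the format of the example above, counts ldap_rc=49 failures per user so that repeated failures (password guessing, or an account heading for lockout) stand out, and maps an Active Directory sub-code to the table above. The function names, the sample lines other than the first, and the "data <hex>" trace form are assumptions.

```python
import re
from collections import Counter

# Active Directory sub-codes (hex), copied from the table on this page.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired", "533": "account disabled",
    "534": "The user has not been granted the requested logon type at this machine",
    "701": "account expired", "773": "user must reset password",
    "775": "user account locked",
}
# Field layout inferred from the one ARS0384E example line on this page.
ARS0384E = re.compile(
    r"^\S+ \([^)]+\): (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ "
    r"(?P<user>\S+)\s+\d+ \d+ ARS0384E .*?ldap_rc=(?P<ldap_rc>\d+),"
    r".*?extended_rc=(?P<extended_rc>\d+),.*?Line=(?P<line>\d+)")
# Assumption: the AD sub-code appears as "data <hex>" in the trace output.
AD_DATA = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")

def parse_ars0384e(line):
    """Return the fields of one ARS0384E line, or None if it does not match."""
    m = ARS0384E.match(line)
    if m is None:
        return None
    return {k: v if k in ("ts", "user") else int(v) for k, v in m.groupdict().items()}

def ad_reason(trace_text):
    """Map an AD sub-code found in trace text to its meaning from the table."""
    m = AD_DATA.search(trace_text)
    return AD_SUBCODES.get(m.group(1).lower()) if m else None

def repeated_failures(lines, threshold=2):
    """Users with at least `threshold` ldap_rc=49 failures among `lines`."""
    recs = (parse_ars0384e(line) for line in lines)
    hits = Counter(r["user"] for r in recs if r and r["ldap_rc"] == 49)
    return {user: n for user, n in hits.items() if n >= threshold}

# Constructed sample: the first entry reproduces the example line on this page.
_FMT = ("arssockd (ARCHIVE): 2015-04-29 {} 42422 {}  2 384 ARS0384E LDAP Error: "
        "Invalid credentials -- ldap_rc=49,  -- extended_rc=0, Success -- "
        "ldap_errno=0, extra_rc=0, File=arsldap.c, Line=1308")
SAMPLE_LOG = [_FMT.format(t, u) for t, u in (
    ("10:54:03.274673", "CMODUSER"), ("10:54:09.101220", "CMODUSER"),
    ("10:55:40.000311", "JDOE"))]

if __name__ == "__main__":
    # The trace string passed to ad_reason is constructed for illustration.
    print(repeated_failures(SAMPLE_LOG), ad_reason("AcceptSecurityContext error, data 775, v1db1"))
```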