Hello,
We are having the following error show up for users (both new accounts in AD and existing accounts).
LDAP invalid credentials on ldaps://PDC_IP/: {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 701, v1772', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=DISPLAY_NAME,CN=Users,DC=DOMAIN,DC=com' via search (u'DC=DOMAIN, DC=com', 2, u'(&(sAMAccountName=LOGIN_ID)(memberOf=CN=VPNUsers, CN=Users, DC=DOMAIN, DC=com))')')
I have verified the credentials are correct for the existing user having issues. I have also created a brand new user account, and the login still fails with the above error.
I have the following set on the LDAP Configuration page on the Web GUI.
Primary Server: PDC_IP
Secondary Server: SDC_IP
Use SSL to connect to LDAP servers: (checked)
Using Domain Administrator Credentials for initial Bind
Base DN for User entries: DC=DOMAIN, DC=com
Username Attribute: sAMAccountName
Additional LDAP Requirement: memberOf=CN=VPNUsers, CN=Users, DC=DOMAIN, DC=com
LDAP Errors
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: LDAP Errors
Initially posted in "Forum and Website support".
Please Identify the Openvpn Product you are using.
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Nov 08, 2016 3:21 pm
Re: LDAP Errors
Sure thing.
We are using the OpenVPN Virtual Appliance VMware ESXI (Ubuntu 14), directly from the OpenVPN site.
Our appliance Version is 2.1.4
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Nov 08, 2016 3:21 pm
Re: LDAP Errors
Any suggestions?
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: LDAP Errors
Sounds to me like the credentials are invalid. Or the user account is expired or the password is expired and needs changing.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Jul 10, 2019 10:48 pm
Re: LDAP Errors
The bind DN is like this:
CN=firstname lastname, CN=domain_ou, DC=domain, DC=tld
So the first DN is not the user name, but the Display Name.
- OpenVpn Newbie
- Posts: 3
- Joined: Fri May 19, 2023 6:02 pm
Re: LDAP Errors
LDAP errors are mostly caused by the Access Server not being able to resolve the IP of the LDAP server, and you would need to add the IP address of the LDAP server to the hosts file; the following is an example of one of those errors:
LDAP invalid credentials on server: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 - bindResponse - None (facility='initialize [Server]')
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: LDAP Errors
Hello anazary,
The error you pasted contains an actual response from the LDAP server itself, and the LDAP server is giving you error codes. These error codes do not come from the Access Server, they come from the LDAP server. Codes like LDAPInvalidCredentialsResult and 52e and so on. Since these error codes are coming from an LDAP server, obviously the connection to the LDAP server is actually working.
If the LDAP server cannot be reached you get errors like:
2023-05-20T12:33:25+0000 [stdout#info] [WEB] OUT: '2023-05-20T12:33:25+0000 [stdout#info] Web login authentication failed: {\'status\': 2, \'user\': \'ldap\', \'reason\': "Cannot connect to LDAP server ldap://x.x.x.x: socket connection error while opening: [Errno 111] Connection refused (facility=\'initialize [x.x.x.x]\')"}'
So I am not sure what problem you are experiencing, and it is certainly worth a try to use an IP instead of a hostname to connect to an LDAP server, but I am not sure your statement about that exact error message meaning that the server hostname could not be resolved is entirely accurate.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
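Added example, not from this thread or from OpenVPN: a small Python triage helper for the three kinds of log line quoted above. It separates a socket-level failure (directory never reached, Johan's point) from a bind the directory answered and rejected, and maps the Active Directory "data NNN" sub-code (701 and 52e in this thread) to its documented meaning, which is what novaflash's "expired account or password" reply is about. The sub-code table is Microsoft's documented AcceptSecurityContext values; the sample lines are constructed, shortened from the ones quoted in the thread.

```python
import re

# AD sub-codes in the "data NNN" field of a rejected bind (Microsoft's documented values).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

DATA_CODE_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")
CONNECT_RE = re.compile(r"Cannot connect to LDAP server (?P<server>\S+):")
FACILITY_RE = re.compile(r"facility=\\?'(?P<facility>\w+)")  # tolerates the escaped \' form


def classify_ldap_log_line(line: str) -> dict:
    """Triage one Access Server LDAP log line.

    A socket error means the directory was never reached; an AcceptSecurityContext
    sub-code means it answered and says why the bind was rejected. The facility tells
    which step failed: 'initialize' = admin bind, 'user_bind' = the user's own bind.
    """
    facility = FACILITY_RE.search(line)
    result = {"facility": facility.group("facility") if facility else None}
    m = CONNECT_RE.search(line)
    if m:
        result.update(reached_server=False, server=m.group("server"),
                      diagnosis="LDAP server not reachable (network or name resolution)")
        return result
    m = DATA_CODE_RE.search(line)
    if m:
        code = m.group("code").lower()
        result.update(reached_server=True, data_code=code,
                      diagnosis=AD_BIND_SUBCODES.get(code, "unknown AD sub-code"))
        return result
    result.update(reached_server=None, diagnosis="not an LDAP bind/connect error")
    return result


# Constructed sample lines, shortened from those quoted in this thread.
SAMPLE_LINES = [
    "LDAP invalid credentials on ldaps://PDC_IP/: {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 701, v1772'} (facility='user_bind on u'CN=X')",
    "LDAP invalid credentials on server: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 - bindResponse (facility='initialize [Server]')",
    "Cannot connect to LDAP server ldap://x.x.x.x: socket connection error while opening: [Errno 111] Connection refused (facility='initialize [x.x.x.x]')",
]
```

Run over the first sample line this reports that the admin bind and search already succeeded (facility user_bind) and the directory itself rejected the user with sub-code 701, which is the check to make before touching hosts files or DNS.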