LDAP Errors

jreach
OpenVpn Newbie
Posts: 4
Joined: Tue Nov 08, 2016 3:21 pm

LDAP Errors

Post by jreach » Tue Nov 08, 2016 3:32 pm

Hello,

We are having the following error show up for users (both new accounts in AD and existing accounts).

LDAP invalid credentials on ldaps://PDC_IP/: {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 701, v1772', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=DISPLAY_NAME,CN=Users,DC=DOMAIN,DC=com' via search (u'DC=DOMAIN, DC=com', 2, u'(&(sAMAccountName=LOGIN_ID)(memberOf=CN=VPNUsers, CN=Users, DC=DOMAIN, DC=com))')')

I have verified the credentials are correct for the existing user having issues. I have also created a brand new user account, and the login still fails with the above error.

I have the following set on the LDAP Configuration page on the Web GUI.

Primary Server: PDC_IP
Secondary Server: SDC_IP
Use SSL to connect to LDAP servers: (checked)
Using Domain Administrator Credentials for initial Bind

Base DN for User entries: DC=DOMAIN, DC=com
Username Attribute: sAMAccountName
Additional LDAP Requirement: memberOf=CN=VPNUsers, CN=Users, DC=DOMAIN, DC=com

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: LDAP Errors

Post by TinCanTech » Tue Nov 08, 2016 3:50 pm

Initially posted in "Forum and Website support".

Please identify the OpenVPN product you are using.

jreach
OpenVpn Newbie
Posts: 4
Joined: Tue Nov 08, 2016 3:21 pm

Re: LDAP Errors

Post by jreach » Tue Nov 08, 2016 4:15 pm

Sure thing.

We are using the OpenVPN Virtual Appliance for VMware ESXi (Ubuntu 14), directly from the OpenVPN site.
Our appliance Version is 2.1.4

jreach
OpenVpn Newbie
Posts: 4
Joined: Tue Nov 08, 2016 3:21 pm

Re: LDAP Errors

Post by jreach » Fri Nov 11, 2016 4:00 pm

Any suggestions?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: LDAP Errors

Post by novaflash » Fri Nov 11, 2016 5:26 pm

Sounds to me like the credentials are invalid. Or the user account is expired or the password is expired and needs changing.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

vicenac
OpenVpn Newbie
Posts: 3
Joined: Wed Jul 10, 2019 10:48 pm

Re: LDAP Errors

Post by vicenac » Tue Sep 10, 2019 3:12 pm

The bind DN is like this:
CN=firstname lastname, CN=domain_ou, DC=domain, DC=tld
So the first DN is not the user name, but the Display Name.

anazary
OpenVpn Newbie
Posts: 3
Joined: Fri May 19, 2023 6:02 pm

Re: LDAP Errors

Post by anazary » Fri May 19, 2023 6:06 pm

LDAP errors are mostly caused by the Access Server not being able to resolve the IP of the LDAP server, and you would need to add the IP address of the LDAP server to the hosts file. The following is an example of one of those errors:

LDAP invalid credentials on server: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 - bindResponse - None (facility='initialize [Server]')

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: LDAP Errors

Post by openvpn_inc » Sat May 20, 2023 12:36 pm

Hello anazary,

If the LDAP server cannot be reached you get errors like:

2023-05-20T12:33:25+0000 [stdout#info] [WEB] OUT: '2023-05-20T12:33:25+0000 [stdout#info] Web login authentication failed: {\'status\': 2, \'user\': \'ldap\', \'reason\': "Cannot connect to LDAP server ldap://x.x.x.x: socket connection error while opening: [Errno 111] Connection refused (facility=\'initialize [x.x.x.x]\')"}'

The error you pasted contains an actual response from the LDAP server itself, and the LDAP server is giving you error codes. These error codes do not come from the Access Server, they come from the LDAP server. Codes like LDAPInvalidCredentialsResult and 52e and so on. Since these error codes are coming from an LDAP server, obviously the connection to the LDAP server is actually working.

So I am not sure what problem you are experiencing, and it is certainly worth a try to use an IP instead of a hostname to connect to an LDAP server, but I am not sure your statement about that exact error message meaning that the server hostname could not be resolved is entirely accurate.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
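As an added triage example (not code from any post in this thread or from OpenVPN Inc.): a small Python helper that sorts Access Server LDAP log lines into "could not reach the directory" versus "the directory answered and refused the bind", and maps the Active Directory `data` subcode to its documented meaning. The subcode is more specific than the generic `Invalid credentials` text: `data 701` in the first post means the account itself has expired, while `data 52e` means a wrong password. The sample lines are shortened copies of the messages quoted in this thread plus one constructed line with `data 773`.

```python
import re
from collections import Counter
from typing import Dict, Tuple

# Documented Active Directory bind "data" subcodes, as they appear (hex) in the log text.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_CONNECT_RE = re.compile(r"Cannot connect to LDAP server (\S+)")


def classify_ldap_log_line(line: str) -> Tuple[str, str]:
    """Return (category, detail) for one Access Server LDAP log line.

    'connect' : Access Server never got an answer (network, DNS, firewall, service down)
    'bind'    : the directory answered; detail is the decoded AD subcode
    'unknown' : no recognisable LDAP diagnostic in the line
    """
    m = _CONNECT_RE.search(line)
    if m:
        return ("connect", "no LDAP response from " + m.group(1).rstrip(":"))
    m = _AD_DATA_RE.search(line)
    if m:
        code = m.group(1).lower()
        return ("bind", AD_BIND_SUBCODES.get(code, "unrecognised AD subcode " + code))
    return ("unknown", "no LDAP diagnostic found")


def summarize(lines) -> Dict[str, int]:
    """Count how many lines fall into each (category, detail) bucket."""
    return dict(Counter(classify_ldap_log_line(l) for l in lines))


# Sample input: shortened copies of the thread's messages plus one constructed line.
SAMPLE_LINES = [
    "LDAP invalid credentials on ldaps://PDC_IP/: {'info': '80090308: LdapErr: DSID-0C0903AA, "
    "comment: AcceptSecurityContext error, data 701, v1772', 'desc': 'Invalid credentials'}",
    "LDAP invalid credentials on server: LDAPInvalidCredentialsResult - 49 - invalidCredentials "
    "- None - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563",
    "Web login authentication failed: Cannot connect to LDAP server ldap://x.x.x.x: socket "
    "connection error while opening: [Errno 111] Connection refused",
    "LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 773, v4563",  # constructed
]
```

Running `summarize(SAMPLE_LINES)` on the constructed sample separates the single connection failure from the three refused binds, each with its decoded reason.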