LDAP Errors

Posted: Tue Nov 08, 2016 3:32 pm
by jreach
Hello,

We are having the following error show up for users (both new accounts in AD and existing accounts).

LDAP invalid credentials on ldaps://PDC_IP/: {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 701, v1772', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=DISPLAY_NAME,CN=Users,DC=DOMAIN,DC=com' via search (u'DC=DOMAIN, DC=com', 2, u'(&(sAMAccountName=LOGIN_ID)(memberOf=CN=VPNUsers, CN=Users, DC=DOMAIN, DC=com))')')

I have verified the credentials are correct for the existing user having issues. I have also created a brand new user account, and the login still fails with the above error.

I have the following set on the LDAP Configuration page on the Web GUI.

Primary Server: PDC_IP
Secondary Server: SDC_IP
Use SSL to connect to LDAP servers: (checked)
Using Domain Administrator Credentials for initial Bind

Base DN for User entries: DC=DOMAIN, DC=com
Username Attribute: sAMAccountName
Additional LDAP Requirement: memberOf=CN=VPNUsers, CN=Users, DC=DOMAIN, DC=com

Re: LDAP Errors

Posted: Tue Nov 08, 2016 3:50 pm
by TinCanTech
Initially posted in "Forum and Website support".

Please identify the OpenVPN product you are using.

Re: LDAP Errors

Posted: Tue Nov 08, 2016 4:15 pm
by jreach
Sure thing.

We are using the OpenVPN Virtual Appliance for VMware ESXi (Ubuntu 14), directly from the OpenVPN site.
Our appliance version is 2.1.4.

Re: LDAP Errors

Posted: Fri Nov 11, 2016 4:00 pm
by jreach
Any suggestions?

Re: LDAP Errors

Posted: Fri Nov 11, 2016 5:26 pm
by novaflash
Sounds to me like the credentials are invalid. Or the user account is expired or the password is expired and needs changing.

Re: LDAP Errors

Posted: Tue Sep 10, 2019 3:12 pm
by vicenac
The bind DN is like this:
CN=firstname lastname, CN=domain_ou, DC=domain, DC=tld
So the first DN is not the user name, but the Display Name.

Re: LDAP Errors

Posted: Fri May 19, 2023 6:06 pm
by anazary
LDAP errors are mostly caused by the Access Server not being able to resolve the IP of the LDAP server, and you would need to add the IP address of the LDAP server to the hosts file. The following is an example of one of those errors:

LDAP invalid credentials on server: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 - bindResponse - None (facility='initialize [Server]')

Re: LDAP Errors

Posted: Sat May 20, 2023 12:36 pm
by openvpn_inc
Hello anazary,

If the LDAP server cannot be reached you get errors like:

2023-05-20T12:33:25+0000 [stdout#info] [WEB] OUT: '2023-05-20T12:33:25+0000 [stdout#info] Web login authentication failed: {\'status\': 2, \'user\': \'ldap\', \'reason\': "Cannot connect to LDAP server ldap://x.x.x.x: socket connection error while opening: [Errno 111] Connection refused (facility=\'initialize [x.x.x.x]\')"}'
The error you pasted contains an actual response from the LDAP server itself, and the LDAP server is giving you error codes. These error codes do not come from the Access Server; they come from the LDAP server (codes like LDAPInvalidCredentialsResult, 52e and so on). Since these error codes are coming from an LDAP server, obviously the connection to the LDAP server is actually working.

So I am not sure what problem you are experiencing, and it is certainly worth a try to use an IP instead of a hostname to connect to an LDAP server, but I am not sure your statement about that exact error message meaning that the server hostname could not be resolved is entirely accurate.

Kind regards,
Johan
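The thread turns on one distinction: a "Cannot connect" socket error means the Access Server never reached the directory, while an `AcceptSecurityContext error, data NNN` string is the domain controller's own verdict on the bind, and the hex sub-code says why. The following triage helper is an added example, not Access Server code; it extracts that sub-code and maps it using the widely documented Active Directory values (the thread itself only shows 701 and 52e; the rest of the table is included so the helper generalises). The sample lines are constructed abbreviations of the messages quoted above.

```python
import re

# Well-known AD sub-codes that accompany LDAP result 49 (invalidCredentials).
# Only 701 and 52e appear in this thread; the others are standard AD values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password before logging on",
    "775": "account locked out",
}

_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_CONNECT_RE = re.compile(
    r"Cannot connect to LDAP server|socket connection error|Connection refused")


def classify_ldap_error(message: str) -> dict:
    """Classify one Access Server LDAP log line as a connect or bind failure."""
    if _CONNECT_RE.search(message):
        # No LDAP response at all: network, DNS, firewall or wrong port/IP.
        return {"stage": "connect", "subcode": None,
                "meaning": "LDAP server unreachable; not a credential problem"}
    m = _SUBCODE_RE.search(message)
    if m:
        # The DC answered the bind and rejected it; the sub-code explains why.
        code = m.group(1).lower()
        return {"stage": "bind", "subcode": code,
                "meaning": AD_BIND_SUBCODES.get(
                    code, "unrecognised AD sub-code; check the DC security log")}
    return {"stage": "unknown", "subcode": None,
            "meaning": "no recognised marker; inspect the full log line"}


# Constructed samples, shortened from the three messages quoted in the thread.
SAMPLES = [
    "LDAP invalid credentials on ldaps://PDC_IP/: {'info': '80090308: LdapErr: "
    "DSID-0C0903AA, comment: AcceptSecurityContext error, data 701, v1772'}",
    "LDAP invalid credentials on server: LDAPInvalidCredentialsResult - 49 - "
    "80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563",
    "Cannot connect to LDAP server ldap://x.x.x.x: socket connection error while "
    "opening: [Errno 111] Connection refused (facility='initialize [x.x.x.x]')",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_ldap_error(line))
```

On the first sample this yields sub-code 701 (account expired), which is consistent with the "account is expired" suggestion earlier in the thread rather than a wrong password.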