Summary:
SsoConfig > Test LDAP displays the following error:
Enter username > ldapuser
Enter password >
We will now attemp to bind to the supplied LDAP server using the LdapConnectionUser and LdapConnectionPassword supplied in the SSO Config utility.
ldapSearchDomain = LDAP://myldapservername.corp.com/
DirContext.SECURITY_AUTHENTICATION = simple
Could not read the provided ldapEncryption mechanism. Defaulting to SIMPLE authentication
DirContext.SECURITY_PRINCIPAL = ldapuser
DirContext.SECURITY_CREDENTIALS set
Could not obtain a DirectoryContext.
javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
Logon failure: unknown user name or bad password.
Bind to the directory failed.
Solution:
The Test LDAP error code 49 - 80090308 can occur when the Connection User is set to the dynamic value, represented by {0}, and Encryption is set to False or left blank. In such configurations, either set the Encryption setting to an encryption type or set the Connection User to a static LDAP user name.
Solution 1: Set the Encryption option to DIGEST-MD5, GSSAPI or SSHA if supported by the LDAP server.
Example of setting Encryption in NFA:
1. Launch the %NFAHOMEPATH%\Portal\SSO\bin\SsoConfig
SSO Configuration:
1. CA Performance Center
2. CA Network Flow Analysis
Choose an option >2
SSO Configuration/CA Network Flow Analysis:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option >1
SSO Configuration/CA Network Flow Analysis/LDAP Authentication:
Connection User: {0}
Connection Password: ***
Search Domain: LDAP://myldapservername.corp.com/DC=CORP,DC=com
Search String: (sAMAccountName={0})
Search Scope: Subtree
User Bind: Disabled
Encryption: False
Account User: {sAMAccountName}
Account User Default Clone: user
Group:
Krb5ConfigFile:
1. Remote Value
2. Local Override
Choose an option >2
SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User:
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 7
Enter U to update this value
Enter new value > DIGEST-MD5
The following displays with DIGEST-MD5 configured:
SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User:
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption: DIGEST-MD5
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Run Test LDAP and confirm that authentication is successful.
Solution 2: Set the Connection User to a static LDAP user name and set the Connection Password if the available Encryption types are not supported or the Encryption type is unknown. In this configuration the User Bind setting should also be enabled.
NFA example of configuring a static Connection User, Connection Password and User Bind:
1. Launch the %NFAHOMEPATH%\Portal\SSO\bin\SsoConfig
SSO Configuration:
1. CA Performance Center
2. CA Network Flow Analysis
Choose an option >2
SSO Configuration/CA Network Flow Analysis:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option >1
SSO Configuration/CA Network Flow Analysis/LDAP Authentication:
Connection User: {0}
Connection Password: ***
Search Domain: LDAP://myldapservername.corp.com/DC=CORP,DC=com
Search String: (sAMAccountName={0})
Search Scope: Subtree
User Bind: Disabled
Encryption: False
Account User: {sAMAccountName}
Account User Default Clone: user
Group:
Krb5ConfigFile:
1. Remote Value
2. Local Override
Choose an option >2
SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User:
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 1
Enter U to update this value
Enter new value > CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
After configuring the Connection User, choose option 2 to set the Connection Password.
Example:
SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User: CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 2
Enter U to update this value
Enter new value > (note: the characters you type are not displayed)
After configuring the Connection Password, choose option 6 to enable the User Bind.
Example:
SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User: CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
2. Connection Password: *******
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 6
Enter U to update this value
Valid values:
0. Disabled
1. Enabled
Choose an option > 1
The following displays:
SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User: CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
2. Connection Password: *******
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind: Enabled
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Run Test LDAP and confirm that authentication is successful.
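The rule from the Solution section can be checked against the settings listings before running Test LDAP. The following is an added example, not part of SsoConfig or the original article: it merges a Remote Value listing with a Local Override listing and reports the conditions described above. It assumes that a non-empty override replaces the remote value, and its third finding assumes the connection has no TLS layer, which the article does not state; the function and finding names are hypothetical.

```python
import re

def parse_listing(text):
    """Parse 'Key: Value' lines; tolerates the 'N. ' prefix of the override menu."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\.\s*)?([^:]+):\s*(.*)$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings

def effective(remote, override):
    """Assumption: a non-empty Local Override value replaces the Remote Value."""
    merged = dict(remote)
    merged.update({k: v for k, v in override.items() if v})
    return merged

def check(cfg):
    """Return findings for the conditions described in the Solution section."""
    findings = []
    dynamic = "{0}" in cfg.get("Connection User", "")
    no_enc = cfg.get("Encryption", "").lower() in ("", "false")
    if dynamic and no_enc:
        findings.append("dynamic-user-without-encryption")  # expect error code 49
    if not dynamic and cfg.get("User Bind", "").lower() != "enabled":
        findings.append("static-user-without-user-bind")
    if no_enc and cfg.get("Search Domain", "").lower().startswith("ldap://"):
        findings.append("simple-bind-over-plain-ldap")  # password sent unencrypted
    return findings

# Constructed from the listings on this page (abridged).
REMOTE = parse_listing("""\
Connection User: {0}
Connection Password: ***
Search Domain: LDAP://myldapservername.corp.com/DC=CORP,DC=com
User Bind: Disabled
Encryption: False
""")
SOLUTION_1 = parse_listing("1. Connection User:\n7. Encryption: DIGEST-MD5\n")
SOLUTION_2 = parse_listing(
    "1. Connection User: CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com\n"
    "2. Connection Password: *******\n6. User Bind: Enabled\n7. Encryption:\n")

if __name__ == "__main__":
    for name, override in [("original", {}), ("solution 1", SOLUTION_1),
                           ("solution 2", SOLUTION_2)]:
        print(name, check(effective(REMOTE, override)))
```

With Solution 2 the error 49 condition clears, but the bind is still SIMPLE over LDAP://, so the check keeps reporting the plain-text bind.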
This has also been posted in the Knowledge Base on Support.ca.com as TEC1142597.