Symantec Access Management

  • 1.  LDAP bind error on smps

    Posted Nov 20, 2018 01:38 AM

    Hi,

    I have recently installed CA Single Sign On 12.8 and CA Directory 14.0 on Linux servers.

    After that, when trying to access a protected application, I get the error below in the smps.log file on the policy server:

     

    [12168/139947420665600][Tue Nov 20 2018 07:30:56][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '1' during search: 'error: Operations error extended error: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580' Search Query = '(&(sAMAccountName=***)(objectclass=user)(!(useraccountcontrol=514))(!(useraccountcontrol=546)))'
    [12168/139947378702080][Tue Nov 20 2018 07:31:44][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '1' during search: 'error: Operations error extended error: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580' Search Query = '(&(sAMAccountName=***)(objectclass=user)(!(useraccountcontrol=514))(!(useraccountcontrol=546)))'

    I am able to ping the AD server I am connecting to on port 3269.

    The connection is successful on the existing setup of CA Single Sign On 12.52 SP1 CR9.

    I am not sure if I am missing something here to make the required connection with AD.

    Can someone please suggest what the issue might be and how it can be resolved?

    Regards,

    Pankaj Sharma



  • 2.  Re: LDAP bind error on smps

    Broadcom Employee
    Posted Nov 21, 2018 01:23 AM

    Hi Pankaj,

    Most probably this is because the AD user that the Policy Server uses to connect/bind to AD is lacking privileges. Could you use another tool, such as JXplorer (JXplorer - an open source LDAP browser), to verify that you have set the correct user in the User Store settings?

    Regards,

    Widjaja



  • 3.  Re: LDAP bind error on smps

    Posted Nov 21, 2018 05:06 AM

    Hi Widjaja,

    I am using the same user account that I use to connect to AD from my existing setup.

    Not sure what is missing here.

    Regards,

    Pankaj Sharma



  • 4.  Re: LDAP bind error on smps

    Broadcom Employee
    Posted Nov 21, 2018 11:09 AM

    Pankaj, can you try the ldapsearch command and see if you can bind successfully as that user on the specific AD/LDAP server/port you're using?

    Also, does this MS article help?

    Global Catalog and LDAP Searches | Microsoft Docs

    Regards, Vijay



  • 5.  Re: LDAP bind error on smps

    Posted Nov 27, 2018 02:09 AM

    Hi Vijay,

    On executing ldapsearch I get an invalid credentials error:
    ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

    But I checked, and the user ID and password used to connect to LDAP are correct, and I am able to make the connection in my existing setup.

    Regards,

    Pankaj Sharma



  • 6.  Re: LDAP bind error on smps

    Posted Nov 29, 2018 04:42 PM

    The "data 52e" part of the error message is a generic "invalid credentials" code. But it does indicate there is still something wrong with either your username or password. What format are you using for the username? Try entering the LDAP fully qualified name. You indicated you are using port 3269. Is the account you are using in the same domain as the server? If there is a mismatch, try using a domain controller from the same domain as the account.

    Good luck
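    The replies above suggest an ldapsearch bind test (post 4) and explain the "data 52e" sub-code (post 6). The script below is an added example, not code from this thread or from CA/Symantec: it parses the Active Directory "LdapErr" diagnostic that appears both in smps.log and in the "additional info" line printed by ldapsearch, maps the well-known AD data sub-codes (525, 52e, 530, 531, 532, 533, 701, 773, 775) and the two Windows error values seen here (000004DC is ERROR_NOT_AUTHENTICATED, 80090308 is SEC_E_INVALID_TOKEN) to a plain-English reading, and expands the userAccountControl values 514 and 546 used in the policy server's search filter. The two sample inputs are copied from the posts above; the account name stays masked as '***' as in the thread.

```python
"""Decode the Active Directory diagnostic strings seen in smps.log and in
ldapsearch output (added example; not CA/Symantec code)."""
import re
from typing import Optional

# Sample inputs copied from the thread (the sAMAccountName is masked there
# as '***', so it is kept masked here).
SMPS_LINE = (
    "[12168/139947420665600][Tue Nov 20 2018 07:30:56][SmDsLdapConnMgr.cpp:1207]"
    "[ERROR][sm-Ldap-02230] Error# '1' during search: 'error: Operations error "
    "extended error: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform "
    "this operation a successful bind must be completed on the connection., data 0, "
    "v2580' Search Query = '(&(sAMAccountName=***)(objectclass=user)"
    "(!(useraccountcontrol=514))(!(useraccountcontrol=546)))'"
)
LDAPSEARCH_OUTPUT = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 52e, v2580\n"
)

# Well-known AD "data" sub-codes that accompany LDAP result 49 (invalidCredentials).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or bind name not in a form AD accepts)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# LDAP result codes that occur in the two samples.
LDAP_RESULT_CODES = {1: "operationsError", 49: "invalidCredentials"}

# userAccountControl bits needed to read the filter values 514 and 546.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

LDAPERR_RE = re.compile(
    r"(?P<winerr>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>\d+)"
)
# Either the smps.log "Error# 'N'" form or the ldapsearch "ldap_bind: ... (N)" form.
RESULT_RE = re.compile(r"Error# '(\d+)'|ldap_bind: [^\n(]*\((\d+)\)")


def parse_ad_ldap_error(text: str) -> Optional[dict]:
    """Pull the Windows error, DSID, comment and data sub-code out of an AD
    'LdapErr' diagnostic, plus the LDAP result code if the text carries one."""
    m = LDAPERR_RE.search(text)
    if not m:
        return None
    rec = m.groupdict()
    rec["data"] = rec["data"].lower()
    rec["data_meaning"] = AD_BIND_DATA_CODES.get(rec["data"])
    rm = RESULT_RE.search(text)
    rec["ldap_result"] = int(rm.group(1) or rm.group(2)) if rm else None
    rec["ldap_result_name"] = LDAP_RESULT_CODES.get(rec["ldap_result"])
    return rec


def diagnose(rec: Optional[dict]) -> str:
    """One-line reading of a parsed record, from the operator's side."""
    if rec is None:
        return "no AD LdapErr diagnostic found"
    win = rec["winerr"].upper()
    if win == "000004DC":  # ERROR_NOT_AUTHENTICATED
        return ("search issued on a connection with no successful bind: "
                "the user store's bind credentials are being rejected or never sent")
    if win == "80090308":  # SEC_E_INVALID_TOKEN raised by AcceptSecurityContext
        return "bind rejected by AD: " + (rec["data_meaning"] or f"unknown sub-code {rec['data']}")
    return f"Windows error {win}, data {rec['data']}"


def decode_uac(value: int) -> list:
    """Expand a userAccountControl integer into its known flag names."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


if __name__ == "__main__":
    for sample in (SMPS_LINE, LDAPSEARCH_OUTPUT):
        rec = parse_ad_ldap_error(sample)
        print(rec["dsid"], "data", rec["data"], "->", diagnose(rec))
    for v in (514, 546):
        print(v, decode_uac(v))
```

    Read together, the two records tell one story: the ldapsearch bind fails with 52e, so the policy server never gets an authenticated connection and every subsequent search comes back as operationsError with ERROR_NOT_AUTHENTICATED. The filter's 514/546 exclusions are simply "disabled normal account" and "disabled normal account with no password required", which is why they never match the bind user itself.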



  • 7.  Re: LDAP bind error on smps

    Posted Dec 03, 2018 12:15 AM

    Hi Greg,

    I am using the fully qualified name of the user ID only. I tried changing the port to 389 and making a non-SSL connection, but the error is the same.

    I am not sure if there is something amiss at my end or if it is something to do with AD.

    Regards,

    Pankaj Sharma