Error validating ldap url and credentials
Introduction

Connecting to an LDAP ID store in OAM 11g over SSL (LDAPS) is a common scenario that many customers may need to implement.
Unfortunately the documentation on this subject is scant and can be misleading.
These are the same error codes which would otherwise be returned by invoking the Win32 LogonUser API call.
The list below summarizes a range of common values, giving the hex sub-code reported by AD and its decimal equivalent in parentheses:

525 user not found (1317)
52e invalid credentials (1326)
530 not permitted to logon at this time (1328)
531 not permitted to logon at this workstation (1329)
532 password expired (1330)
533 account disabled (1331)
701 account expired (1793)
773 user must reset password (1907)
775 user account locked (1909)

Unfortunately there is no “simple” way to check a user's credentials on AD.
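The sub-codes above arrive embedded in the diagnostic string of a failed AD bind, so the usual task is to extract the `data NNN` token and translate it. The following is an added example, not code from the original page or from any of the products it mentions. It assumes the standard AD diagnostic format (`... AcceptSecurityContext error, data 52e, v1db1`); the sample messages, the `DSID` value in them and the function names are constructed for illustration. It also shows the defender-side point the page implies: the detailed reason belongs in the operator log, while the login prompt should stay generic so that "user not found" is never distinguishable from "invalid credentials" to the person typing.

```python
import re
from collections import Counter

# Sub-error codes returned in the "data NNN" field of an Active Directory
# bind failure (AcceptSecurityContext error). These are the Win32 LogonUser
# error values listed on the page: hex code -> (decimal, meaning).
AD_BIND_DATA_CODES = {
    0x525: (1317, "user not found"),
    0x52E: (1326, "invalid credentials"),
    0x530: (1328, "not permitted to logon at this time"),
    0x531: (1329, "not permitted to logon at this workstation"),
    0x532: (1330, "password expired"),
    0x533: (1331, "account disabled"),
    0x701: (1793, "account expired"),
    0x773: (1907, "user must reset password"),
    0x775: (1909, "user account locked"),
}

# Matches the "data 52e" token in a diagnostic string of the form
# "80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 52e, v1db1"
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Constructed sample messages (the DSID value is a placeholder, not a real one).
SAMPLE_ERRORS = [
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v1db1",
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v1db1",
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v1db1",
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v1db1",
]


def parse_ad_bind_error(message):
    """Return (hex_code, decimal, meaning) for an AD bind failure message, or None.

    Unknown sub-codes come back with meaning "unknown" and the raw decimal
    value so that callers can still log them for investigation.
    """
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = int(m.group(1), 16)
    decimal, meaning = AD_BIND_DATA_CODES.get(code, (code, "unknown"))
    return (f"{code:x}", decimal, meaning)


def user_facing_reason(message):
    """Collapse the detailed sub-code into a message safe to show to the end user.

    Telling the user "user not found" versus "invalid credentials" reveals
    which usernames exist, so only the cases the user must act on (expired
    password, forced reset) are surfaced; everything else is reported
    generically. The full detail belongs in the operator log, not the prompt.
    """
    parsed = parse_ad_bind_error(message)
    if parsed is None:
        return "Authentication failed"
    _, _, meaning = parsed
    if meaning in ("password expired", "user must reset password"):
        return "Your password must be changed before you can log in"
    return "Authentication failed"


def count_by_meaning(messages):
    """Tally bind failures by decoded reason, e.g. for an operator dashboard.

    A sudden rise in "invalid credentials" or "user not found" relative to the
    baseline is the usual first sign of a credential-guessing campaign; the
    decoded counts make that visible without exposing detail to end users.
    """
    counts = Counter()
    for msg in messages:
        parsed = parse_ad_bind_error(msg)
        counts[parsed[2] if parsed else "unparsed"] += 1
    return dict(counts)


if __name__ == "__main__":
    for msg in SAMPLE_ERRORS:
        print(parse_ad_bind_error(msg), "->", user_facing_reason(msg))
    print(count_by_meaning(SAMPLE_ERRORS))
```

The regular expression is anchored on the literal `AcceptSecurityContext error, data` text rather than on the leading `80090308:` code, since the leading code and the trailing `vNNNN` version token vary between domain controller builds.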
For example, the default embedded LDAP host might be: ldap://localhost:7001
You can also specify ldaps://, which supports SSL_NO_AUTH.

Good luck 🙂

So what does it all mean, and what do I do if the LDAPS connection fails?
SSL_NO_AUTH basically means a self-signed certificate, no authentication required.
Any help with this issue would be greatly appreciated.
I have tried Active Directory over LDAP & Active Directory (Integrated Windows Authentication). With vCloud Director & vCAC 6.2 I experienced no AD bind issues at all. When I check my domain controller I do see that there has been a computer object created in the Computers OU, but it is created as Disabled. I have tried to enable it, but this doesn't help the issue.

Specifically, Table 3-2 describes all the possible elements required to register. Looking at the ‘LDAP URL’ element we have the following: The URL for the LDAP host, including the port number. 1-way and 2-way SSL modes are not supported at this time.

Once you set up the identity store using LDAPS you should always test the connection via the ‘Test Connection’ button located at the top, as shown here: If there are any issues with the connection you will see an error like the one below: You may also find an exception in the oam-diagnostic logs as follows:

####:636 [Root exception is ssl. Validator Exception: PKIX path building failed: sun.security.provider.certpath.

The Base DN and Bind DN configurations I am using all work when I click the Test Connection button. I have seen various vRA 7 setup guides online (with screenshots even) and there has been no mention of any tricks or difficulty trying to get this to work properly.

So as part of the OAM 11g Academy series, I’d like to discuss this common scenario. To view the first post on the OAM 11g policy model, as well as the index to the entire OAM 11g Academy series, click here.