Error 533 in Active Directory LDAP - active-directory

I am trying to configure Active Directory (AD LDS) for use with my application. I am using ForeignJNDIProvider in Weblogic app server to configure the settings for AD. From my Java-based application, I do a lookup on InitialContext as shown below:
import javax.naming.InitialContext;
import javax.naming.directory.DirContext;
InitialContext iCtx = new InitialContext();
// Resolving the foreign JNDI link is what opens the LDAP connection and binds
DirContext dir = (DirContext) iCtx.lookup(<JNDI name>);
The second code line above fails with the following error:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3067)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2815)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2729)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at weblogic.jndi.internal.ForeignOpaqueReference.getReferent(ForeignOpaqueReference.java:70)
at weblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.java:96)
at weblogic.jndi.internal.ServerNamingNode.resolveObject(ServerNamingNode.java:377)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:856)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:209)
at weblogic.jndi.internal.WLEventContextImpl.lookup(WLEventContextImpl.java:254)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:411)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
I tried looking up what error 533 in AD meant. The only answer I got was that it meant "Account Disabled". I am not sure this is the case. How can I fix this?

Got it...solved the problem by changing the value for attribute msDS-UserAccountDisabled to false. AD accounts when created are disabled by default.
Resource: http://technet.microsoft.com/en-us/library/cc725934

For me, the error was in the attribute "userAccountControl". I had to change it from 546 (ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT) to 512 (NORMAL_ACCOUNT). Also see: http://support.microsoft.com/kb/305144/de
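As an added example (not code from the question or from either answer above), the following Python helpers decode the hexadecimal data sub-code that AD appends to an error 49 bind failure, and break a userAccountControl value such as 546 into its flags. The sub-code table and the flag bits are the documented Active Directory values; the sample error message is reconstructed from the one quoted in the question.

```python
"""Decode AD bind-failure sub-codes and userAccountControl flags.

Added example, not from the original thread. The sample message below is
constructed from the error quoted in the question."""
import re

# Sub-codes AD puts after "data" in an error 49 AcceptSecurityContext
# message. They are hexadecimal Windows error codes (0x533 == 1331,
# ERROR_ACCOUNT_DISABLED).
BIND_DATA_CODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (bad username or password)",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

# userAccountControl bits relevant to the thread.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def bind_failure_reason(message):
    """Return (sub_code, meaning) for an AD bind failure string, or None
    when the message is not an AcceptSecurityContext error at all."""
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = int(m.group(1), 16)
    return code, BIND_DATA_CODES.get(code, "unknown sub-code")


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value,
    lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def enabled_uac(value):
    """Return the userAccountControl value with only ACCOUNTDISABLE cleared;
    every other bit (e.g. PASSWD_NOTREQD) is left exactly as it was."""
    return value & ~0x0002


if __name__ == "__main__":
    # Constructed from the message quoted in the question.
    msg = ("javax.naming.AuthenticationException: [LDAP: error code 49 - "
           "8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
           "error, data 533, v1db1 ]")
    print(bind_failure_reason(msg))
    print(decode_uac(546), "->", enabled_uac(546), decode_uac(enabled_uac(546)))
```

Two things worth keeping in mind when using this in an application: the data value is hexadecimal, so 533 is 0x533, Windows error 1331; and AD returns a different sub-code for an unknown user (525) than for a wrong password (52e). A login page that relays the sub-code to the browser therefore lets anyone enumerate valid account names; log it server-side and show the user a generic failure.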

Related

Getting deleted users from Active Directory using Java JNDI

I want to get all details of AD users which have been deleted.
As per my info, when users are deleted from Active Directory they are stored in the container CN=Deleted Objects.
Now when I search users with searchBase = "DC=domain, DC=local", everything works fine and I get data for all users with their name, mobile etc.
But when I apply searchBase = "CN=Deleted Objects,DC=azdomain, DC=local" I get the error
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Deleted Objects,DC=azdomain, DC=local'
What does this error mean? Also, I am not able to find any post related to the same issue on the internet.
Please help me with this.

LDAP - cannot enable user using spring java ldap api

Trying to enable a user account and getting the below error. If I go directly to that Windows machine after creating the user (using the Java API), update the password manually using the UI on the Windows machine (e.g. "password1"), and then try to enable it using Java, it works fine.
Here is how I am setting the password while creating the user:
BasicAttribute basicAttribute1=new BasicAttribute("userPassword","password1".getBytes(StandardCharsets.US_ASCII));
context.setAttribute(basicAttribute1);
Then, trying to change userAccountControl to 512, I get
"errorMessage": "[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000]; remaining name 'CN=SachinVTendulkar,OU=SDCWASD001,OU=Users,OU=Mycity,OU=Enterprise Support'"
It seems I am not setting the password correctly while creating the user with Java. I am creating the user with userAccountControl=514 and with a password, along with other attributes like names etc. (first I want to create it in disabled mode).
Then when I just try to enable the user, I get this problem. For the same user, if I go to the Windows machine and update the password and then try to enable it with Java, it works fine, so that rules out other issues like LDAPS etc.
Logs from when I create the user, for reference:
log of creating user : creating new user : JohnSmith , in DN : CN=JohnSmith,OU=SDCWASD001,OU=Users,OU=MyCity,OU=Enterprise Support , with context: org.springf.ldap.core.DirContextAdapter: dn=CN=JohnSmith,OU=SDCWASD001,OU=Users,OU=MyCity,OU=Enterprise Support {mail=adsadsa51#test.com, Description=Test account, CN=JohnSmith, objectclass[0]=top, objectclass[1]=Person, objectclass[2]=organizationalPerson, objectclass[3]=user, userPassword=summer01, sAMAccountName=adsadsa51, userPrincipalName=adsadsa51#test.com, givenName=John, displayName=JohnSmith, name=JOHNSMITH, physicalDeliveryOfficeName=0, sn=Smith, userAccountControl=514}
Then to enable the user I do the following (in a separate call) and get that error:
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
ModificationItem[] mods = new ModificationItem[1];
// Clear ACCOUNTDISABLE: 514 (NORMAL_ACCOUNT | ACCOUNTDISABLE) becomes 512 (NORMAL_ACCOUNT)
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", Integer.toString(512)));
ldapTemplate.modifyAttributes(dn, mods);
Try setting the unicodePwd value on the account. Something like:
final byte[] quotedPasswordBytes = ('"'+password+'"').getBytes("UTF-16LE");
container.put(new BasicAttribute("unicodePwd", quotedPasswordBytes));
Resolution is to use SSL for password attribute updates.
Can you be more specific about what this entails?
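Added example, not code from the question or from the answer: Python helpers showing the unicodePwd encoding the answer describes and the order in which the two modifications have to be sent. It assumes the caller holds a connection with confidentiality (LDAPS, or a SASL bind that seals traffic), since AD refuses unicodePwd writes on a cleartext connection, and it represents modifications as plain (operation, attribute, value) tuples rather than any particular client library's modification type.

```python
"""Password set + enable for an AD account, in the order AD requires.

Added example, not code from the thread. Assumes the modifications are sent
over LDAPS (or a sealed SASL session); AD rejects unicodePwd writes over
cleartext. Modifications are plain tuples, not a client library's type."""

ACCOUNTDISABLE = 0x0002   # userAccountControl bit
REPLACE = "replace"       # generic label for an LDAP modify/replace


def encode_unicode_pwd(password):
    """AD expects unicodePwd as the password wrapped in double quotes and
    encoded as UTF-16LE; the quotes are part of the encoded value."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(raw):
    """Inverse of encode_unicode_pwd, for checking a captured modify request."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted UTF-16LE unicodePwd value")
    return text[1:-1]


def enable_account_mods(current_uac, password):
    """Return the ordered modifications that take a disabled account with no
    usable password (userAccountControl 514) to an enabled one: unicodePwd
    first, then userAccountControl with only ACCOUNTDISABLE cleared. Other
    bits (for example PASSWD_NOTREQD) are left as they were."""
    if not isinstance(password, str) or password == "":
        raise ValueError("password must be a non-empty str")
    return [
        (REPLACE, "unicodePwd", encode_unicode_pwd(password)),
        (REPLACE, "userAccountControl", str(current_uac & ~ACCOUNTDISABLE)),
    ]


if __name__ == "__main__":
    for op, attr, val in enable_account_mods(514, "password1"):
        print(op, attr, val)
```

0000052D in the refusal quoted above is Windows error 1325 (ERROR_PASSWORD_RESTRICTION): the directory will not clear ACCOUNTDISABLE on an account whose password does not satisfy policy. Writing userPassword, as in the question, is not by default treated by AD DS as setting the account password, so the account still has none and the enable step is refused until unicodePwd has been written over a protected connection.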

: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]

I am getting the following error in the logs. Although we are supplying the correct user name and password to log in to the website, LDAP is giving this error.
: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]
Any suggestions would be really appreciated.
The login was working fine previously; we are suddenly facing this issue and getting the above error.
data 773 means you need to reset the password
Please check this article for further information:
http://www-01.ibm.com/support/docview.wss?uid=swg21290631
This link is helpful :)
http://ldapwiki.willeke.com/wiki/Common%20Active%20Directory%20Bind%20Errors
Your problem is due to:
'Password Expiration: Entry's password must be changed before logging on LDAP pwdLastSet: value of 0 indicates admin-required password change - MUST_CHANGE_PASSWD'

LDAP Error "User Name Not Found"

When users try to log on to my web app, an LDAP error, code 49 data 525, occurs, which means username not found. LDAP Errors
I don't know if my resource account, which authenticates to my LDAP server, has a bad username OR whether it's the users trying to log onto my system.
How can I figure this out?
> org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment:
> AcceptSecurityContext error, data 525, v1772^#]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772^#]
> at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:182)
> at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
> at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
> at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:125)
> at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:287)
> at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:361)
> at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:215)
For my issue, I had incorrectly entered the DN of the particular LDAP user. I had failed to escape the comma in CN=Smith\, John.
After adding the backslash, I got another LDAP error, error code 49 data 52e, which means bad username & password.
Nonetheless, it was an escaping issue.

CAS AD LDAP 32 error

I am seeing this when I try to login with CAS which is authenticating against AD over LDAP.
SEVERE: Servlet.service() for servlet cas threw exception
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:
''
]; remaining name '/'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3092)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
at org.springframework.ldap.core.LdapTemplate$3.executeSearch(LdapTemplate.java:231)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:293)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:237)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:588)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:546)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:401)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:421)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:441)
Up to that point I was authenticated by the BindLdapAuthenticationHandler, resolved, it generated a query builder and then threw this.
I think it is failing when it is trying to get attributes back. Why is the remaining name '/'?
Remaining name is the part of a DN that was not found at a certain level of the DIT. For example, when you search cn=johns,ou=marketing,dc=example,dc=com and ou=marketing,dc=example,dc=com exists but cn=johns does not exist inside ou=marketing, then the remaining name would be cn=johns.
'/' does not look like a valid RDN. I would recommend to verify what you pass as a search base. Most likely it's an invalid DN string.
LDAP error code 32 means "no such object", in this case, perhaps the base object of the search did not exist.
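The two DN problems on this page, the unescaped comma in CN=Smith\, John from the error 525 thread and the search base '/' that is not a DN at all in this thread, both come down to DN syntax. As an added example that is not part of either post, the following Python code escapes attribute values for DNs (RFC 4514) and for search filters (RFC 4515), builds a DN from raw values, and parses a DN back into RDNs, rejecting strings that are not DNs. Multi-valued RDNs joined with '+' are not handled; the sample DNs are constructed from those quoted in the threads.

```python
"""DN and filter escaping plus a small DN parser (RFC 4514 / RFC 4515).

Added example; not code from either thread. Multi-valued RDNs ('+') are
not supported. Sample DNs are constructed from the ones in the threads."""
import re

_DN_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=(.*)$", re.S)


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514, 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value interpolated into a search filter (RFC 4515, 3);
    this is what stops a login name like *)(objectClass=* from widening
    a (sAMAccountName=...) filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_dn(rdns):
    """Join (type, raw value) pairs into a correctly escaped DN string."""
    return ",".join(t + "=" + escape_dn_value(v) for t, v in rdns)


def _split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped separators inside a part."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(ch + text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_dn_value(value):
    """Undo RFC 4514 escaping; \\XX hex pairs are UTF-8 bytes."""
    buf, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                buf.append(int(pair, 16))
                i += 3
            else:
                buf += value[i + 1].encode("utf-8")
                i += 2
            continue
        buf += ch.encode("utf-8")
        i += 1
    return buf.decode("utf-8")


def parse_dn(dn):
    """Parse a DN into [(type, value), ...]. Raises ValueError when a
    component is not type=value, so '/' or a bare word is rejected.
    The empty string (the root DSE) parses to []."""
    if dn.strip() == "":
        return []
    rdns = []
    for part in _split_unescaped(dn, ","):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError("not an RDN: %r" % part)
        raw = m.group(2).lstrip()
        while raw.endswith(" ") and not raw.endswith("\\ "):
            raw = raw[:-1]          # drop trailing spaces unless escaped
        rdns.append((m.group(1), unescape_dn_value(raw)))
    return rdns


if __name__ == "__main__":
    dn = build_dn([("CN", "Smith, John"), ("OU", "Users"), ("DC", "example"), ("DC", "com")])
    print(dn)
    print(parse_dn(dn))
    print(parse_dn("DC=domain, DC=local"))
    for bad in ("/", "Deleted Objects"):
        try:
            parse_dn(bad)
        except ValueError as e:
            print("rejected:", e)
    print("(sAMAccountName=%s)" % escape_filter_value("*)(objectClass=*"))
```

Without the escape, CN=Smith, John,OU=... is split at the unescaped comma into an RDN CN=Smith followed by a component "John" that is not an RDN, which is why the bind in the 525 thread could not find the user. Run the same parser over a search base before handing it to the LDAP client and a value like '/' is caught in your own code rather than surfacing as a NameNotFoundException from the server.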
