Can't bind: LDAP_INVALID_CREDENTIALS 49

I’m running Request Tracker 3.4.5 on a FreeBSD 5.4 server with Apache
1.3.34 and MySQL 4.1.13. The installation went smoothly, and my team is
very happy with RT over our current home brew ticketing application.

I’m running into trouble with LDAP authentication against a Windows 2003
domain controller. I’ve followed the
instructions found at:

http://wiki.bestpractical.com/?LDAP
http://wiki.bestpractical.com/index.cgi?LdapUserLocalOverlay
http://wiki.bestpractical.com/index.cgi?LdapSiteConfigSettings

I’ve got logging cranked up, and I’m seeing the following:

[Tue Jun 6 01:51:01 2006] [critical]: RT::User::LookupExternalUserInfo
Can't bind: LDAP_INVALID_CREDENTIALS 49
(/usr/local/rt3/lib/RT/User_Local.pm:475)

Any suggestions on what might be causing this, and how to resolve?

Regards,

Wade Naveja wade@naveja.net

I’ve got logging cranked up, and I’m seeing the following:

[Tue Jun 6 01:51:01 2006] [critical]: RT::User::LookupExternalUserInfo
Can't bind: LDAP_INVALID_CREDENTIALS 49
(/usr/local/rt3/lib/RT/User_Local.pm:475)

Error 49 is the generic LDAP error returned when the account you’re
using to bind (NOT the account you’re trying to authenticate) has
invalid credentials, usually a bad or expired password but not always.
Active Directory returns a cryptic sub-error code:

http://forum.java.sun.com/thread.jspa?forumID=51&threadID=658510

… excerpt:

The AD-specific error code is the one after “data” and before “vece” or
"v893" in the actual error string returned to the binding process (if
you can get a look at that message):

  * 525 - user not found
  * 52e - invalid credentials
  * 530 - not permitted to logon at this time
  * 532 - password expired
  * 533 - account disabled
  * 701 - account expired
  * 773 - user must reset password


Hope that's useful,
	Ole

/Ole Craig
Security Engineer

303-381-3802 (main support hotline)
303-381-3824 (my direct line)
303-381-3801 (fax)

www.stillsecure.com
. . .

[…]

Error 49 is the generic LDAP error returned when the account you’re
using to bind (NOT the account you’re trying to authenticate) has
invalid credentials, usually a bad or expired password but not always.
Active Directory returns a cryptic sub-error code:

http://forum.java.sun.com/thread.jspa?forumID=51&threadID=658510
[…]

Hmm. That link has changed since I scraped it into an internal technote,
or else I pasted the wrong link. For anyone who might find it useful,
here’s a more complete version, and my heartfelt thanks go to whoever
was the original poster on the java forum.

Following are the results of somebody’s “experimentation” with a W2k
Domain Controller…

Common Active Directory LDAP bind errors:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 - not permitted to logon at this time
DEC: 1328 - ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: ]
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 - password expired
DEC: 1330 - ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] - PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 - account disabled
DEC: 1331 - ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] - ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 - account expired
DEC: 1793 - ERROR_ACCOUNT_EXPIRED (The user’s account has expired.)
LDAP[accountExpires: <value of -1, 0, or extremely large value indicates account will not expire>] - ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user’s password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 - account locked out
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] - LOCKOUT
NOTE: Returns even if invalid password is presented

/Ole Craig
Security Engineer

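Ole's two replies give the AD sub-code table and the userAccountControl bits behind it, but what RT logs ("Can't bind: LDAP_INVALID_CREDENTIALS 49") is only the outer LDAP result code; the "data NNN" reason lives in the server's diagnostic message, which Net::LDAP exposes as $msg->error. What follows is an added example, not code from this thread or from RT, written in Python rather than RT's Perl so it runs stand-alone: it pulls the sub-code out of such a message, labels it with the table's meaning and with whether the table says the password had already been accepted, and decodes the account attributes the table mentions (userAccountControl bits, accountExpires, pwdLastSet). The password_accepted flag, the DONT_EXPIRE_PASSWORD bit and the accountExpires epoch conversion are my additions, and the sample messages are constructed from the strings in the table.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# AD sub-error codes that follow "data" in the diagnostic message of an
# LDAP result 49 (invalidCredentials), from the table in the thread. The
# third field records whether, per that table, the DC returns the code only
# after accepting the password (so the password is right and the account's
# state is what blocked the bind).
AD_BIND_SUBCODES = {
    0x525: ("ERROR_NO_SUCH_USER", "user not found", False),
    0x52E: ("ERROR_LOGON_FAILURE", "invalid credentials", False),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "not permitted to logon at this time", True),
    0x531: ("ERROR_INVALID_WORKSTATION", "not permitted to logon from this workstation", True),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired", True),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled", True),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired", True),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password", True),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out", False),
}

# "... AcceptSecurityContext error, data 52e, v893"; the trailing token is
# "vece"/"v893" in the thread and other "v..." values on newer DCs.
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]{1,4}), v[0-9a-f]+", re.I)


@dataclass
class BindDiagnosis:
    subcode: Optional[int]      # e.g. 0x52E; None if the message carries no data field
    win32_name: str
    meaning: str
    password_accepted: bool     # True: credentials were right, account state blocked the bind


def diagnose_bind_error(diag_msg: str) -> BindDiagnosis:
    """Decode the AD-specific reason behind an LDAP result 49.

    diag_msg is the server's diagnosticMessage text (Net::LDAP: $msg->error)."""
    m = _DATA_RE.search(diag_msg)
    if m is None:
        return BindDiagnosis(None, "", "no AcceptSecurityContext data field in message", False)
    code = int(m.group(1), 16)
    name, meaning, pw_ok = AD_BIND_SUBCODES.get(
        code, ("UNKNOWN", "unrecognised sub-code 0x%x" % code, False))
    return BindDiagnosis(code, name, meaning, pw_ok)


# userAccountControl bits named in the table, plus DONT_EXPIRE_PASSWORD
# (0x10000), the bit that keeps a service account from ever hitting 0x532.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00800000: "PASSWORD_EXPIRED",
}


def decode_uac(uac: int) -> List[str]:
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]


_AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def account_expiry(account_expires: int) -> Optional[datetime]:
    """accountExpires is 100 ns ticks since 1601-01-01 UTC; 0, -1 and the
    0x7FFFFFFFFFFFFFFF sentinel all mean 'never expires' (returns None)."""
    if account_expires in (0, -1, 0x7FFFFFFFFFFFFFFF):
        return None
    return _AD_EPOCH + timedelta(microseconds=account_expires // 10)


def predict_bind_problems(uac: int, account_expires: int = 0,
                          pwd_last_set: int = 1,
                          now: Optional[datetime] = None) -> List[int]:
    """Which 'data' codes from the table would these account attributes
    produce even with the right password? Empty list: nothing visible in
    these attributes blocks the bind. Logon-hours and workstation
    restrictions (0x530/0x531) live in other attributes and are not derived."""
    now = now or datetime.now(timezone.utc)
    flags = decode_uac(uac)
    problems = []
    if "ACCOUNTDISABLE" in flags:
        problems.append(0x533)
    if "LOCKOUT" in flags:
        problems.append(0x775)
    expiry = account_expiry(account_expires)
    if expiry is not None and expiry <= now:
        problems.append(0x701)
    if pwd_last_set == 0:
        problems.append(0x773)
    if "PASSWORD_EXPIRED" in flags and "DONT_EXPIRE_PASSWORD" not in flags:
        problems.append(0x532)
    return problems


if __name__ == "__main__":
    # Constructed sample messages, modelled on the strings in the table above.
    samples = [
        "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893",
        "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893",
        "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
    ]
    for s in samples:
        d = diagnose_bind_error(s)
        print("0x%03x %-26s %s (password accepted: %s)"
              % (d.subcode, d.win32_name, d.meaning, d.password_accepted))
    # A disabled service account whose password is set to never expire.
    print(decode_uac(0x10202), predict_bind_problems(0x10202))
```

Two caveats worth keeping in mind when using this. First, the 0x525/0x52e split tells an unauthenticated client whether a username exists, so any application that passes the sub-code through to the login page becomes a username-enumeration oracle; decode it in the server log, as RT's critical() call above would, and show users only a generic failure. Second, AD does not maintain the LOCKOUT (0x10) and PASSWORD_EXPIRED (0x800000) bits in the stored userAccountControl attribute itself; they are reported through the constructed attribute msDS-User-Account-Control-Computed (lockout is also visible via lockoutTime), so a predict_bind_problems() run on a raw userAccountControl read will miss the 0x775 and 0x532 cases unless you feed it that computed value.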

Hello!

Bless you for all the precise information below. =]

On 6/5/06, Wade Naveja wade@naveja.net wrote:

[…]

Hmmm. I’m hoping that Ole’s messages were helpful to you as my only
guess is that your LDAP server (aka AD server) won’t accept anonymous
(unauthenticated) bindings. Here’s the code in and around the
complaining line:

# These calls come from Net::LDAP; LDAP_SUCCESS and ldap_error_name are
# exported by its Constant and Util modules.
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Net::LDAP::Util qw(ldap_error_name);

# $ldap_user/$ldap_pass come from $LdapUser/$LdapPass; an empty
# $ldap_user means an anonymous bind.
my $msg = undef;
if ($ldap_user) {
    $msg = $ldap->bind($ldap_user, password => $ldap_pass);
} else {
    $msg = $ldap->bind;
}

# Only the numeric result code is logged here; the server's own diagnostic
# text (where AD puts its "data NNN" sub-code) would be $msg->error.
unless ($msg->code == LDAP_SUCCESS) {
    $RT::Logger->critical((caller(0))[3], "Can't bind:",
                         ldap_error_name($msg->code), $msg->code);
} else {
    ...
}

Have you set LdapUser and LdapPass in RT_SiteConfig.pm? If not, try
setting them to a user/pass combo that should allow you to bind to the
server and let me know how it goes.

Thanks!

–j
Jim Meyer, Geek at Large purp@acm.org

Jim - Thanks for the feedback. I’m sure you’re right about the AD server
not accepting anonymous binding.

I’ve got the values populated for
LdapUser and LdapPass. We have a service account that we use for Apache
LDAP authentication, so the username/password are definitely valid.

I’m wondering if this bit from my RT_SiteConfig.pm looks okay:

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*

Set($LdapServer, 'server.example.com');
Set($LdapBase, 'cn=Users,dc=subdomain,dc=example,dc=com');
Set($LdapFilter, "(objectclass=user)");
Set($LdapUser, 'genericid');
Set($LdapPass, 'sekrit_password');

Any suggestions?

Regards,

Wade Naveja wade@naveja.net

On Tue, 6 Jun 2006, Jim Meyer wrote:

[…]

I found my mistake. My RT_SiteConfig.pm contained the following:

Set($LdapBase, 'cn=Users,dc=subdomain,dc=example,dc=com');
Set($LdapUser, 'genericid');

Changing those lines to something like this worked:

Set($LdapBase, 'dc=subdomain,dc=example,dc=com');
Set($LdapUser, 'cn=genericid,cn=Users,dc=subdomain,dc=example,dc=com');

Thanks for the guidance. Now, on to other RT configuration issues!

Regards,

Wade Naveja wade@naveja.net

On Tue, 6 Jun 2006, Wade Naveja wrote:

[…]