IBM Tivoli Netcool/OMNIbus, Version 7.4

Common LDAP authentication errors

LDAP performance is dependent on the particular LDAP server environment that you are using. Your LDAP administrator is your first point of contact for authentication and performance issues.

Resolved from core fix pack 2

A user exists in the ObjectServer but not in LDAP

When a user exists in the ObjectServer but not in LDAP, messages similar to the following are written to the ObjectServer log file:
2013-01-02T09:34:14: Error: E-ALD-102-027: No LDAP user found with base dn ou=Tivoli,ou=SWG,o=ibm and filter (cn=Notin Ldap)
2013-01-02T09:34:14: Error: E-ALD-102-027: No LDAP user found with base dn ou=Tivoli,ou=SWG,o=ibm and filter (cn=Notin Ldap)
2013-01-02T09:34:14: Information: I-SEC-104-003: Cannot authenticate user "Notin Ldap" with external source. Error = "User not found"
2013-01-02T09:34:14: Information: I-SEC-104-002: Cannot authenticate user "Notin Ldap": Not authenticated
2013-01-02T09:34:14: Error: E-OBX-102-023: Failed to authenticate user Notin Ldap. (-3602:Not authenticated)
2013-01-02T09:34:14: Error: E-OBX-102-057: User Notin Ldap@examplehost.ibm.com failed to login: Not authenticated
The following, related message is written to the audit log:
2013-01-02T09:31:00: Error: E-SEC-010-002: authentication failure - cannot authenticate user "Notin Ldap" : Not authenticated

To resolve the problem, contact the LDAP administrator and determine whether the user exists in LDAP and whether the ObjectServer has search access to that user. If the user exists in LDAP, verify that you are using the correct base distinguished name and search filter: check the values that are specified for the LDAPSearchBase and LDAPSearchFilter properties.

If the LDAP search and filter properties are correct, verify with your LDAP administrator that the user account specified by the LDAPBindDn and LDAPBindPassword properties has authority to run LDAP searches. If the ObjectServer is anonymously binding to LDAP, verify that the directory and users that you want to search are configured to allow anonymous read access.

A user exists in LDAP but the wrong password is specified

When a user exists in LDAP but the wrong password is supplied to LDAP, messages similar to the following are written to the ObjectServer log file:
2013-01-02T16:13:39: Information: I-ALD-104-006: About to bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm
2013-01-02T16:13:39: Error: E-ALD-102-016: Failed to bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm. (49:Invalid credentials)
2013-01-02T16:13:39: Error: E-ALD-102-011: LDAP Server message received during bind.
2013-01-02T16:13:39: Information: I-ALD-104-006: About to bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm
2013-01-02T16:13:39: Error: E-ALD-102-016: Failed to bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm. (49:Invalid credentials)
2013-01-02T16:13:39: Error: E-ALD-102-011: LDAP Server message received during bind.
2013-01-02T16:13:39: Information: I-SEC-104-003: Cannot authenticate user "User One" with external source. Error = 'Invalid credentials'.
The following, related message is written to the audit log:
2013-01-02T16:13:39: Information: I-SEC-104-002: Cannot authenticate user "User One": Not authenticated

To resolve the problem, provide the correct password.

Resolved from core fix pack 2

A user name exists in multiple LDAP directories

When a user name is not unique and exists in multiple LDAP directories, messages similar to the following are written to the ObjectServer log file:
2013-01-02T16:13:52: Error: E-ALD-102-028: Multiple LDAP users with base DN 'ou=Tivoli,ou=SWG,o=ibm' and filter '(cn=User Two)'
2013-01-02T16:13:52: Error: E-ALD-102-028: Multiple LDAP users with base DN 'ou=Tivoli,ou=SWG,o=ibm' and filter '(cn=User Two)'
2013-01-02T16:13:52: Information: I-SEC-104-003: Cannot authenticate user "User Two" with external source. Error = 'LDAP user not unique'.
2013-01-02T16:13:52: Information: I-SEC-104-002: Cannot authenticate user "User Two": Not authenticated
2013-01-02T16:13:52: Error: E-OBX-102-023: Failed to authenticate user User Two. (-3602:Not authenticated)
2013-01-02T16:13:52: Error: E-OBX-102-057: User User Two@examplehost.ibm.com failed to login: Not authenticated
The following, related message is written to the audit log:
2013-01-02T16:13:39: Information: I-SEC-104-002: Cannot authenticate user "User Two": Not authenticated

To resolve the problem, contact your LDAP administrator.

Resolved from core fix pack 2

The ObjectServer cannot contact the LDAP server

When the ObjectServer cannot contact the LDAP server, messages similar to the following are written to the ObjectServer log file:
2013-01-04T16:17:57: Error: E-ALD-102-026: Failed to perform search on LDAP server with base dn 'ou=bluepages,o=ibm.com' and filter '(cn=Test User)': 81:Can't contact LDAP server
2013-01-04T16:17:57: Information: I-SEC-104-003: Cannot authenticate user "Test User" with external source. Error = 'Can't contact LDAP server'
If you are running LDAP V2, the following message is logged:
2013-01-04T16:34:42: Error: E-ALD-102-012: ldap_open failed to LDAP server. Host exampleserver.ibm.com. Port 389. Error - 145:Connection timed out.

To resolve the problem, verify that the LDAP server is running, that the connection is not blocked by a firewall, and that the correct LDAP port is specified for the Port property in the LDAP properties file.

These messages can also be logged when the LDAP server requires bind security but the ObjectServer is configured for anonymous bind. If the ObjectServer is configured for anonymous bind, contact your LDAP administrator to check whether the LDAP setup requires bind security.

Resolved from core fix pack 2

The LDAP search syntax is incorrect

When the syntax of an LDAP search filter is incorrect, messages similar to the following are written to the ObjectServer log file:
2013-01-07T11:34:46: Debug: D-ALD-105-005: About to issue LDAP search with filter '(&(cn=User Five)(|(ou=Tivoli)(ou=Webtop))'
2013-01-07T11:34:46: Error: E-ALD-102-026: Failed to perform search on LDAP server with base dn 'ou="Tivoli",ou=SWG,o=ibm' and filter '(&(cn=User Five)(|(ou=Tivoli)(ou=Webtop))': 87:Bad search filter
When you test the search filter with the ldapsearch utility, you get a response similar to the following:
ldapsearch: ldap_search_ext: Bad search filter (-7)

To resolve the problem, contact your LDAP administrator for help with formulating the search query.

Resolved from core fix pack 2

An LDAP search times out

When an LDAP search times out, a message similar to the following is written to the ObjectServer log file:
2013-01-07T15:16:08: Error: E-AUT-102-026: Failed to perform search on LDAP server with base dn 'ou="Tivoli",ou=SWG,o=ibm' and filter '(cn=A User)': 85:Timed out

To resolve the problem, contact your LDAP administrator for help with improving query performance.

For Windows operating systems
Resolved from core fix pack 2

LDAP authentication fails with Unicode characters

On Windows operating systems, you must save the LDAP properties file in UTF-8 encoding when the ObjectServer is configured to run with UTF-8 enabled.

Errors similar to the following are logged when you do not use UTF-8 encoding. In this example, the LDAPSearchBase property value contains the string plutôt.
2013-05-23T10:45:27: Warning: W-ETC-102-003: Invalid character 0xf4 found when converting to Unicode.
2013-05-23T10:45:27: Warning: W-ETC-102-003: Invalid character 0xf4 found when converting to Unicode.
2013-05-23T10:45:27: Warning: W-ETC-102-003: Invalid character 0xf4 found when converting to Unicode.
...
...
2013-05-23T10:45:54: Debug: D-AUT-105-005: About to issue LDAP search with filter '(uid=yaya)' and base dn 'ou=plut...t,dc=HURSLEY,dc=IBM,dc=COM'
2013-05-23T10:45:54: Error: E-AUT-102-034: LDAPSearch returned 'NO_SUCH_OBJECT'. Verify that LDAPSearchBase has been correctly specified and the base DN object 'ou=plut...t,dc=HURSLEY,dc=IBM,dc=COM' exists

To encode the properties file as UTF-8, open it in Windows Notepad and use the Save As... command to save a new version. Use the existing file name, ldap.props. You must then restart the ObjectServer so that it reads the updated properties file.
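The following Python script is an added example, not IBM code: it parses ObjectServer log lines like the ones quoted in the sections above, keys on the message id or the LDAP result code (49, 81, 85, 87) and reports the likely cause together with the first check each section recommends; for a Bad search filter it also counts unbalanced parentheses, which is the defect in the filter quoted in that section. The sample lines and the cause table come from this page; the regular expressions are assumptions about the log format.

```python
import re
# Constructed sample for this example: one line from each scenario quoted on
# this page (the DNs, user names and timestamps are the page's own examples).
SAMPLE_LOG = """\
2013-01-02T09:34:14: Error: E-ALD-102-027: No LDAP user found with base dn ou=Tivoli,ou=SWG,o=ibm and filter (cn=Notin Ldap)
2013-01-02T16:13:39: Error: E-ALD-102-016: Failed to bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm. (49:Invalid credentials)
2013-01-02T16:13:52: Error: E-ALD-102-028: Multiple LDAP users with base DN 'ou=Tivoli,ou=SWG,o=ibm' and filter '(cn=User Two)'
2013-01-04T16:17:57: Error: E-ALD-102-026: Failed to perform search on LDAP server with base dn 'ou=bluepages,o=ibm.com' and filter '(cn=Test User)': 81:Can't contact LDAP server
2013-01-07T11:34:46: Error: E-ALD-102-026: Failed to perform search on LDAP server with base dn 'ou="Tivoli",ou=SWG,o=ibm' and filter '(&(cn=User Five)(|(ou=Tivoli)(ou=Webtop))': 87:Bad search filter
2013-01-07T15:16:08: Error: E-AUT-102-026: Failed to perform search on LDAP server with base dn 'ou="Tivoli",ou=SWG,o=ibm' and filter '(cn=A User)': 85:Timed out
2013-05-23T10:45:27: Warning: W-ETC-102-003: Invalid character 0xf4 found when converting to Unicode.
"""
LINE_RE = re.compile(r"^(?P<ts>\S+): (?P<level>\w+): (?P<msgid>[A-Z]-[A-Z]{3}-\d{3}-\d{3}): (?P<text>.*)$")
# Assumed format: LDAP result codes appear as "(49:Invalid credentials)" or as ": 81:Can't contact LDAP server".
RESULT_RE = re.compile(r"(?:\(|: )(?P<code>\d+):(?P<reason>[^)]*?)\)?$")
FILTER_RE = re.compile(r"filter '(?P<filter>[^']*)'")

# Message ids and LDAP result codes from this page -> (likely cause, first check to make).
BY_MSGID = {
    "E-ALD-102-027": ("user not found in LDAP", "check LDAPSearchBase/LDAPSearchFilter and the bind account's search rights"),
    "E-ALD-102-028": ("user name not unique in LDAP", "contact the LDAP administrator"),
    "W-ETC-102-003": ("LDAP properties file is not UTF-8", "re-save ldap.props as UTF-8 and restart the ObjectServer"),
}
BY_CODE = {
    49: ("invalid credentials", "provide the correct password"),
    81: ("cannot contact LDAP server", "check server status, firewall, Port property, and bind security vs anonymous bind"),
    85: ("LDAP search timed out", "work with the LDAP administrator on query performance"),
    87: ("bad search filter", "test the filter with ldapsearch and check that its parentheses balance"),
}

def unclosed_parens(ldap_filter: str) -> int:
    """Net '(' minus ')' in a filter string; nonzero means the filter is malformed."""
    return ldap_filter.count("(") - ldap_filter.count(")")

def triage(log_text: str) -> list:
    """Map each recognised ObjectServer LDAP message to its cause and the first check to make."""
    findings = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):  # skip lines that do not parse
        msgid, text = m.group("msgid"), m.group("text")
        code_m = RESULT_RE.search(text)
        code = int(code_m.group("code")) if code_m else None
        hit = BY_MSGID.get(msgid) or BY_CODE.get(code)
        if not hit:
            continue  # not one of the LDAP messages this page covers
        finding = {"ts": m.group("ts"), "msgid": msgid, "code": code, "cause": hit[0], "check": hit[1]}
        if code == 87:  # for a bad filter, report whether the parentheses balance
            f = FILTER_RE.search(text)
            finding["unclosed_parens"] = unclosed_parens(f.group("filter")) if f else None
        findings.append(finding)
    return findings
```

Run `triage(SAMPLE_LOG)` against your own ObjectServer log text to get one finding per recognised line; unknown message ids and codes are skipped rather than guessed.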