Common LDAP Server Issues

The causes of the exceptions are discussed in brief. If you have anything to add, feel free to comment!

com.bea.security.providers.xacml.store.ldap.LDAPException:
netscape.ldap.LDAPException: error result (49)

This exception is encountered when the password of the principal trying to connect to the LDAP Server is wrong.

The AD-specific error code is the one after “data” and before “vece” or “v893” in the actual error string returned to the binding process.

525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password
775 user account locked

Caused by: netscape.ldap.LDAPException: Connection refused (91)

This exception is usually encountered due to wrong configuration parameters, especially the hostname or port of the LDAP Server.

netscape.ldap.LDAPException: error result (32);
This exception is usually due to faulty synchronization of LDAP updates on the managed server. It occurs when reading a record on the LDAP Server which no longer exists due to concurrent updates. Enabling Refresh Replica At Startup from the console lets the Managed Server fetch the latest LDAP data at startup.

[Security:090252]advance error for cursor name Users2053917525..
netscape.ldap.LDAPException: error result (4)

This is caused after browsing through 1000 (the default MaxPageSize on AD) Users/Groups.
To overcome this we need to increase the MaxPageSize on Active Directory.

Common Active Directory LDAP bind errors:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 – user not found
DEC: 1317 – ERROR_NO_SUCH_USER
(The specified account does not exist.)
NOTE: Returns when username is invalid.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e – invalid credentials
DEC: 1326 – ERROR_LOGON_FAILURE
(Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 – not permitted to logon at this time
DEC: 1328 – ERROR_INVALID_LOGON_HOURS
(Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 – not permitted to logon from this workstation
DEC: 1329 – ERROR_INVALID_WORKSTATION
(Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 – password expired
DEC: 1330 – ERROR_PASSWORD_EXPIRED
(Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] – PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 – account disabled
DEC: 1331 – ERROR_ACCOUNT_DISABLED
(Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] – ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 – account expired
DEC: 1793 – ERROR_ACCOUNT_EXPIRED
(The user’s account has expired.)
LDAP[accountExpires: <value of -1, 0, or extremely large value indicates account will not expire>] – ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 – user must reset password
DEC: 1907 – ERROR_PASSWORD_MUST_CHANGE
(The user’s password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] – MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 – account locked out
DEC: 1909 – ERROR_ACCOUNT_LOCKED_OUT
(The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] – LOCKOUT
NOTE: Returns even if an invalid password is presented.

The DEC: values are not presented in Portal logs; however, review of LDAP activity combined with analysis of SystemOut.log and relevant configuration tasks can help narrow down the root cause.
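As an added example (not part of the original post), the following Python parser applies the rule stated twice above: pull the hex sub-code that sits after “data” in an AD bind failure, map it to the meaning in the list, and record whether that sub-code proves the supplied password was accepted, which is the first thing to check when a configured LDAP principal stops binding. The DEC values quoted on this page are just the hex sub-code in decimal (0x52e == 1326), so the parser derives them. The sample messages are constructed.

```python
import re

# AD sub-code (hex, as written after "data" in the bind error) -> Win32 error
# name and meaning, taken from the list on this page. The DEC values the page
# quotes are just the hex sub-code in decimal (0x52e == 1326).
AD_BIND_SUBCODES = {
    "525": ("ERROR_NO_SUCH_USER", "user not found"),
    "52e": ("ERROR_LOGON_FAILURE", "invalid credentials"),
    "530": ("ERROR_INVALID_LOGON_HOURS", "not permitted to logon at this time"),
    "531": ("ERROR_INVALID_WORKSTATION", "not permitted to logon from this workstation"),
    "532": ("ERROR_PASSWORD_EXPIRED", "password expired"),
    "533": ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    "701": ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password"),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Sub-codes AD returns only after it accepted the password; 525/52e mean the
# credentials were rejected, and 775 comes back even for a wrong password.
PASSWORD_ACCEPTED = {"530", "531", "532", "533", "701", "773"}

# The sub-code sits between "data " and the trailing ", vece" / ", v893" token.
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\s*,\s*v(?:ece|\d+)\b")


def parse_ad_bind_error(message):
    """Describe the AD sub-code in a bind failure string; return None when the
    message has no sub-code (e.g. a bare error result 49 from a non-AD directory)."""
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = m.group(1).lower()
    name, meaning = AD_BIND_SUBCODES.get(code, ("UNKNOWN", "unrecognised AD sub-code"))
    if code in PASSWORD_ACCEPTED:
        password_ok = True          # account-state problem; the principal's password is right
    elif code in ("525", "52e"):
        password_ok = False         # wrong user name or wrong password
    else:
        password_ok = None          # 775 (or unknown) says nothing about the password
    return {"subcode": code, "decimal": int(code, 16), "name": name,
            "meaning": meaning, "password_ok": password_ok}


# Constructed sample messages in the format quoted on this page.
SAMPLE_LOG = [
    "error result (49); 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893",
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, vece]",
    "netscape.ldap.LDAPException: error result (49)",
]
```

Running `parse_ad_bind_error` over `SAMPLE_LOG` yields a bad-password entry, a lockout entry that does not vouch for the password, and `None` for the bare error result 49, which carries no AD sub-code at all.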

Resolving the problem

Use the codes above to verify the settings and users in LDAP.


java.lang.NullPointerException
at weblogic.security.providers.authentication.LDAPAtnDelegate.getDNForUser(LDAPAtnDelegate.java:3861)
at weblogic.security.providers.authentication.LDAPAtnDelegate.authenticate(LDAPAtnDelegate.java:3679)
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:233)
This occurs when you have the cache enabled. Please apply Patch 20109709.

7 comments

  1. The DeployableAuthorizer "myrealm_weblogic.security.providers.xacml.authorization.XACMLAuthorizationProviderImpl" returned an error: weblogic.security.spi.ResourceCreationException: [Security:090310]Failed to create resource.

    Solution: go to WL_HOME/servers/name/data/ldap and remove ldapfiles and name.ldif

  2. Can someone please explain more about this error.

    netscape.ldap.LDAPException: error result (32);

    I am getting the same exception on the console while viewing users in the WebLogic console.
    WLS 8.1 SP6.

    1. Hi Priyanka,

      netscape.ldap.LDAPException: error result (32);

      This exception is usually due to faulty synchronization of LDAP updates on the managed server. It occurs on reading a record on the LDAP Server which no longer exists due to concurrent updates.
      Enabling Refresh Replica At Startup from the console enables the Managed Server to get the latest ldap data at the time of startup.

      Refer to the article below.

      http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ldap.html

      Regards,
      Anandraj

  3. Can someone please explain more about this error:

    com.bea.security.providers.xacml.store.ldap.LDAPException:
    netscape.ldap.LDAPException: error result (49)

    This exception is encountered when the password of the principal trying to connect to the LDAP Server is wrong.

    trying to connect to wls 10.3.5 embedded ldap using apache

    thanks

    1. “The exception is [LDAP: error code 49 – 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data xxx, vece ].”

      However, there are several values that can indicate what LDAP function is causing the issue. Here are some general references for Microsoft Active Directory:

      The AD-specific error code is the one after “data” and before “vece” or “v893” in the actual error string returned to the binding process.

      525 user not found
      52e invalid credentials
      530 not permitted to logon at this time
      531 not permitted to logon at this workstation
      532 password expired
      533 account disabled
      701 account expired
      773 user must reset password
      775 user account locked

      One way to simplify the configuration is to first try connecting to LDAP using an LDAP browser such as Softerra.

      If you are able to connect using the LDAP Browser, use the same CN, UserBaseDN, GroupBaseDN, Principal, Host and Port in the Apache server configuration.

      You can download the Softerra LDAP browser from the site below.

      http://www.ldapbrowser.com/

      Regards,
      Anandraj

  4. I would like to ask you a question about embedded LDAP: Is there a way to configure a user’s password to expire through the WebLogic console?

    Thanks in advance.
