PingOne

Troubleshooting LDAP authentication

Use the information in this section to troubleshoot any LDAP authentication issues.

Users receive an error when signing on or changing their password

A user receives the following error message when signing on or trying to change their password:

A system error occurred when accessing your account for authentication. Contact your administrator.

If this error occurs, check for the following:

  • Check if the user’s account needs to be updated in the external Lightweight Directory Access Protocol (LDAP) directory server. If you have an LDAP gateway configured, ensure that it’s configured properly.

  • If Update PingOne user attributes as users sign on is enabled in the PingOne admin console, check the audit logs for any update failures.

I’m getting an Active Directory password modify error

For LDAP gateway connections using Active Directory (AD), you might see password modify errors in your LDAP gateway client logs.

This error can appear as a failure to change a password using a service account in AD. The error appears as either of the following:

LDAP password change result requestId=be2f0fb3-a090-4bf5-ab9c-97a9e480f6e3,
resultCode=19 (constraint violation), resultDetails=LDAPResult(resultCode=19 (constraint violation),
diagnosticMessage='00000005: AtrErr: DSID-03191080, #1: 0: 00000005: DSID-03191080, problem 1005
(CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)')
LDAP password change result requestId=be2f0fb3-a090-4bf5-ab9c-97a9e480f6e3,
resultCode=50 (insufficient access rights), resultDetails=LDAPResult(resultCode=50 (insufficient access rights),
diagnosticMessage='00000005: SecErr: DSID-031A11B9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0')

Learn more about the recommended configuration for the service account in AD in Best practices for configuring Active Directory for LDAP gateways.

How do I know if a user has entered an incorrect username?

If the LDAP gateway connects to AD, when the provided username cannot locate a user record in AD, look for two DEBUG messages similar to the following samples in the gateway client application log:

DEBUG 2024-10-10T13:06:30.495Z c.p.l.l.RawLdapSearchesThenOpRequestHandler - Processing message=rawLdapSearchesThenOpRequest requestId=853ea174-6ccf-475d-9db3-a5f38edde100 searches=[SearchRequest(baseDN='CN=Users,DC=example,DC=local', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(|(sAMAccountName=non-existent)(mail=non-existent))', attrs={*, +})]
DEBUG 2024-10-10T13:06:30.516Z c.p.l.r.internal.SerializationUtils - Search result has entryCount=0
The “non-existent” message and the “Search result has entryCount=0” message indicate the user has entered an incorrect username (or the user record has been deleted in Active Directory).

If the LDAP gateway connects to PingDirectory, similar messages are also recorded to the gateway client application log.

How do I know if a user has entered an incorrect password?

If the LDAP gateway connects to AD, when the provided username is valid but the provided password is not, look for a DEBUG message similar to the following sample in the gateway client application log:

WARN  2024-10-11T14:09:25.545Z c.p.l.l.RawLdapSearchesThenOpRequestHandler - Received ldap result for requestId=a8336c85-6980-4436-82a2-3f2fcdb3c454, resultCode=49 (invalid credentials), resultDetails=BindResult(resultCode=49 (invalid credentials), messageID=3, diagnosticMessage='80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ', hasServerSASLCredentials=false)

The resultCode=49 message indicates the user has entered an incorrect password.

If the LDAP gateway connects to PingDirectory, a similar resultCode=49 message is also recorded to the gateway client application log.

My LDAP gateway user migration failed

If your LDAP gateway user migration fails, search for the Gateway User Migration Failed event in the list of Audit Reporting Events. This event is triggered when a just-in-time (JIT) migration is attempted but rejected by the PingOne API.

The event message Migration for Gateway User <username> failed through Gateway <gateway ID> using User Type <user type ID> due to error: <error message> shows the following details:

  • username: The username retrieved from the on-prem LDAP server.

  • error: The error returned when attempting to import the user using the PingOne API.

Common failure scenarios include:

  • Username and password sign-on: The user authenticated against LDAP, but PingOne couldn’t create a profile for them in the cloud.

  • Kerberos authentication: The Kerberos token was validated, but the JIT provisioning step failed due to missing or malformed attributes.