Troubleshooting LDAP authentication
Use the information in this section to troubleshoot any LDAP authentication issues.
Users receive an error when signing on or changing their password
A user receives the following error message when signing on or trying to change their password:
A system error occurred when accessing your account for authentication. Contact your administrator.
This error can indicate that the user’s account needs to be updated in the external Lightweight Directory Access Protocol (LDAP) directory server. Check the user’s account in the external directory server. If you have an LDAP gateway configured, ensure that it’s configured properly.
I’m getting an Active Directory password modify error
For LDAP gateway connections using Active Directory (AD), you might see password modify errors in your LDAP gateway client logs.
This error can appear as a failure to change a password using a service account in AD. The error appears as either of the following:
LDAP password change result requestId=be2f0fb3-a090-4bf5-ab9c-97a9e480f6e3, resultCode=19 (constraint violation), resultDetails=LDAPResult(resultCode=19 (constraint violation), diagnosticMessage='00000005: AtrErr: DSID-03191080, #1: 0: 00000005: DSID-03191080, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)')
LDAP password change result requestId=be2f0fb3-a090-4bf5-ab9c-97a9e480f6e3, resultCode=50 (insufficient access rights), resultDetails=LDAPResult(resultCode=50 (insufficient access rights), diagnosticMessage='00000005: SecErr: DSID-031A11B9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0')
Learn more about the recommended configuration for the service account in AD in Best practices for configuring Active Directory for LDAP gateways.
How do I know if a user has entered an incorrect username?
If the LDAP gateway connects to Active Directory, when the provided username cannot locate a user record in AD, look for two DEBUG messages similar to the following samples in the gateway client application log:
DEBUG 2024-10-10T13:06:30.495Z c.p.l.l.RawLdapSearchesThenOpRequestHandler - Processing message=rawLdapSearchesThenOpRequest requestId=853ea174-6ccf-475d-9db3-a5f38edde100 searches=[SearchRequest(baseDN='CN=Users,DC=example,DC=local', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(|(sAMAccountName=non-existent)(mail=non-existent))', attrs={*, +})]
DEBUG 2024-10-10T13:06:30.516Z c.p.l.r.internal.SerializationUtils - Search result has entryCount=0 The “non-existent” message and the “Search result has entryCount=0” message indicate the user has entered an incorrect username (or the user record has been deleted in Active Directory).
If the LDAP gateway connects to PingDirectory, similar messages are also recorded to the gateway client application log.
How do I know if a user has entered an incorrect password?
If the LDAP gateway connects to AD, when the provided username is valid but the provided password is not, look for a DEBUG message similar to the following sample in the gateway client application log:
WARN 2024-10-11T14:09:25.545Z c.p.l.l.RawLdapSearchesThenOpRequestHandler - Received ldap result for requestId=a8336c85-6980-4436-82a2-3f2fcdb3c454, resultCode=49 (invalid credentials), resultDetails=BindResult(resultCode=49 (invalid credentials), messageID=3, diagnosticMessage='80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ', hasServerSASLCredentials=false)
The resultCode=49 message indicates the user has entered an incorrect password.
If the LDAP gateway connects to PingDirectory, a similar resultCode=49 message is also recorded to the gateway client application log.