Pivotal Knowledge Base


LDAP User Login Error: "LDAP: Error Code 49 - Invalid Credentials"

Environment

Product                  Version
Pivotal Cloud Foundry    1.6.x, 1.7.x
OS                       All Supported OS

Symptom

When a customer tries to cf login with an LDAP user, it fails:

# cf login
API endpoint: https://api.system.example.com
Email> bbb@example.com
Password>
Authenticating...
Credentials were rejected, please try again.
...

API endpoint: https://api.system.example.com (API version: 2.54.0)
Not logged in. Use 'cf login' to log in.
FAILED
Unable to authenticate. 

In the UAA log there is a more detailed error message:

[2016-09-27 06:31:25.681] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- LdapAuthenticationProvider: Processing authentication request for user: bbb@example.com
[2016-09-27 06:31:25.681] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- FilterBasedLdapUserSearch: Searching for user 'bbb@example.com', with user search [ searchFilter: 'cn={0}', searchBase: 'ou=uiusers,ou=dac,dc=example,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
...
[2016-09-27 06:31:25.687] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- BackwardsCompatibleTokenEndpointAuthenticationFilter: Authentication request for failed: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

Cause

The error listed in this article can be triggered in a few different scenarios. We have primarily seen it occur when Ops Manager & ERT have been configured to use LDAP: the configuration deploys and works, but at some point after the deployment the credentials of the LDAP bind user are changed and Ops Manager & ERT are not updated. UAA may continue to function if it can bind anonymously to your LDAP server; if anonymous bind is disabled, however, the UAA server fails to authenticate users and logs the message shown above.

Other possible triggers are a password entered incorrectly in Ops Manager and applied to the environment, or a manual edit of the UAA configuration file followed by a restart of UAA.

Resolution

1. Refer to this article and install ldapsearch. To make sure the user's password is correct, create a new user with the email user1@example.com and a simple password. Then run ldapsearch with exactly the same search base and filter that appear in the UAA log:

ldapsearch -H "ldap://192.0.2.0:389" -D "cn=pcfldap,ou=sysusers,dc=example,dc=com" \
  -W -b "ou=uiusers,ou=dac,dc=example,dc=com" 'cn=user1@example.com'

It returns the user information successfully, and the output ends with #numEntries: 1.

2. The step above confirms that the user exists in LDAP and that ldapsearch can find the user with exactly the same search base and search filter that cf login uses.

3. The Invalid Credentials error message may indicate that the admin user's password (the LDAP bind user's credentials configured in Ops Manager) is wrong. Go to Ops Manager, update the password and click Apply Changes. Contact support if you have any problems updating the credentials through Ops Manager; we may need to check the /var/vcap/jobs/uaa/config/uaa.yml file on the UAA VM and provide a workaround.
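The check in step 1 reproduces the search base and filter by retyping them from the UAA log. The following helper, added here as an example and not part of the article or of UAA, reads those two values out of the FilterBasedLdapUserSearch log line itself, substitutes the login name for the {0} placeholder, and prints the equivalent ldapsearch command. The log line, LDAP URL and bind DN below are constructed sample values.

```bash
#!/bin/sh
# Added example: derive the ldapsearch check from UAA's FilterBasedLdapUserSearch
# log line, so the base and filter used by cf login are reproduced exactly.

# Constructed sample UAA log line (same shape as the one in the Symptom section).
UAA_LOG_LINE="[2016-09-27 06:31:25.681] uaa - 31377 [http-bio-8080-exec-4] .... DEBUG --- FilterBasedLdapUserSearch: Searching for user 'bbb@example.com', with user search [ searchFilter: 'cn={0}', searchBase: 'ou=uiusers,ou=dac,dc=example,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]"

# Extract the single-quoted value that follows a key (searchFilter or searchBase).
# $1 = log line, $2 = key name
uaa_log_field() {
  printf '%s\n' "$1" | sed -n "s/.*$2: '\([^']*\)'.*/\1/p"
}

# Build the filter UAA sends: replace the {0} placeholder with the login name.
# $1 = searchFilter template, $2 = user name as typed at the cf login prompt
uaa_filter_for_user() {
  printf '%s\n' "$1" | sed "s/[{]0[}]/$2/"
}

# Print the ldapsearch command equivalent to UAA's user lookup.
# $1 = LDAP URL, $2 = bind DN (the LDAP bind user configured in Ops Manager),
# $3 = UAA log line, $4 = user name to look up
uaa_ldapsearch_cmd() {
  base=$(uaa_log_field "$3" searchBase)
  filter=$(uaa_filter_for_user "$(uaa_log_field "$3" searchFilter)" "$4")
  printf "ldapsearch -H '%s' -D '%s' -W -b '%s' '(%s)'\n" "$1" "$2" "$base" "$filter"
}

# Placeholder URL and bind DN. -W prompts for the bind password, so an
# "Invalid credentials (49)" from this command points at the bind user's
# password, while "numEntries: 1" confirms the base and filter are right.
uaa_ldapsearch_cmd "ldap://ldap.example.com:389" \
  "cn=pcfldap,ou=sysusers,dc=example,dc=com" "$UAA_LOG_LINE" "user1@example.com"
```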
