Support Questions

WELI · ‎12-07-2015

07 Dec 2015 11:33:12  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
07 Dec 2015 11:33:13  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
07 Dec 2015 11:33:13  INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
07 Dec 2015 11:33:13  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
07 Dec 2015 11:33:13  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
07 Dec 2015 11:33:13  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
07 Dec 2015 11:33:13 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 30000 milliseconds. Error details:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580^@]
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
  at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
  at javax.naming.InitialContext.init(InitialContext.java:244)
  at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
  at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
  at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:262)
  at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
  at java.lang.Thread.run(Thread.java:745)

spolavarapu · ‎12-07-2015

Mike,

This error usually occurs if the bind credentials (bind dn and/or bind password) are incorrect. Can you please verify those?

View solution in original post

nsabharwal · ‎12-07-2015

@Mike Li please check the credentials and ldap configs

http://www-01.ibm.com/support/docview.wss?uid=swg21290631

nsabharwal · ‎12-07-2015

@Mike Li

https://confluence.atlassian.com/display/CONFKB/User+directory+sync+fails+with+LDAP+Error+Code+49

52e = invalid credentials

LDAP: error code 49-80090308:LdapErr: DSID-0C0903CF, comment:AcceptSecurityContext error, data 52e,

WELI · ‎12-07-2015

Thanks all for providing possible reasons and solutions. I verified the user and password, they are correct. The only thing I can think of now is that whether from SysAdmin/Unix side, they need doing something, like to grant these users/goups to access the boxes??

nsabharwal · ‎12-07-2015

@Mike Li

Yes..thats true. Look into sssd or nslcd.

Are you able to access LDAP broweser using LDAP credentials?

WELI · ‎12-08-2015

Yes. I can use LDAP browser\Editor using the same credential.

WELI · ‎12-09-2015

Neeraj,

You are right the password got messed up. After correcting it, it starts to sync users/groups with AD.

Mike

nsabharwal · ‎12-09-2015

@Mike Li Did it help to resolve the issue? Thanks for confirming and updating the thread.

spolavarapu · ‎12-07-2015

Mike,

This error usually occurs if the bind credentials (bind dn and/or bind password) are incorrect. Can you please verify those?

WELI · ‎12-08-2015

But I am sure my user and credentials are right, since I can use the credential in LDAP browser.

WELI · ‎12-09-2015

Thank you.

emaxwell · ‎12-07-2015

The cause of the LDAP 49 error can vary. You need to check the data code to determine what the actual cause is. Here is a table of the various 49 errors/data codes and what they mean:

49 - LDAP_INVALID_CREDENTIALS - Indicates that during a bind operation one of the following occurred: The client passed either an incorrect DN or password, or the password is incorrect because it has expired, intruder detection has locked the account, or another similar reason. See the data code for more information.

49 / 52e - AD_INVALID CREDENTIALS - Indicates an Active Directory (AD) AcceptSecurityContexterror, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49.

49 / 525 - USER NOT FOUND - Indicates an Active Directory (AD) AcceptSecurityContextdata error that is returned when the username is invalid.

49 / 530 - NOT_PERMITTED_TO_LOGON_AT_THIS_TIME - Indicates an Active Directory (AD) AcceptSecurityContextdata error that is logon failure caused because the user is not permitted to log on at this time. Returns only when presented with a valid username and valid password credential.

49 / 531 - RESTRICTED_TO_SPECIFIC_MACHINES - Indicates an Active Directory (AD) AcceptSecurityContextdata error that is logon failure caused because the user is not permitted to log on from this computer. Returns only when presented with a valid username and valid password credential.

49 / 532 - PASSWORD_EXPIRED - Indicates an Active Directory (AD) AcceptSecurityContextdata error that is a logon failure. The specified account password has expired. Returns only when presented with valid username and password credential.

49 / 533 - ACCOUNT_DISABLED - Indicates an Active Directory (AD) AcceptSecurityContextdata error that is a logon failure. The account is currently disabled. Returns only when presented with valid username and password credential.

49 / 568 - ERROR_TOO_MANY_CONTEXT_IDS - Indicates that during a log-on attempt, the user's security context accumulated too many security IDs. This is an issue with the specific LDAP user object/account which should be investigated by the LDAP administrator.

49 / 701 - ACCOUNT_EXPIRED - Indicates an Active Directory (AD) AcceptSecurityContextdata error that is a logon failure. The user's account has expired. Returns only when presented with valid username and password credential.

49 / 773 - USER MUST RESET PASSWORD - Indicates an Active Directory (AD) AcceptSecurityContextdata error. The user's password must be changed before logging on the first time. Returns only when presented with valid user-name and password credential.

shashankkumar_m · ‎03-17-2018

Thank you @emaxwell it worked for me.

Support Questions

Ranger user sync error: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF