Ranger user sync error: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF

07 Dec 2015 11:33:12  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
07 Dec 2015 11:33:13  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
07 Dec 2015 11:33:13  INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
07 Dec 2015 11:33:13  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
07 Dec 2015 11:33:13  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
07 Dec 2015 11:33:13  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
07 Dec 2015 11:33:13 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 30000 milliseconds. Error details:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580^@]
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
  at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
  at javax.naming.InitialContext.init(InitialContext.java:244)
  at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
  at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
  at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:262)
  at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
  at java.lang.Thread.run(Thread.java:745)
Thank you.

The cause of the LDAP 49 error can vary. You need to check the data code to determine what the actual cause is. Here is a table of the various 49 errors/data codes and what they mean:

49 - LDAP_INVALID_CREDENTIALS - Indicates that during a bind operation one of the following occurred: The client passed either an incorrect DN or password, or the password is incorrect because it has expired, intruder detection has locked the account, or another similar reason. See the data code for more information.

49 / 52e - AD_INVALID_CREDENTIALS - Indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49.

49 / 525 - USER NOT FOUND - Indicates an Active Directory (AD) AcceptSecurityContext data error that is returned when the username is invalid.

49 / 530 - NOT_PERMITTED_TO_LOGON_AT_THIS_TIME - Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure caused because the user is not permitted to log on at this time. Returns only when presented with a valid username and valid password credential.

49 / 531 - RESTRICTED_TO_SPECIFIC_MACHINES - Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure caused because the user is not permitted to log on from this computer. Returns only when presented with a valid username and valid password credential.

49 / 532 - PASSWORD_EXPIRED - Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The specified account password has expired. Returns only when presented with a valid username and password credential.

49 / 533 - ACCOUNT_DISABLED - Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The account is currently disabled. Returns only when presented with a valid username and password credential.

49 / 568 - ERROR_TOO_MANY_CONTEXT_IDS - Indicates that during a logon attempt, the user's security context accumulated too many security IDs. This is an issue with the specific LDAP user object/account which should be investigated by the LDAP administrator.

49 / 701 - ACCOUNT_EXPIRED - Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The user's account has expired. Returns only when presented with a valid username and password credential.

49 / 773 - USER MUST RESET PASSWORD - Indicates an Active Directory (AD) AcceptSecurityContext data error. The user's password must be changed before logging on the first time. Returns only when presented with a valid username and password credential.
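A small triage script, added here as an example (it is not from this thread and not part of Ranger), that pulls the LDAP result code and the AD `data` sub-code out of a JNDI `AuthenticationException` like the one in the question and looks it up in the table above. It also splits the codes into ones you fix on the usersync side (wrong bind DN or password) and ones that describe the state of the sync account in AD (expired, disabled, locked, restricted). The `775` lockout entry and that client-side/AD-side split are my additions, not from the reply; the sample log lines are constructed from the trace in the question, with the trailing `^@` written as a real NUL byte.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# AD "data" sub-codes seen with LDAP result code 49, from the table above,
# plus 775 (ERROR_ACCOUNT_LOCKED_OUT), which the table does not list.
# Each value is the hex low word of the Windows error, e.g. 0x52e == 1326 == ERROR_LOGON_FAILURE.
# The bool says whether the fix is in the client's bind configuration (True)
# or in the account's state on the AD side (False); that split is my own, not from the reply.
AD_DATA_CODES = {
    "525": ("USER NOT FOUND", True),
    "52e": ("INVALID CREDENTIALS", True),
    "530": ("NOT PERMITTED TO LOGON AT THIS TIME", False),
    "531": ("RESTRICTED TO SPECIFIC MACHINES", False),
    "532": ("PASSWORD EXPIRED", False),
    "533": ("ACCOUNT DISABLED", False),
    "568": ("TOO MANY CONTEXT IDS", False),
    "701": ("ACCOUNT EXPIRED", False),
    "773": ("USER MUST RESET PASSWORD", False),
    "775": ("ACCOUNT LOCKED OUT", False),
}

# JNDI wraps the server's diagnostic message as "[LDAP: error code NN - <message>]".
# The AD-specific part (HRESULT, DSID, comment, data) is optional so that
# non-AD servers, which only return "Invalid Credentials", still parse.
LDAP_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+)"
    r"(?: - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r" comment: (?P<comment>[^,\]]+), data (?P<data>[0-9A-Fa-f]+))?"
)


@dataclass
class BindFailure:
    result_code: int
    ad_data: Optional[str]   # e.g. "52e"; None when the server did not send an AD data code
    comment: Optional[str]   # e.g. "AcceptSecurityContext error"
    meaning: str
    client_side: bool        # True: fix bind DN / password in the usersync config


def classify(message: str) -> Optional[BindFailure]:
    """Parse one log line; return None when it carries no JNDI LDAP error."""
    m = LDAP_ERR_RE.search(message)
    if m is None:
        return None
    code = int(m.group("code"))
    data = m.group("data")
    comment = m.group("comment")
    if code != 49:
        return BindFailure(code, data, comment,
                           f"LDAP result code {code} (not an invalid-credentials bind failure)", False)
    if data is None:
        # Generic LDAP_INVALID_CREDENTIALS: the server gave no finer reason.
        return BindFailure(code, None, comment,
                           "LDAP_INVALID_CREDENTIALS (no AD data code; check bind DN and password)", True)
    meaning, client_side = AD_DATA_CODES.get(data.lower(), (f"unknown AD data code {data}", False))
    return BindFailure(code, data.lower(), comment, meaning, client_side)


def triage(log_lines: Iterable[str]) -> List[Tuple[int, BindFailure]]:
    """Return (1-based line number, BindFailure) for every line that carries an LDAP error."""
    hits: List[Tuple[int, BindFailure]] = []
    for n, line in enumerate(log_lines, 1):
        failure = classify(line)
        if failure is not None:
            hits.append((n, failure))
    return hits


# Constructed sample: the INFO and exception lines from the question, plus a
# made-up third line showing what a disabled sync account would look like.
SAMPLE_LOG = [
    "07 Dec 2015 11:33:13  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, "
    "comment: AcceptSecurityContext error, data 52e, v2580\x00]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, "
    "comment: AcceptSecurityContext error, data 533, v2580\x00]",
]

if __name__ == "__main__":
    for n, f in triage(SAMPLE_LOG):
        where = "usersync bind config" if f.client_side else "AD account state (ask the AD admin)"
        print(f"line {n}: code {f.result_code} data {f.ad_data}: {f.meaning} -> {where}")
```

Run it against the usersync log (`python triage.py < usersync.log` after swapping `SAMPLE_LOG` for `sys.stdin`). For the `52e` in the question the fix is on the Ranger side: the value of `ranger.usersync.ldap.ldapbindpassword` does not match the account named in `ranger.usersync.ldap.binddn` in ranger-ugsync-site.xml. Two practitioner notes: `525` versus `52e` tells a caller whether the account exists before any password is right, so an AD exposed for simple binds leaks valid usernames to anyone who can reach the LDAP port; and repeated retries every 30000 ms with a wrong password, as the log shows, will count against the sync account's lockout threshold and can turn a `52e` into a `775`.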

Thank you @emaxwell it worked for me.