
Error on lookup of LDAP user

I tried to configure LDAP authentication but get stuck with an error message when trying to look up users:

Create User Account -> Lookup LDAP user -> Enter search string -> click on "Find" -> Error: "Oops! An error has occurred"

The error message in /var/log/tomcat7/localhost.2015-11-20.log is:

SCHWERWIEGEND: Servlet.service() for servlet [pages] in context with path [/OpenClinica] threw exception [Request processing failed; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580]] with root cause

My LDAP configuration in datainfo.properties:

ldap.enabled=true
ldap.host=ldap://ads01:389
ldap.userDn=CN=kjpproxy,OU=Benutzer,OU=Klinik fuer Kinder- und Jugendpsychiatrie,OU=Zentrum für Psychosoziale Medizin,OU=Departments Kliniken Zentren,OU=Klinikum Heidelberg,DC=ads,DC=krz,DC=uni-heidelberg,DC=de
ldap.password=*****
ldap.userSearch.baseDn=DC=ads,DC=krz,DC=uni-heidelberg,DC=de
ldap.userSearch.query=(sAMAccountName=*{0}*)

Searching LDAP users on the host works, for example with:

ldapsearch -H ldap://ads01:389 -b DC=ads,DC=krz,DC=uni-heidelberg,DC=de -D "CN=KJPProxy,OU=Benutzer,OU=Klinik fuer Kinder- und Jugendpsychiatrie,OU=Zentrum für Psychosoziale Medizin,OU=Departments Kliniken Zentren,OU=Klinikum Heidelberg,DC=ads,DC=krz,DC=uni-heidelberg,DC=de" -w ***** "(sAMAccountName=*peter*)" | grep sAMAccountName:

My system: Ubuntu 14.04, OC 3.8, Active Directory

Comments

  • Colin_Sutton Posts: 15
    Is the CN case sensitive? KJPProxy or kjpproxy?
  • parzer Posts: 5
    The CN is not case sensitive. It also works with all lowercase:

    ldapsearch -H ldap://ads01:389 -b dc=ads,dc=krz,dc=uni-heidelberg,dc=de -D "cn=kjpproxy,ou=benutzer,ou=klinik fuer kinder- und jugendpsychiatrie,ou=zentrum für psychosoziale medizin,ou=departments kliniken zentren,ou=klinikum heidelberg,dc=ads,dc=krz,dc=uni-heidelberg,dc=de" -w *** "(samaccountname=*peter*)" | grep sAMAccountName:


  • [Deleted User] Posts: 0
    We had the same problem when authenticating against our Microsoft ADS environment. When we changed the ldap.UserDN parameter to use a fully qualified username instead of the CN,OU,DC version we had no problem authenticating.

    Your fully qualified ldap.UserDn should probably look something like this:

    [email protected]
  • parzer Posts: 5
    That solved the problem. Thank you very much.
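The thread resolves by changing the bind identity from a distinguished name to a "fully qualified username" (a user principal name, sAMAccountName@domain). The script below is an added example, not OpenClinica's code and not code posted by anyone in the thread: it decodes the `data 52e` sub-code from the Tomcat log above, derives the UPN form from the DN in the posted configuration (it assumes the proxy account's sAMAccountName is `kjpproxy`, which the post does not confirm), escapes a search string before substituting it into the `ldap.userSearch.query` template, and, when run directly, binds with both identities using the `ldap3` library (my choice for the reproduction; OpenClinica itself binds through Spring LDAP). The password and host in the `__main__` block are placeholders.

```python
"""Decode an AD bind failure, build DN vs UPN bind identities, and escape
search input for the (sAMAccountName=*{0}*) template. Added example only."""
import re
from typing import Optional

# Values taken from the posted datainfo.properties / log (password elided there).
BASE_DN = "DC=ads,DC=krz,DC=uni-heidelberg,DC=de"
USER_DN = ("CN=kjpproxy,OU=Benutzer,OU=Klinik fuer Kinder- und Jugendpsychiatrie,"
           "OU=Zentrum für Psychosoziale Medizin,OU=Departments Kliniken Zentren,"
           "OU=Klinikum Heidelberg," + BASE_DN)
QUERY_TEMPLATE = "(sAMAccountName=*{0}*)"
SAMPLE_LOG_LINE = ("SCHWERWIEGEND: Servlet.service() for servlet [pages] threw exception "
                   "[Request processing failed; nested exception is "
                   "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 "
                   "- 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext "
                   "error, data 52e, v2580]]")

# Sub-codes AD puts in the "data NNN" field of an "error code 49" bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind identity not accepted)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_AD_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<ntstatus>[0-9A-Fa-f]+): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(message: str) -> Optional[dict]:
    """Pull the AD fields out of a log line or ldap3 result message; None if absent."""
    m = _AD_ERR.search(message)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "ldap_code": int(m.group("code")),
        "ntstatus": m.group("ntstatus"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


def dns_domain_from_dn(dn: str) -> str:
    """Join the DC= components of a DN into the AD DNS domain name.
    Splits on bare commas; DNs with RFC 4514-escaped commas are not handled."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p.split("=", 1)[1] for p in parts if p.lower().startswith("dc="))


def upn(sam_account_name: str, dn: str) -> str:
    """The 'fully qualified username' bind form: sAMAccountName@<DNS domain>."""
    return f"{sam_account_name}@{dns_domain_from_dn(dn)}"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(template: str, user_input: str) -> str:
    """Substitute {0} with the escaped search string: wildcards the admin put in the
    template survive, wildcards or parentheses typed by the user do not."""
    return template.replace("{0}", escape_filter_value(user_input))


def try_bind(host: str, identity: str, password: str) -> dict:
    """Simple bind outside OpenClinica so DN and UPN identities can be compared.
    Needs `pip install ldap3`; imported lazily so the rest works without it."""
    import ldap3
    conn = ldap3.Connection(ldap3.Server(host), user=identity, password=password,
                            authentication=ldap3.SIMPLE)
    ok = conn.bind()
    err = None if ok else parse_ad_bind_error(conn.result.get("message", ""))
    conn.unbind()
    return {"identity": identity, "bound": ok, "error": err}


if __name__ == "__main__":
    print(parse_ad_bind_error(SAMPLE_LOG_LINE))
    print(user_search_filter(QUERY_TEMPLATE, "*)(objectClass=*"))  # escaped, not injected
    host, password = "ldap://ads01:389", "CHANGE-ME"            # placeholders
    for ident in (USER_DN, upn("kjpproxy", BASE_DN)):            # "kjpproxy" assumed
        print(try_bind(host, ident, password))
```

Two things to keep in mind when running the bind check: a plain `ldap://` URL on port 389 means the proxy account's password crosses the network in clear text on every simple bind, so use `ldaps://` or StartTLS against the domain controller where possible; and AD only returns the `data 52e`/`533`/`775` detail to an unauthenticated bind, so the decoded sub-code is the fastest way to tell a wrong password from a disabled or locked proxy account before touching OpenClinica's configuration.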
This discussion has been closed.