I am trying to authenticate users through a secured AD LDS server from a Spring Boot application, and I have been facing an issue for 2 weeks now; no solution I found on the internet has worked for me.

First I had an error saying that I need to bind before the operation can succeed. I added the right properties to the context source, but now I am getting error code 80, which gives me no clue about the cause.

Here is my code:

Application.yml

spring:
  ldap:
    url: ldaps://<hostname>:636
    base: DC=<dc>,DC=<dc>
    username: CN=<cn>,OU=Privileged,OU=<ou>,OU=<ou>,OU=<ou>,DC=<dc>,DC=<dc>
    password: <secret>
    # raw JNDI environment properties passed through to the context source
    base-environment:
      com.sun.jndi.ldap.connect.timeout: 500
management:
  health:
    ldap:
      enabled: false

Configuration.java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.DependsOn;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

// Context source used for the service ("bind") account; the same values as in application.yml.
@Bean
@DependsOn("frameworkInstance")
public LdapContextSource contextSource() {
    LdapContextSource contextSource = new LdapContextSource();
    contextSource.setUrl("ldaps://<hostname>:636");
    contextSource.setBase("<base>");
    contextSource.setUserDn("CN=<cn>,OU=<ou>,OU=<ou>,OU=<ou>,OU=<ou>,DC=<dc>,DC=<dc>");
    contextSource.setPassword("<secret>");
    // Spring already calls afterPropertiesSet() on InitializingBean beans; calling it here is harmless.
    contextSource.afterPropertiesSet();
    return contextSource;
}

@Bean
@DependsOn("frameworkInstance")
public LdapTemplate ldapTemplate() {
    return new LdapTemplate(contextSource());
}

My auth process :

import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.Filter;
import org.springframework.ldap.support.LdapUtils;

// Search for the user's entry by cn (empty name = search from the context source's base DN),
// then bind as that entry with the supplied password.
Filter filter = new EqualsFilter("cn", "<cn>");
ldapTemplate.authenticate(LdapUtils.emptyLdapName(), filter.encode(), "<secret>");

The error code is :

Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 80 - 80090304: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 20ee, v3839\u0000]

I tried everything for a couple of days but nothing ... The account used for the "bind" and for the authentication is the same, to ensure that the auth will be successful. Keep in mind that the words between chevrons are hidden because this is a production environment; I am not allowed to display credentials, etc.

Do you please have any clues to resolve this issue? It's very critical.

Best regards,

Hamza Khattabi
  • I would use a known LDAP tool to make the connection: ldapsearch (command line utility) or https://directory.apache.org/studio/. The error code is NOT an LDAP error but some server error code, so I am guessing it is something in the setup. Also look at: https://social.technet.microsoft.com/Forums/en-US/0a66d236-7416-40b7-a01d-d68aa187b029/ad-lds-unable-to-bind-with-the-domainadministrator?forum=winserverDS – jwilleke Jan 01 '22 at 10:38
  • LDAP: error code 80 - The password provided by the user did not match any password(s) stored in the user's entry Worker . Any idea about this error ? – rinilnath Jul 21 '22 at 06:48

1 Answer


In the error message, the data 20ee indicates the Windows System Error Code. According to the Microsoft documentation, that is:

ERROR_DS_INTERNAL_FAILURE

8430 (0x20EE)

The directory service encountered an internal failure.

I don't think that indicates any problem with your code. It sounds more like a problem with your Active Directory environment.

Have you tried connecting via regular LDAP rather than LDAPS? (ldap://<hostname>). If that works, then it would indicate a problem with the LDAPS configuration.

As a side note, if you indicate ldaps:// in the path, you don't need to include :636, since that is the default LDAPS port.

Gabriel Luci
  • Hi, thank you for your answer. I will try to connect without LDAPS, but I think I am not authorized as it is a production AD. But the Microsoft Documentation helped me a lot, I will discuss with the AD administrator. Thanks. – Hamza Khattabi Jan 03 '22 at 08:05
  • LDAP: error code 80 - The password provided by the user did not match any password(s) stored in the user's entry Worker . Any idea about this error? – rinilnath Jul 21 '22 at 06:48
  • @rinilnath No, I have no idea. That doesn't sound like a message from Active Directory. You would be better off to ask your own question and show your code. – Gabriel Luci Jul 21 '22 at 12:52
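The "data 20ee" lookup the answer does by hand is worth automating, because the same AcceptSecurityContext comment carries the useful sub-status for every failed bind (wrong password, locked account, expired password and so on), and Spring only surfaces it inside the exception text. The following Python helper is an added example and is not code from the question, the answer, or Spring LDAP: it parses the AD / AD LDS diagnostic string as it appears in the NamingException message, decodes the leading SSPI status and the "data" code into their Windows names, and buckets the result into credentials / account / server problems. The code tables are the documented Windows values; the two sample messages are constructed (the first copies the one in the question, the second is a typical wrong-password bind), and the classify() buckets are this example's own convention.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows sub-status codes that AD / AD LDS append as "data <hex>" to the
# diagnostic comment of a failed bind (hex value -> winerror.h name).
DATA_CODES = {
    0x525: "ERROR_NO_SUCH_USER: user name not found (or entry not readable by the binder)",
    0x52E: "ERROR_LOGON_FAILURE: wrong password, or malformed bind DN / user name",
    0x530: "ERROR_INVALID_LOGON_HOURS: not permitted to log on at this time",
    0x531: "ERROR_INVALID_WORKSTATION: not permitted to log on from this workstation",
    0x532: "ERROR_PASSWORD_EXPIRED: password expired",
    0x533: "ERROR_ACCOUNT_DISABLED: account disabled",
    0x701: "ERROR_ACCOUNT_EXPIRED: account expired",
    0x773: "ERROR_PASSWORD_MUST_CHANGE: user must change password at next logon",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT: account locked out",
    0x20EE: "ERROR_DS_INTERNAL_FAILURE: the directory service encountered an internal failure",
}

# SSPI status that precedes "LdapErr:" in the comment (the "80090304:" part).
SSPI_STATUS = {
    0x80090304: "SEC_E_INTERNAL_ERROR",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
}

# Matches the AD diagnostic as JNDI / Spring LDAP embed it in the exception text.
_AD_DIAG = re.compile(
    r"LDAP: error code (?P<rc>\d+) - "
    r"(?:(?P<sspi>[0-9A-Fa-f]{8}): )?"
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+?), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


@dataclass
class AdLdapError:
    result_code: int            # LDAP result code (49 = invalidCredentials, 80 = other)
    sspi_status: Optional[int]  # leading SSPI status, if present
    sspi_name: str
    dsid: str                   # server-side source location tag, useful for Microsoft support
    comment: str
    data: int                   # Windows sub-status from "data <hex>"
    description: str


def decode_ad_ldap_error(message: str) -> Optional[AdLdapError]:
    """Parse an AD / AD LDS diagnostic out of an exception message, or return None."""
    # AD terminates the comment with a NUL; some loggers render it literally as \u0000.
    cleaned = message.replace("\\u0000", "").replace("\x00", "")
    m = _AD_DIAG.search(cleaned)
    if not m:
        return None
    data = int(m["data"], 16)
    sspi = int(m["sspi"], 16) if m["sspi"] else None
    return AdLdapError(
        result_code=int(m["rc"]),
        sspi_status=sspi,
        sspi_name=SSPI_STATUS.get(sspi, "unknown") if sspi is not None else "",
        dsid=m["dsid"],
        comment=m["comment"].strip(),
        data=data,
        description=DATA_CODES.get(data, "unknown data code"),
    )


def classify(err: AdLdapError) -> str:
    """Bucket the failure so the caller knows whether to blame the user, the account, or the server."""
    if err.data in (0x525, 0x52E):
        return "credentials"   # retry with correct credentials; do not escalate
    if err.data in (0x530, 0x531, 0x532, 0x533, 0x701, 0x773, 0x775):
        return "account"       # credentials were right; the account state blocks the logon
    if err.data == 0x20EE or err.result_code == 80:
        return "server"        # nothing the client can fix; involve the directory admins
    return "unknown"


# Constructed samples: the first is the message from the question, the second a typical
# wrong-password bind (result 49, SEC_E_LOGON_DENIED, data 52e).
SAMPLE_QUESTION = (
    "Uncategorized exception occured during LDAP processing; nested exception is "
    "javax.naming.NamingException: [LDAP: error code 80 - 80090304: LdapErr: DSID-0C090447, "
    "comment: AcceptSecurityContext error, data 20ee, v3839\\u0000]"
)
SAMPLE_BAD_PASSWORD = (
    "[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09042F, "
    "comment: AcceptSecurityContext error, data 52e, v2580\\u0000]"
)

if __name__ == "__main__":
    for sample in (SAMPLE_QUESTION, SAMPLE_BAD_PASSWORD):
        err = decode_ad_ldap_error(sample)
        print(f"{classify(err):>11}  rc={err.result_code} {err.sspi_name} data={err.data:#x}  {err.description}")
```

Running it prints "server" for the question's message (data 0x20ee, SEC_E_INTERNAL_ERROR) and "credentials" for the constructed bad-password bind, which is exactly the split the answer makes by hand: result 80 with data 20ee is not a client-side credential problem, so the next step is the directory administrator, not another round of Spring configuration.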