[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: When login from one application, "error=49" error show up, but other application's login are all right.



On Fri, Mar 04, 2011 at 11:01:28AM +0000, mahaoboy@gmail.com wrote:
> To: openldap-its@openldap.org

This is not a bug-report at this stage so I am directing replies to
openldap-technical@openldap.org.

> This user can logged in confluence successfully, but when could not log in
> fisheye.

> Log of confluence logging:

>  conn=5 op=8052 SRCH base="ou=eejira,o=nsn" scope=2 deref=3
> filter="(&(objectClass=person)(uid=jirasupport))" 

>  conn=5 op=8052 ENTRY dn="cn=jirasupport,ou=people,ou=eejira,o=nsn" 
>  conn=5 op=8052 SEARCH RESULT tag=101 err=0 nentries=1 text= 

>  conn=8 op=0 BIND dn="cn=jirasupport,ou=people,ou=eejira,o=nsn" method=128 
>  conn=8 op=0 BIND dn="cn=jirasupport,ou=People,ou=eejira,o=nsn" mech=SIMPLE ssf=0 
>  conn=8 op=0 RESULT tag=97 err=0 text= 

All OK so far.

> Log of fisheye logging:

>  conn=5 op=8051 SRCH base="ou=eejira,o=nsn" scope=2 deref=3
> filter="(&(objectClass=person)(uid=jirasupport))" 

>  conn=5 op=8051 ENTRY dn="cn=jirasupport,ou=people,ou=eejira,o=nsn" 
>  conn=5 op=8051 SEARCH RESULT tag=101 err=0 nentries=1 text= 

>  conn=7 op=0 BIND dn="cn=jirasupport,ou=people,ou=eejira,o=nsn" method=128 
>  conn=7 op=0 RESULT tag=97 err=49 text= 

Error 49 (decimal) is 0x31 (hex) which is LDAP_INVALID_CREDENTIALS
so the password does not match.

> And other users are all right for logging in all applications.

My guess would be that there is something odd about this user's
password. Be aware that most existing LDAP client software treats
passwords as strings of binary without consideration of character set
encoding. This can lead to problems where an account has a password that
cannot be represented in 7-bit ASCII. There is nothing that the LDAP
server can do about this, as it does not know what character set the
application is using.

I would suggest changing this account's password to a new one using
only printable 7-bit characters. You can maintain good security by
making the password longer (but beware that the old Unix-crypt hash
scheme only uses the first 8 characters so avoid that if you can: SSHA1
is far better).

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------