9 Replies Latest reply: May 23, 2012 1:00 PM by 811798

    simple bind failed - Invalid credentials

    807573
      Hello yet again,

      I'm struggling to figure out some intermittent authentication failures that are being reported by my userbase and I've started to notice the following errors coming up periodically in /var/adm/messages on the LDAP client systems:

      Jul 25 16:01:48 host1 sshd[13131]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials

      ...I have no idea why this would happen only sporadically, since the proxyagent password (all of my clients are using proxy auth...I'd like to move to pam_ldap if anyone wants to help explain how! :) ) is stored in /var/ldap/ldap_client_file, right? The password is definitely there, and it hasn't changed at all in over 3 months (and I'm the only LDAP admin at the moment, so nobody else even has access).

      Note that in the error message, it's sshd that's spitting that out, which to me means that it's not possible that it's a proxyagent thing, but what I'm trying to figure out is whether this error is indicative of a login failure by a user (and if so, why isn't there a more detailed error, possibly indicating username and host from which they're attempting the connection?).

      All help and other brainstorming appreciated!

      Patrick
        • 1. Re: simple bind failed - Invalid credentials
          807573
          I suspect the password of proxyAgent had expired.

          Did you play with the Global Password Policy? If you did, some operational attributes will be there in cn=proxyAgent.

          Take a look at cn=proxyAgent, using "Edit with Generic Editor", if there is one such attribute called passwordexpirationtime, set its value to many years later, eg: 20381231000000Z

          Gary
          • 2. Re: simple bind failed - Invalid credentials
            807573
            > I suspect the password of proxyAgent had expired.

            I don't think so:

            passwordexpirationtime=20050829212334Z

            That's 8/29 of this year. Not expired, yet (that's definitely something I gotta deal with now, but it's not the cause of the problem at hand).

            > Did you play with the Global Password Policy? If you did, some operational attributes will be there in cn=proxyAgent.

            I did update the password policy using the console, but didn't do anything that explicitly affected the proxyagent user. I set up account lockouts, password attempts, etc.

            --

            Also, note that I did find out that a password failure when attempting to log in via ssh will yield the error message that I mentioned. I'm just trying to figure out where the actual login failure message is logged. I looked through my access logs on the DS server and found the bind and such, but I never found any errors to indicate that anything was wrong (!).

            Patrick
            • 3. Re: simple bind failed - Invalid credentials
              807573
              Someone had posted some hints to troubleshoot BIND and SRCH issues in access log, not sure if it would help you.

              Troubleshooting LDAP Search issue in access log
              (From Fedora Directory Server mail list archive)

              ===
              Look in the access log on the FDS server for connections from that workstation (grep on the IP of that workstation, or one of the user IDs that are trying to auth, etc.). When you find it, grep out conn=xxx (where xxx is the connection # from that IP) so you get the complete connection from start to finish.

              - Look at the BIND lines to see what that workstation is binding as.

              - Look at the SRCH lines, to see what basedn and filter is being used.

              - Look at the result line (right after the SRCH line) to see what the results are (though you'll probably just see err=32, which is no such object). If there are multiple SRCH lines, check each one.

              - Check the ACI's set on your suffix - in console, click on the Directory tab then right click on the top entry in your tree, and select "set permissions" (something like that - doing this from memory). Make sure the appropriate access is set.

              You may have to look throughout your tree for aci's to be sure you find everything.

              (ldapsearch -D "cn=directory manager" -w - ... -b "your basedn" "(aci=*)" "aci" to find 'em all.)

              ===
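
The client-side syslog line only reports `Status: 49` (LDAP invalidCredentials) with no user name; on the server, the same failure appears as a `RESULT err=49` line that can be paired with its `BIND` line by `conn=` and `op=`. The following is an added example, not part of the original posts: it applies the "grep out conn=xxx" procedure above to constructed log lines whose field layout is assumed to follow the Fedora/389 Directory Server access-log style.

```shell
#!/bin/sh
# Constructed sample access-log lines (hosts, DNs and timestamps are made up;
# the field layout is an assumption modelled on the FDS access log).
sample_log() {
cat <<'EOF'
[25/Jul/2005:16:01:48 -0400] conn=1234 fd=35 slot=35 connection from 10.0.0.5 to 10.0.0.1
[25/Jul/2005:16:01:48 -0400] conn=1234 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3
[25/Jul/2005:16:01:48 -0400] conn=1234 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[25/Jul/2005:16:01:48 -0400] conn=1234 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[25/Jul/2005:16:01:48 -0400] conn=1234 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Jul/2005:16:01:48 -0400] conn=1235 fd=36 slot=36 connection from 10.0.0.5 to 10.0.0.1
[25/Jul/2005:16:01:48 -0400] conn=1235 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[25/Jul/2005:16:01:48 -0400] conn=1235 op=0 RESULT err=49 tag=97 nentries=0 etime=0
EOF
}

# Print "conn=N <client-ip> <bind-dn>" for every BIND whose RESULT is err=49.
# Reads the access log on stdin. BIND and RESULT are paired by conn= and op=.
failed_binds() {
  awk '
    / connection from / {
      for (i = 1; i < NF; i++) if ($i == "from") ip[$3] = $(i + 1)
      next
    }
    / BIND / {
      # Take the DN from the whole line so DNs containing spaces survive.
      if (match($0, /dn="[^"]*"/))
        dn[$3 " " $4] = substr($0, RSTART + 4, RLENGTH - 5)
      next
    }
    / RESULT / && / err=49 / {
      key = $3 " " $4
      if (key in dn) print $3, ip[$3], dn[key]
    }
  '
}

# Print one complete connection from start to finish (the "conn=xxx" step).
# The trailing space keeps conn=1235 from also matching conn=12350.
conn_trace() {
  grep " conn=$1 "
}

sample_log | failed_binds
```

A failed bind as the proxy agent DN points at the client profile credentials; a failed bind as a user DN is an ordinary wrong-password login.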
              • 4. Re: simple bind failed - Invalid credentials
                807573
                Hey Patrick,

                I'm a little late to this forum, but I'm posting my fix anyway since I had the exact same problem and Google brought me here first!

                I was also seeing the following error in /var/adm/messages:
                Oct 27 14:48:19 vpd1th2no sshd[14529]: [ID 293258 auth.error] libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid credentials
                After a couple hours of digging and being unable to reproduce the error with any reliability, I discovered the solution. This is the error that's created when someone logs in with an incorrect password! It's perfectly normal!

                Message was edited by:
                brad.bender@sjrb.ca
                • 5. Re: simple bind failed - Invalid credentials
                  807573
                  Can anyone please help? This problem is still there. Is there anything to be done with PAM?
                  • 6. Re: simple bind failed - Invalid credentials
                    807573
                    http://www.sun.com/bigadmin/features/articles/nis_ldap_part2.jsp
                    • 7. Re: simple bind failed - Invalid credentials
                      807573
                      I've been struggling with the same error:
                      solaris10-test nscd[132]: [ID2933258 user.error] libsldap: Status 49 Mesg: openConnection: simple bind failed - Invalid credentials
                      I can't get my ldapclient to work with AD authentication. I double-checked that the binding account is correct. I successfully got Kerberos working by using the kinit command, but this error keeps showing up in my /var/adm/messages when I try to use the command getent passwd aduser. Any suggestions? Thanks
                      • 8. Re: simple bind failed - Invalid credentials
                        807573
                        This is a bind DN authentication problem

                        this works
                        ldapsearch -v -h 196.x.x.x -b OU=users,OU=dotcom,DC=pankajgautam,DC=com -D'cn=$pankaj,ou=ServiceAccounts,dc=pankajgautam,dc=com' -w 'xxxxx' "samAccountName=pg"


                        this doesn't
                        ldapsearch -v -h 196.x.x.x -b OU=users,OU=dotcom,DC=pankajgautam,DC=com -D "cn=$pankaj,ou=ServiceAccounts,dc=pankajgautam,dc=com" -w 'xxxxx' "samAccountName=pg"

                        It needs the exact bind DN user address from the AD/LDAP,
                        and also watch the double quotes
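
Why the two commands in reply 8 differ, as an added example that is not part of the original post: inside double quotes the shell expands `$pankaj` as a variable before `ldapsearch` ever runs, so the server receives a different bind DN and answers with error 49. The helper names are hypothetical, and the example assumes the account's RDN value literally begins with `$`, as the working command suggests.

```shell
#!/bin/sh
# Print an argument exactly as the invoked program would receive it.
show_arg() { printf '%s\n' "$1"; }

# Single quotes: the shell passes the text through untouched.
single_quoted() {
  show_arg 'cn=$pankaj,ou=ServiceAccounts,dc=pankajgautam,dc=com'
}

# Double quotes: $pankaj is expanded. The subshell body ( ... ) recreates a
# session where no such variable is set, so it expands to the empty string.
double_quoted() (
  set +u
  unset pankaj
  show_arg "cn=$pankaj,ou=ServiceAccounts,dc=pankajgautam,dc=com"
)

# Pre-flight check for scripts that build a bind DN: an empty DN or an empty
# RDN value ("cn=," or a trailing "=") is what unintended expansion leaves.
# Returns 0 when the DN looks mangled, 1 otherwise.
dn_looks_mangled() {
  case "$1" in
    ""|*=,*|*=) return 0 ;;
    *)          return 1 ;;
  esac
}

for dn in "$(single_quoted)" "$(double_quoted)"; do
  if dn_looks_mangled "$dn"; then
    echo "mangled bind DN: $dn"
  else
    echo "bind DN intact:  $dn"
  fi
done
```

Running scripts under `set -u` turns the silent empty expansion into an immediate "parameter not set" error instead of a failed bind.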
                        • 9. Re: simple bind failed - Invalid credentials
                          811798
                          Yes I saw the same thing on my hosts. In my case, it was telnet. When a login via telnet entered an incorrect password, the message appeared in the log.