When I use EMS to connect Windows LDAP server via SSL, why I always encounter the "LDAP authentication failed for user 'XXX', status = 35" error?
Article ID: KB0092551
Updated On:
| Products | Versions |
|---|---|
| TIBCO Enterprise Message Service | - |
| Not Applicable | - |
Description
Resolution:
There are several points may cause the "LDAP authentication failed for user 'XXX', status = 35" error:
1. Common Name of the certificate must be the machine name of Windows LDAP server.
2. Must use full domain name, such as harvey-w2k.cdc.tibco.com, in ldap_url parameter.
3. The EMS server machine can resolve and access the Windows LDAP server via its full domain name, such as harvey-w2k.cdc.tibco.com.
4. Must use Base64 encoding format certificate for ldap_tls_cacert_file parameter.
5. Must use the root certificate which signs the certificate used in Windows CA for ldap_tls_cacert_file parameter.
6. The user name used to connect EMS server by EMS client must be the "Display Name" (not the login name) of the user in Windows.
Below is the example of EMS settings to conect Windows LDAP server via SSL:
Note:
1. Windows domain name is "cdc.tibco.com"
2. Windows LDAP server machine name is "harvey-w2k"
3. Windows system admin user name is "Administrator", password is 1234
[tibemsd.conf]
# Must provide user_auth in order for the server to use LDAP
authorization = enabled
user_auth = LDAP,LOCAL
################ Sample LDAP Configuration for Microsft Active Directory
ldap_url = ldaps://harvey-w2k.cdc.tibco.com:636
ldap_principal = "CN=Administrator,CN=Users,DC=cdc,DC=tibco,DC=com"
ldap_credential = 1234
ldap_conn_type = ldaps
ldap_tls_cacert_file = D:/CA/root.cer
ldap_user_class = user
ldap_user_attribute = cn
ldap_user_filter = (&(cn=%s)(objectclass=user))
ldap_user_base_dn = "DC=cdc,DC=tibco,DC=com"
ldap_user_scope = subtree
ldap_group_base_dn = "DC=cdc,DC=tibco,DC=com"
ldap_group_scope = subtree
ldap_group_filter = "(&(cn=%s)(objectClass=group))"
ldap_static_group_class = group
ldap_static_group_attribute = cn
ldap_static_member_attribute = member
ldap_static_group_member_filter = (&(member=%s)(objectclass=group))
There are several points may cause the "LDAP authentication failed for user 'XXX', status = 35" error:
1. Common Name of the certificate must be the machine name of Windows LDAP server.
2. Must use full domain name, such as harvey-w2k.cdc.tibco.com, in ldap_url parameter.
3. The EMS server machine can resolve and access the Windows LDAP server via its full domain name, such as harvey-w2k.cdc.tibco.com.
4. Must use Base64 encoding format certificate for ldap_tls_cacert_file parameter.
5. Must use the root certificate which signs the certificate used in Windows CA for ldap_tls_cacert_file parameter.
6. The user name used to connect EMS server by EMS client must be the "Display Name" (not the login name) of the user in Windows.
Below is the example of EMS settings to conect Windows LDAP server via SSL:
Note:
1. Windows domain name is "cdc.tibco.com"
2. Windows LDAP server machine name is "harvey-w2k"
3. Windows system admin user name is "Administrator", password is 1234
[tibemsd.conf]
# Must provide user_auth in order for the server to use LDAP
authorization = enabled
user_auth = LDAP,LOCAL
################ Sample LDAP Configuration for Microsft Active Directory
ldap_url = ldaps://harvey-w2k.cdc.tibco.com:636
ldap_principal = "CN=Administrator,CN=Users,DC=cdc,DC=tibco,DC=com"
ldap_credential = 1234
ldap_conn_type = ldaps
ldap_tls_cacert_file = D:/CA/root.cer
ldap_user_class = user
ldap_user_attribute = cn
ldap_user_filter = (&(cn=%s)(objectclass=user))
ldap_user_base_dn = "DC=cdc,DC=tibco,DC=com"
ldap_user_scope = subtree
ldap_group_base_dn = "DC=cdc,DC=tibco,DC=com"
ldap_group_scope = subtree
ldap_group_filter = "(&(cn=%s)(objectClass=group))"
ldap_static_group_class = group
ldap_static_group_attribute = cn
ldap_static_member_attribute = member
ldap_static_group_member_filter = (&(member=%s)(objectclass=group))
Issue/Introduction
When I use EMS to connect Windows LDAP server via SSL, why I always encounter the "LDAP authentication failed for user 'XXX', status = 35" error?
Feedback
Yes
No
Powered by
