Article ID: KB0088849
Description:
This error appears in the EMS server logs when a user tries to connect to the EMS server with a valid username and password defined in the Microsoft Active Directory LDAP server, and the ldap_group_base_dn in the EMS server configuration points to a wide scope, such as the DC level.
Prior to EMS 5.x, this may have caused the EMS server to stall while waiting for the search operation to complete. Since EMS 5.x, we introduced a new feature to avoid this stall: if the search takes a long time, it times out, but the authentication does not happen.
Environment:
TIBCO EMS Server 5.x
Microsoft Active Directory LDAP Server
Symptoms:
1. The user cannot connect to the EMS server and receives an “Invalid user or password” error/exception.
2. When ldap_debug logging is enabled in the EMS server, the EMS server logs show the following error sequence:
ERROR: ldap_search_ext_s failed: Operations error
ERROR: LDAP authentication failed for user 'username', status = 120
[username@hostname]: connect failed: not authorized to connect
Cause:
The current scope of the ldap_group_base_dn is too wide.
Resolution:
Change the ldap_group_base_dn to point to a narrower scope. For example, if it was pointing to the DC level, point it to the OU level, so that the search is narrower and finishes more quickly.
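As an added example (not TIBCO code), the following check flags a ldap_group_base_dn made up only of DC components and picks out the users whose status = 120 failure directly follows the search error in the log. It assumes configuration lines of the form `ldap_group_base_dn = value`; the sample configuration, log lines, DN values and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from a real server).
SAMPLE_CONF = '''\
# LDAP settings
ldap_group_base_dn = "DC=corp,DC=example,DC=com"
'''
SAMPLE_LOG = '''\
ERROR: ldap_search_ext_s failed: Operations error
ERROR: LDAP authentication failed for user 'alice', status = 120
[alice@host1]: connect failed: not authorized to connect
ERROR: LDAP authentication failed for user 'bob', status = 49
'''

def rdn_types(dn):
    """Return the lower-cased attribute type of each RDN in a DN."""
    parts = re.split(r'(?<!\\),', dn)  # split on unescaped commas only
    return [p.split('=', 1)[0].strip().lower() for p in parts if p.strip()]

def wide_group_base_dn(conf_text):
    """Return the ldap_group_base_dn value if it is DC-only, else None."""
    for line in conf_text.splitlines():
        # Commented-out lines do not match because '#' precedes the name.
        m = re.match(r'\s*ldap_group_base_dn\s*=\s*"?([^"#]+?)"?\s*$', line)
        if m:
            types = rdn_types(m.group(1))
            if types and all(t == 'dc' for t in types):
                return m.group(1)
    return None

def search_failure_users(log_text):
    """Users whose status = 120 failure directly follows the search error."""
    users, prev = [], ''
    pattern = r"LDAP authentication failed for user '([^']*)', status = 120"
    for line in log_text.splitlines():
        m = re.search(pattern, line)
        if m and 'ldap_search_ext_s failed: Operations error' in prev:
            users.append(m.group(1))
        prev = line
    return users

if __name__ == '__main__':
    print('wide base DN:', wide_group_base_dn(SAMPLE_CONF))
    print('affected users:', search_failure_users(SAMPLE_LOG))
```

A non-empty result from both functions points at the search scope rather than at the user's credentials.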
Issue/Introduction
LDAP authentication for a user with EMS server fails with “ldap_search_ext_s failed: Operations error”.