IdP 3.4.3 attribute-resolver.xml LDAP DataConnector errors

Glanville, Peter C. pcglanville at
Wed Apr 10 10:32:59 EDT 2019

Well, let me back up here. 

If I leave the attribute-resolver.xml defaulted, my LDAP configuration does authenticate with my AD server and returns at least a "yes, this account exists" with the BindDN and BindDNCredential. 

However, when using the dataconnector for the attributes, there are a lot of LDAP variables that don't seem to carry over. For example: 


(Which, per Scott, I get because this is "supported" by the library but not something we should be doing. And honestly, I am planning to use some variation on OpenLDAP to disambiguate AD from this in the future, for dependency reasons.) 

But also 

idp.authn.LDAP.dnFormat (which, in this case, is being used so that my bindDN can just be sAMAccountName at instead of the complete DN.)

If this is also something that is not recommended, I totally get that and will get it going in the most generalized LDAP way I can. 

Peter Glanville
Enterprise Infrastructure Manager
Office of Information Technology
Marie V. McDemmond Center for Applied Research
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
(757) 823-8098 (Office)
(757) 823-2128 (Fax)
pcglanville at

-----Original Message-----
From: users <users-bounces at> On Behalf Of Peter Schober
Sent: Wednesday, April 10, 2019 10:22 AM
To: users at
Subject: Re: IdP 3.4.3 attribute-resolver.xml LDAP DataConnector errors


* Peter Schober <peter.schober at> [2019-04-10 16:17]:
> * Glanville, Peter C. <pcglanville at> [2019-04-10 15:50]:
> > resultCode=49 (invalid credentials), diagnosticMessage='80090308:
> >         LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext
> The actual error you're getting here means "wrong DN/password", though.
> Plus whatever details M$ adds there in the diagnosticMessage stuff.
> Did you look those up?

I failed to include one of the relevant bits when quoting above:
According to random web search results[1] the "52e" bit of the error message you got means the username/DN is valid, but the password is wrong.

So AFAICT this has nothing to do with even resolving attributes, yet.
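Added example (not from either poster, and not Shibboleth or ldaptive code): a small parser for the "resultCode=49 ... diagnosticMessage='...'" line quoted above that pulls out the AD "data" sub-code (the "52e" bit) and says what it means. The sample log line is constructed from the fragment in the thread; the "error, data 52e, v2580" tail is assumed, since the message was cut off when quoted. The table of sub-codes goes beyond the thread: only 52e is discussed here, the rest are Microsoft's documented AcceptSecurityContext data values.

```python
import re
from typing import Optional

# Constructed sample, modelled on the line quoted in the thread. The thread
# shows the text up to "AcceptSecurityContext"; the "error, data 52e, v2580"
# tail is assumed so the sample is a complete AD diagnosticMessage.
SAMPLE_LOG = (
    "resultCode=49 (invalid credentials), diagnosticMessage='80090308: "
    "LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, "
    "data 52e, v2580'"
)

# AD sub-codes carried in the "data" field of an AcceptSecurityContext error.
# 52e is the one in the thread; the others are Microsoft's documented values,
# listed here as an assumption for completeness.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "DN/username is valid but the password is wrong",
    "530": "user not permitted to log on at this time",
    "531": "user not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_RESULT_RE = re.compile(r"resultCode=(\d+)")
_DIAG_RE = re.compile(r"diagnosticMessage='([^']*)'")
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")


def parse_ldap_result(line: str) -> Optional[dict]:
    """Extract resultCode and diagnosticMessage from an ldaptive-style log line."""
    rc = _RESULT_RE.search(line)
    if not rc:
        return None
    diag = _DIAG_RE.search(line)
    return {
        "result_code": int(rc.group(1)),
        "diagnostic": diag.group(1) if diag else "",
    }


def ad_data_code(diagnostic: str) -> Optional[str]:
    """Return the three-hex-digit AD sub-code after 'data ', or None if absent."""
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def explain_bind_failure(line: str) -> str:
    """Turn a logged LDAP result into a one-line diagnosis.

    resultCode 49 comes back from the bind itself, so when it appears the
    bindDN/password pair is what failed; no search or attribute resolution
    has happened yet.
    """
    parsed = parse_ldap_result(line)
    if parsed is None:
        return "no LDAP resultCode in line"
    if parsed["result_code"] != 49:
        return f"resultCode {parsed['result_code']}: not an invalid-credentials (49) error"
    code = ad_data_code(parsed["diagnostic"])
    if code is None:
        return "resultCode 49 (invalid credentials); no AD data sub-code present"
    meaning = AD_DATA_CODES.get(code, "unknown AD sub-code")
    return f"resultCode 49 (invalid credentials), AD data {code}: {meaning}"


if __name__ == "__main__":
    print(explain_bind_failure(SAMPLE_LOG))
```

Run it against the actual line from idp-process.log (or idp-warn.log); a 52e result means the bindDN was found in AD but the BindDNCredential did not match, which is worth checking before touching the DataConnector at all.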

