IdP Connection to Active Directory

Peter Schober peter.schober at
Wed Apr 29 15:16:11 EDT 2020

* Nate Keegan <nate.keegan at> [2020-04-29 19:25]:
> our users will access a web service provided by company X, will use
> SAML/Shibboleth to login and authenticate against our Active
> Directory
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e, v1db1
> Google work shows this type of error is related to LDAP credentials

No need for Google (or other web searches), result code 49 means
"invalidCredentials", straight from the LDAP specification:

The rest of that message /may/ give some additional details, though,
you'd have to either search for those or use the MS-AD documentation.

> running tests using the same base info via ldapsearch works across
> methods - vanilla LDAP, StartTLS, LDAPS, etc.

Java seemingly behaves differently than the OS's ldapsearch.
That happens, e.g. when referrals are involved. Is the MS-AD a single
system? Or part of a larger "forest" or whatever they call it?

But start by looking up those weird codes MS-AD returned with the
invalidCredentials response. Those may or may not include more info.

> idp.authn.LDAP.authenticator = bindSearchAuthenticator

Why not use the adAuthenticator when using MS-AD?
Just wondering.

> idp.authn.LDAP.returnAttributes = employeeNumber

Don't change that. This doesn't do what you think it does.

> idp.authn.LDAP.bindDNCredential = KRSOne

A fan of old-school hip hop?

>  <!-- Remember to remove "trustFile" and "useStartTLS" if you use plain
> LDAP connection -->
>   <DataConnector
>     id="myLDAP"
>     xsi:type="LDAPDirectory"
>     ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
>     baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
>     useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
>     trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
>     principal="%{idp.attribute.resolver.LDAP.bindDN}"
>     principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">

Funny. Do you notice the comment on top that says:
  Remember to remove "trustFile" and "useStartTLS" if you use plain
  LDAP connection
That's there so that you remember to remove the lines with "trustFile"
and "useStartTLS" (still there above) if you use plain LDAP

>     <ReturnAttributes>*</ReturnAttributes>

If employeeNumber is literally the only thing this IDP will ever
return from LDAP that's where you'd put it. Then LDAP will only ever
be asked for that and nothing else.

Since you're not using any form of transport security it should be
easy to make out the difference when using ldapsearch vs using Java,
e.g. using tcpdump and then feeding that into a wireshark GUI.
You can also add more command line options to ldapsearch, e.g. -d-1
which will tell you pretty much everything tcpdump would, though not
in a form that's easily comparable with what Java does.

