Trouble authenticating active directory access account via LDAP request

Jason Wandel May 27, 2012

Hi all,

I'm trying to set up our Bamboo 4.0.1 instance to access our Active Directory server to create user accounts and then authenticate them. The computer that is running Bamboo is on the same subnet as the Domain Controller, and for pretty much every network access to it we simply just use the server name. I've tried using this, and tried using the DC=network,DC=local values everywhere, both with and without the server name as an additional DC.

I'm using the AD username and password that our IT department supplied. When I use the JXplorer tool it authenticates just fine (I can see the AD setup), but when I use the Paddle tool, I get the following output:

################################################################################
###########################################

LDAP Support Tool version 2.0

################################################################################
###########################################

Failed to connect to LDAP server: Username or password is incorrect. Please check them again.
com.atlassian.paddle.connection.ConnectionException: Username or password is incorrect. Please check them again.
at com.atlassian.paddle.connection.DefaultConnectionFactory.createFriendlyLdapException(DefaultConnectionFactory.java:43)
at com.atlassian.paddle.connection.DefaultConnectionFactory.createConnection(DefaultConnectionFactory.java:34)
at com.atlassian.paddle.task.DefaultTaskRunner.runTask(DefaultTaskRunner.java:33)
at com.atlassian.paddle.Paddle.main(Paddle.java:64)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at com.atlassian.paddle.connection.DefaultConnectionFactory.createConnection(DefaultConnectionFactory.java:27)
... 2 more

I'm fairly sure that I've got the atlassian-user.xml set up correctly, but our IT dept is unfamiliar with Bamboo and I'm unfamiliar with LDAP as well as being reasonably new to Bamboo. I have done a lot of reading over the last few days, but unfortunately haven't found anything other than that AD requires some form of ou entry but I'm not sure where to put that or what to use (I'm guessing I'd have to get that last bit from the IT dept???)

I've attached the atlassian-user.xml file (had to re-name it since wouldn't allow me to attach with .xml extension) as I've currently got it constructed - though I've blanked out the server name, access username and password for security reasons ;-) .

I'd be grateful for an assist if there's something obvious like missing dc or ou entries.

TIA,

Jason [SolveIT Software] (atlassian-user.xml.txt)

2 answers

1 accepted

13 votes
Answer accepted
NA March 7, 2013

Specifying principal in the form username@fulladdomain worked for me.

-Xavier.

Ishaq Khan October 2, 2017

Applying principal in the form username@fulladdomain worked for me as well.

Mehboob Khan November 21, 2017

worked for me, applying principle as test@test.com

Yash Patel January 25, 2018

Hi Can you tell me what do you mean by applying principal. I am having the same problem.

Like Wall Tearer likes this
Ryan Farran December 13, 2019

This worked for me too. 

I changed code from...

env.put(Context.SECURITY_PRINCIPAL, enteredUsername);

To...

env.put(Context.SECURITY_PRINCIPAL, enteredUsername + "@companydomain.com");

And it worked great for me! Also just in case it helps anyone, here is my function to authenticate users on Active Directory...

private boolean authenticateUserInActiveDirectory(String enteredUsername, String enteredPassword) {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://x.x.x.x:389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, enteredUsername + "@companydomain.com");
env.put(Context.SECURITY_CREDENTIALS, enteredPassword);
env.put(Context.REFERRAL, "follow");
DirContext ctx = null;
try {
ctx = new InitialDirContext(env);
} catch (javax.naming.AuthenticationException e) {
e.printStackTrace();
} catch (javax.naming.NamingException e) {
e.printStackTrace();
}
if (ctx != null) {
System.out.println("Username and Password matches in AD.");
}
return ctx != null;
}

 Be sure to replace x.x.x.x with the proper IP address and companydomain with the proper domain name

Dale Moore March 1, 2020

This worked for me for another LDAP Import, for importing into Insight.

Thanks.

1 vote
Septa Cahyadiputra
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 27, 2012

Hi Jason,

As describe on this knowledge base:

The cause of the issue seems to be "invalid credential". However it is weird that you are able to access it successfully using your JXplorer tool but not with Bamboo, especially if the configuration is identical.

The only reason that I could think of, Bamboo might refer to a duplicate user located on another tree which of course use a different credential. Could you please try to use FQDN (Fully Qualified Domain Name) and see if the problem persist.

Hope it helps.

Cheers,
Septa Cahyadiputra

Jason Wandel May 27, 2012

FQDN doesn't work, changing dc's to "dc=<server>,dc=<network>,dc=local" doesn't work, regardless of whether I fully qualify the server name in the host tag.

Septa Cahyadiputra
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 27, 2012

So changing the username to bind the LDAP server to FQDN does not work. That's weird since the ERROR code is very specific (LDAP: error code 49: Data 52e = incorrect credential).

Could you please double check the credential again

Jason Wandel May 31, 2012

The FQDN I was supplied initially was incorrect, there did need to be an ou entry... changing the access to "ou=<server>,dc=<network>,dc=local" solved the problem.

Septa Cahyadiputra
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 31, 2012

Great to hear that you found the cause of your issue.

Cheers.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events