Due to a very complex multi-domain environment we have an OpenLDAP server running, which acts as a reverse proxy for components that only allow the integration of one domain.
This has worked very well so far, but now we have come across a strange issue when a user has to change his password.
If we make an ldapbind directly with the backend DC with valid credentials, we get the error message "Invalid credentials(49)" BUT, and that's the point, we also get additional info where we can see the context error "773", which lets us know that the provided credentials were correct, but the user needs to change his password.
ldapsearch -H ldaps://SubCompanyADServer -b "dc=subcompany2,dc=local" -D "cn=Mustermann MAX,ou=Users,dc=subcompany2,DC=local" "samAccountName=mustermann" -x -w CORRECTPW
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 773, v3839
If I do the same with the OpenLDAP server, I only receive the error message "ldap_bind: Invalid credentials (49)" without further information.
ldapsearch -H ldaps://OPENLDAPSERVER -b "dc=companygroup,dc=local" -D "cn=Mustermann MAX,ou=Users,dc=subcompany2,dc=companygroup,dc=local" "samAccountName=mustermann" -x -w CORRECTPW
"ldap_bind: Invalid credentials (49)"
OpenLDAP Configuration:
Do you know a way to configure OpenLDAP to forward also the additional info?
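As an added illustration (not part of the original post or of OpenLDAP itself), this parses the "AcceptSecurityContext error, data NNN" diagnostic shown above, so a client can tell "password must be changed" (773) apart from a real bad password; the sub-code table beyond 773 is assumed from AD's well-known bind error codes, and both sample messages are constructed from the question.

```python
import re
from typing import Optional

# Constructed samples: the first is what the backend DC returned in the question,
# the second is the empty diagnostic seen through the OpenLDAP proxy.
DIRECT_DC_DIAG = ("80090308: LdapErr: DSID-0C090442, comment: "
                  "AcceptSecurityContext error, data 773, v3839")
PROXIED_DIAG = ""

# Assumed table of AD "data" sub-codes that accompany result 49 (invalidCredentials).
# Only 773 appears in the question; the others are AD's well-known values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def parse_ad_bind_subcode(diag: Optional[str]) -> Optional[str]:
    """Return the hex 'data' sub-code from an AD bind diagnostic, or None if absent."""
    match = _DATA_RE.search(diag or "")
    return match.group(1).lower() if match else None


def classify_bind_failure(result_code: int, diag: Optional[str]) -> str:
    """Map an LDAP bind result plus diagnostic text to a human-readable reason."""
    if result_code != 49:
        return f"ldap result {result_code}"
    sub = parse_ad_bind_subcode(diag)
    if sub is None:
        # The proxied case: without the sub-code a client cannot distinguish
        # "must change password" from a plain wrong password.
        return "invalid credentials (no AD sub-code available)"
    return AD_BIND_SUBCODES.get(sub, f"unknown AD sub-code {sub}")


def must_change_password(result_code: int, diag: Optional[str]) -> bool:
    """True only when AD reports result 49 with sub-code 773."""
    return result_code == 49 and parse_ad_bind_subcode(diag) == "773"
```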
Question - when putting in the password, are there special characters? If so, you may need to utilize the escape character \
--- example for the password !!P@ssword12345!!
We were trying to set up our ldapbind and ran into a similar issue with the authentication, and that proved to be our issue with the password.