An example to show how to use 3rd party tools to diagnose Agile PLM LDAP problem
By Jie Chen-Oracle on Jul 28, 2014
If all LDAP configuration set up correctly in Agile PLM and expected LDAP user accounts synchronized to system as well, but ldap user is still not able to logon Agile system, it may be caused by wrong setting on LDAP Server itself. This article demonstrates how to use different kinds of 3rd party tools to diagnose such LDAP authentication issue.
We usually get below error trace from Agile PLM server log, but it does not help to us because the real error message (and error code) is wrapped and customized by Agile, and invisible to external.
Login failed for user : fg3bvj Actual message : Authentication Failed. Please make sure the username and password are correct! Job was cancelled due to this error! 14/07/09 00:48:11 Authentication Failed. Please make sure the username and password are correct! Job was cancelled due to this error! 14/07/09 00:48:11 com.agile.util.exception.CMAppException: Authentication Failed. Please make sure the username and password are correct! Job was cancelled due to this error! 14/07/09 00:48:11 at com.agile.admin.ldap.DirService.getFailOverDirContext(DirService.java:300) 14/07/09 00:48:11 at com.agile.admin.ldap.DirService.checkUserAuthentication(DirService.java:1480) 14/07/09 00:48:11 at com.agile.admin.ldap.DirService.validateCredentials(DirService.java:246)
In this case, we have to use Wireshark (or tcpdump on Linux) to collect all TCP package data for troubleshooting. First, we validate if Agile hands over the right ldap user account with correct password to LDAP Server.
From above screenshot we know yes it is.
As an Acknowledge response to package 7702, the package 7703 contains the feedback of authentication from LDAP Server. And it says invalidCredentials(49) which means LDAP Server rejects the authentication internally.
LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1)
We have the error data 531 which is defined by LDAP Server vendor only. Since this is Microsoft Active Directory, we need to go to Microsoft to analyze the error code. We download the Err program from link http://www.microsoft.com/en-us/download/details.aspx?id=985 and get the error detailed explanation.
err 0x531 # for hex 0x531 / decimal 1329 : ERROR_INVALID_WORKSTATION winerror.h # Logon failure: user not allowed to log on to this computer. # 1 matches found for "0x531"
The "computer" here is not the user‘s working machine, it is the Agile Application Server machine where Agile communicates with LDAP server in back end. In this scenario, the Agile server is Linux. It could be the problem that the LDAP Server does not allow user to logon AD from a Linux machine. If go through all the AD attribute on Microsoft website http://msdn.microsoft.com/en-us/library/ms680868(v=vs.85).aspx , we get the attribute User-Workstations and it says
User-Workstations attribute Contains the NetBIOS or DNS names of the computers running Windows NT Workstation or Windows 2000 Professional from which the user can log on. Each NetBIOS name is separated by a comma. Multiple names should be separated by commas.
Again we use another tool Softera LDAP Browser to get the attributes definition of the problematic user "fg3bvj" and get below value.
Absolutely the AD Administrator prevents user from logon AD on other unauthenticated machines. Solution is to add the Agile Server linux host name to userWorkstations or remove its all the values.