NetWorker: authc_config scripts/commands to modify external authority fail with LDAP error 49 data 52e

Summary: Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) is being added to the NetWorker server using the authc_config scripts. The script fails with LDAP error 49 Data 52e. This is a credential-related error; however, the LDAP bind account credentials specified are correct. ...


Symptoms

  • The NetWorker authentication server (AUTHC) is installed on a Linux operating system.
  • The AUTHC external authority scripts or authc_config command is being used to integrate or update the NetWorker external authority resource.
  • The script fails with an error that indicates an incorrect service account password:
/opt/nsr/authc-server/scripts/authc-create-ad-config.sh
Enter password:
Error executing command. Failure: 400 Bad Request. Server message: Failed to verify configuration lab: An authentication error occurred while accessing the naming or directory service: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090421, comment: AcceptSecurityContext error, data 52e, v23f0]
NOTE: This is an LDAP bind error. Error code 49 with data 52e indicates that the username is correct but the password is incorrect. See: NetWorker: AD/LDAP Integration Failing with Common LDAP Error Codes "LDAP: error code 49"
  • The password is correct; the same credentials can be used to successfully authenticate on another system.

Cause

There is an operating system security setting preventing the password from being specified as plain text; subsequently, this impacts the AD and LDAP configuration scripts and commands. The bind account password must be specified in the authc_config command when creating or modifying the external authority resource.

Resolution

There are two options available.

Option 1:

Use the NetWorker Management Console (NMC) or NetWorker Web User Interface (NWUI) to integrate AD or LDAP with the NetWorker server.

The user interface methods are not impacted by this symptom since no password is being specified as plain text on a shell prompt.


Option 2:

1. Confirm that the credentials are correct without using NetWorker (for example: ldapsearch).

Syntax:

ldapsearch [-V[V]] [-d debuglevel] [-n] [-v] [-c] [-u] [-t[t]] [-T path] [-F prefix] [-A] [-L[L[L]]] [-S attribute] [-b searchbase] [-s {base|one|sub|children}] [-a {never|always|search|find}] [-l timelimit] [-z sizelimit] [-f file] [-M[M]] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N] [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

Example:

ldapsearch -h dc -D "amer\Administrator" -x -W > ldap_details.txt
Enter LDAP Password: ************
A file is created containing your AD info.
NOTE:  ldapsearch is not a NetWorker command. It can be installed separately. If you choose not to use ldapsearch, validate that you can log in to another system using the same bind credentials from the authc_config script.
head ldap_details.txt
# extended LDIF
#
# LDAPv3
# base <dc=amer,dc=lan> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# amer.lan
dn: DC=amer,DC=lan
If the output file contains your AD info, then the credentials are correct. 

2. Once the above has been completed, create a hidden file that contains the service account password. This file can be deleted after AUTHC external AD/LDAP authentication has been configured.
a. Using vi create a hidden file /.sapass.txt:
vi /.sapass.txt

OPTIONAL: If you want to keep the file on the server after a password change, restrict its access. Set permissions so only root can read, write, or execute:
chmod 700 /.sapass.txt

b. Populate the default authc_config script template with the values for configuring your AD/LDAP external auth.
Location: /opt/nsr/authc-server/scripts
For more information about this script and how to populate the fields, see: 

c. Add a variable to pull the information from the /.sapass.txt file and then use the variable in the script instead of specifying the password.
Example:
PASSWD=`cat /.sapass.txt`

authc_config -u administrator  -e add-config \
-D "config-tenant-id=1" \
-D "config-active-directory=y" \
-D "config-name=amerad" \
-D "config-domain=amer.lan" \
-D "config-server-address=ldap://dc.amer.lan:389/DC=amer,DC=lan" \
-D "config-user-dn=CN=Administrator,CN=Users,DC=amer,DC=lan" \
-D "config-user-dn-password=$PASSWD" \
-D "config-user-search-path=CN=Users" \
-D "config-user-id-attr=sAMAccountName" \
-D "config-user-object-class=user" \
-D "config-group-search-path=CN=NetWorker Admins" \
-D "config-group-name-attr=cn" \
-D "config-group-object-class=group" \
-D "config-group-member-attr=member" \
-D "config-user-search-filter=" \
-D "config-group-search-filter=" \
-D "config-search-subtree=y" \
-D "config-user-group-attr=memberOf" \
-D "config-object-class=objectClass"
d. Run the configuration script specifying the NMC Administrator Password outside of the script. For example:
/opt/nsr/authc-server/scripts/authc-create-ad-config.sh
Enter password: ************
Configuration amerad is created successfully.
e. Confirm that the configuration was successful by running:
nsrlogin -t tenant_name -d domain-name -u ad_user_name

Example:
nsrlogin -t default -d amer.lan -u bkupadmin
130136:nsrlogin: Please enter password:
Authentication succeeded

nsrlogout
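
A hardened variant of steps 2a and 2c, as an added example that is not part of the Dell article or of NetWorker: it creates the password file owner-only from the start and checks the file before its content is used as the bind password. The function names save_bind_password and read_bind_password are hypothetical.

```shell
#!/bin/sh
# Added example, not Dell code. Function names are hypothetical.

# save_bind_password FILE: read one line from stdin (echo off on a terminal)
# and store it in FILE, created so only the owner can read it.
save_bind_password() {
    rc=0
    [ -t 0 ] && stty -echo
    IFS= read -r secret || [ -n "$secret" ] || rc=1
    [ -t 0 ] && stty echo
    [ "$rc" -eq 0 ] && [ -n "$secret" ] || return 1
    rm -f -- "$1"                 # a pre-existing file would keep its old mode
    ( umask 077; printf '%s\n' "$secret" > "$1" )
    rc=$?
    unset secret
    return "$rc"
}

# read_bind_password FILE: print the password, or fail with a reason on stderr.
read_bind_password() {
    f=$1
    pw=
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2; return 1
    fi
    if [ ! -O "$f" ]; then
        echo "refusing $f: not owned by the current user" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
        echo "refusing $f: accessible by group or others" >&2; return 1
    fi
    # First line only; keep the value even if the final newline is missing.
    IFS= read -r pw < "$f" || :
    # A carriage return left by a Windows editor would be sent as part of
    # the password and fail the bind, so drop it.
    pw=${pw%"$(printf '\r')"}
    [ -n "$pw" ] || { echo "refusing $f: empty" >&2; return 1; }
    printf '%s' "$pw"
}
```

In the script template, `PASSWD=$(read_bind_password /.sapass.txt) || exit 1` takes the place of the `cat` line. The expanded value is still passed to authc_config as a command-line argument, so it is visible in the process list while the command runs.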


Affected Products

NetWorker

Products

NetWorker, NetWorker Management Console
Article Properties
Article Number: 000048325
Article Type: Solution
Last Modified: 03 Jul 2025
Version:  4