NetWorker: authc_config scripts/commands to modify external authority fail with LDAP error 49 data 52e
Summary: Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) is being added to the NetWorker server using the authc_config scripts. The script fails with LDAP error 49 Data 52e. This is a credential-related error; however, the LDAP bind account credentials specified are correct. ...
Symptoms
- The NetWorker authentication server (AUTHC) is installed on a Linux operating system.
- The AUTHC external authority scripts or the authc_config command are being used to integrate or update the NetWorker external authority resource.
- The script fails with an error indicating an incorrect service account password:
/opt/nsr/authc-server/scripts/authc-create-ad-config.sh
Enter password:
Error executing command. Failure: 400 Bad Request. Server message: Failed to verify configuration lab: An authentication error occurred while accessing the naming or directory service: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090421, comment: AcceptSecurityContext error, data 52e, v23f0]
NOTE: This is an LDAP bind error. Error code 49 52e indicates that the username is correct but the password is incorrect. See: NetWorker: AD/LDAP Integration Failing with Common LDAP Error Codes "LDAP: error code 49"
- The password is correct; the same credentials can be used to successfully authenticate on another system.
Cause
There is an operating system security setting preventing the password from being specified as plain text; subsequently, this impacts the AD and LDAP configuration scripts and commands. The bind account password must be specified in the authc_config command when creating or modifying the external authority resource.
Resolution
There are two options available.
Option 1:
Use the NetWorker Management Console (NMC) or NetWorker Web User Interface (NWUI) to integrate AD or LDAP with the NetWorker server:
- NetWorker: How To Set up AD/LDAP Authentication
- NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)
The user interface methods are not impacted by this symptom since no password is being specified as plain text on a shell prompt.
Option 2:
1. Confirm that the credentials are correct without using NetWorker (for example: ldapsearch).
Syntax:
ldapsearch [-V[V]] [-d debuglevel] [-n] [-v] [-c] [-u] [-t[t]] [-T path] [-F prefix] [-A] [-L[L[L]]] [-S attribute] [-b searchbase] [-s {base|one|sub|children}] [-a {never|always|search|find}] [-l timelimit] [-z sizelimit] [-f file] [-M[M]] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N] [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
Example:
ldapsearch -h dc -D "amer\Administrator" -x -W > ldap_details.txt
Enter LDAP Password: ************
A file is created containing your AD info.
NOTE:
ldapsearch is not a NetWorker command. It can be installed separately. If you choose not to use ldapsearch, validate that you can log in to another system using the same bind credentials from the authc_config script.
head ldap_details.txt
# extended LDIF
#
# LDAPv3
# base <dc=amer,dc=lan> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# amer.lan
dn: DC=amer,DC=lan
If the output file contains your AD info, then the credentials are correct.
2. Once the above has been completed, create a hidden file that contains the service account password. This file can be deleted after AUTHC external AD/LDAP authentication has been configured.
a. Using vi, create a hidden file /.sapass.txt:
vi /.sapass.txt
OPTIONAL: If you want to keep the file on the server after a password change, restrict its access. Set permissions so only root can read, write, or execute:
chmod 700 /.sapass.txt
b. Populate the default authc_config script template with the values for configuring your AD/LDAP external auth.
Location: /opt/nsr/authc-server/scripts
For more information about this script and how to populate the fields, see:
c. Add a variable to pull the information from the /.sapass.txt file and then use the variable in the script instead of specifying the password.
Example:
PASSWD=`cat /.sapass.txt`
authc_config -u administrator -e add-config \
-D "config-tenant-id=1" \
-D "config-active-directory=y" \
-D "config-name=amerad" \
-D "config-domain=amer.lan" \
-D "config-server-address=ldap://dc.amer.lan:389/DC=amer,DC=lan" \
-D "config-user-dn=CN=Administrator,CN=Users,DC=amer,DC=lan" \
-D "config-user-dn-password=$PASSWD" \
-D "config-user-search-path=CN=Users" \
-D "config-user-id-attr=sAMAccountName" \
-D "config-user-object-class=user" \
-D "config-group-search-path=CN=NetWorker Admins" \
-D "config-group-name-attr=cn" \
-D "config-group-object-class=group" \
-D "config-group-member-attr=member" \
-D "config-user-search-filter=" \
-D "config-group-search-filter=" \
-D "config-search-subtree=y" \
-D "config-user-group-attr=memberOf" \
-D "config-object-class=objectClass"
d. Run the configuration script specifying the NMC Administrator Password outside of the script. For example:
/opt/nsr/authc-server/scripts/authc-create-ad-config.sh
Enter password: ************
Configuration amerad is created successfully.
e. Confirm that the configuration was successful by running:
nsrlogin -t tenant_name -d domain-name -u ad_user_name
Example:
nsrlogin -t default -d amer.lan -u bkupadmin
130136:nsrlogin: Please enter password:
Authentication succeeded
nsrlogout
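One way to harden steps 2a and 2c, shown as an added example that is not Dell's own script: the helper names store_bind_password and load_bind_password are hypothetical, and GNU stat on the Linux AUTHC host is assumed. The file is written with owner-only permissions, is refused if group or other can access it, and a trailing carriage return that would otherwise be sent as part of the bind password is stripped.

```bash
# Added example, not Dell code: helpers for the bind-password file in step 2.
# store_bind_password and load_bind_password are hypothetical names.
CR=$(printf '\r')

# Store the password read from stdin in file $1 with owner-only permissions,
# so it never appears in argv or in shell history.
store_bind_password() {
    local pw=''
    [ -t 0 ] && { printf 'Bind password: ' >&2; stty -echo; }
    IFS= read -r pw || :          # a last line without newline still fills pw
    [ -t 0 ] && { stty echo; echo >&2; }
    [ -n "$pw" ] || { echo "no password given" >&2; return 3; }
    ( umask 077 && printf '%s\n' "$pw" > "$1" ) && chmod 600 "$1"
}

# Print the password from file $1 after checking that the file is safe to use.
load_bind_password() {
    local file="$1" mode='' pw=''
    [ -f "$file" ] && [ ! -L "$file" ] && [ -O "$file" ] ||
        { echo "$file: not a regular file owned by this user" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1    # GNU stat: octal mode bits
    case "$mode" in
        ?00) ;;                   # owner-only, e.g. 600 or the article's 700
        *) echo "$file: mode $mode lets group/other access it" >&2; return 2 ;;
    esac
    IFS= read -r pw < "$file" || :    # only the first line is the password
    pw=${pw%"$CR"}                # drop a CR left by a Windows-style editor
    [ -n "$pw" ] || { echo "$file: empty password" >&2; return 3; }
    printf '%s' "$pw"
}

# Usage in the authc_config template (step c), replacing the cat line:
#   PASSWD=$(load_bind_password /.sapass.txt) || exit 1
```
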
Affected Products
NetWorker
Products
NetWorker, NetWorker Management Console
Article Properties
Article Number: 000048325
Article Type: Solution
Last Modified: 03 Jul 2025
Version: 4