E-LDAP: PT 8.55 LDAP Code Doesn't Loop Through Multiple Domains so Failover is not Working Correctly and Users Get LDAP Error Code : 49 Even Though They Typed the Correct Password
(Doc ID 2383555.1)
Last updated on SEPTEMBER 17, 2021
Applies to: PeopleSoft Enterprise PT PeopleTools - Version 8.56 and later
Information in this document applies to any platform.
LDAP authentication gives Invalid Username\password when the Network ID exists in multiple domains.
Customer Network IDs are unique by domain\username, for instance domain1\username and domain2\username. After upgrading from 8.55.11 to 8.55.21 and 8.56.06, and even to PT 8.57 tools, users whose username exists in two domains are no longer authenticated and get the error Invalid Username\password.
After tracing the code we find that when username (from domain1) logs into the system, the LDAP SEARCH code validates against username in domain2, so the user gets the error because the password for domain1\username is not the same as the password for domain2\username.
- LDAP Error Message : 80090308: LdapErr: DSID-0C090400
- LDAP Error Code : 49
The issue can be reproduced at will with the following steps:
1. Setup LDAP authentication with one map and multiple LDAP servers.
2. The user logs in with the LDAP password, but because similar LDAP user IDs exist in different locations, domain1 and domain2, with different passwords, the user from domain2 hits the domain1 LDAP server first. Instead of the code looping on and checking the domain1 server, it fails the login and exits.
This was working correctly in PT 8.55.20 or earlier.
Note: We have also seen this issue with customers who use a two-factor authentication process: the first security check fails and, because of this code change, the code does not try again to authenticate the user.
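The following is an added illustration of the failover behaviour the steps above describe; it is not PeopleTools code and does not claim to reproduce the LDAP SEARCH implementation. It models two constructed directory servers (domain1 and domain2) that both hold a user named username with different passwords, then contrasts a loop that stops at the first server returning LDAP result code 49 with one that continues to the next configured server. Server names, base DNs and passwords are constructed sample values.

```python
"""Model of LDAP authentication against several configured servers.

Added illustration, not PeopleTools code: it contrasts stopping at the first
server that returns result 49 (invalidCredentials) with continuing to the
remaining servers in the map.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # the result code reported in the symptom


@dataclass
class FakeLdapServer:
    """Minimal stand-in for one directory server (constructed sample data)."""
    name: str
    base_dn: str
    # uid -> password; constructed values, not real credentials
    accounts: dict = field(default_factory=dict)
    reachable: bool = True

    def search(self, uid: str) -> Optional[str]:
        """Return the DN of the entry with this uid, or None if absent/down."""
        if not self.reachable or uid not in self.accounts:
            return None
        return f"uid={uid},{self.base_dn}"

    def bind(self, dn: str, password: str) -> int:
        """Simple bind against the DN; returns an LDAP result code."""
        uid = dn.split(",", 1)[0].split("=", 1)[1]
        if self.accounts.get(uid) == password:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS


Result = Tuple[bool, Optional[str], Optional[int]]


def authenticate_first_match(servers: List[FakeLdapServer], uid: str,
                             password: str) -> Result:
    """Behaviour in the symptom: the first server that knows the uid decides
    the outcome, and a failed bind there ends the attempt."""
    for server in servers:
        dn = server.search(uid)
        if dn is None:
            continue
        rc = server.bind(dn, password)
        return (rc == LDAP_SUCCESS, server.name, rc)
    return (False, None, None)


def authenticate_with_failover(servers: List[FakeLdapServer], uid: str,
                               password: str) -> Result:
    """Try every configured server that has the uid; only an accepted bind
    ends the loop, so the same uid with a different password in another
    domain no longer blocks the user."""
    last_rc: Optional[int] = None
    for server in servers:
        dn = server.search(uid)
        if dn is None:
            continue
        rc = server.bind(dn, password)
        if rc == LDAP_SUCCESS:
            return (True, server.name, rc)
        last_rc = rc   # remember the failure and keep trying the rest
    return (False, None, last_rc)


# Constructed directories: same uid, different password in each domain.
SERVERS = [
    FakeLdapServer("domain1", "dc=domain1,dc=example", {"username": "pw-one"}),
    FakeLdapServer("domain2", "dc=domain2,dc=example", {"username": "pw-two"}),
]

if __name__ == "__main__":
    # A domain2 user presenting the domain2 password:
    print(authenticate_first_match(SERVERS, "username", "pw-two"))   # fails at domain1 with 49
    print(authenticate_with_failover(SERVERS, "username", "pw-two")) # succeeds at domain2
```

One operational point worth keeping in mind when a loop like this is in place: every bind attempted against a domain where the password does not match is still a failed logon for that domain's copy of the account, so the directory's bad-password counters and lockout thresholds in each domain apply to those attempts as well.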