LDAP authentication error

Q. I am getting this error when I test the connection to our LDAP server using IMAUTH:

Authentication Failed (SASL(-1): generic failure: unable canonify user and get auxprops

A. IMAuth makes a login attempt for =username,, where prefix is the 'Name Field' in the web interface LDAP settings (defaults to 'cn'), and is the 'Base DN' field. It appears that your LDAP server isn't able to find the username corresponding to that DN. That can happen in a couple of ways:

1. The DN doesn't exist (usually because the 'Name Field' prefix is different)

2. When using SASL authentication (more secure), some LDAP servers need to have a rule set up in their configuration to translate the DN into a username. This varies between servers, and can also vary depending on how LDAP is storing the credentials.

If it's #2, you'll need to check the documentation for your LDAP server to see whether you need to add that translation rule. Maybe the default rule is just expecting the DN in a different form; i.e. a prefix of 'user' instead of 'cn'. In that case you could just change the 'Name Field' from the web interface.

Another option is to choose 'Only when using SSL' for the 'Use Plaintext' option, instead of 'Never'. Although passwords won't be hashed or encrypted in any way, the connection they're sent over will be encrypted with SSL, which is often good enough when running on a restricted-access network.

+1 800-328-1000

[email protected]

Infrastructure Protection & Data Security

Managed Security Services

Automation

IBM i