000023119 - How to make LDAP sync jobs work as they did before upgrading to RSA Authentication Manager 6.1

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000023119

Applies To: RSA Authentication Manager 6.1, sasl

Issue:
How to make LDAP sync jobs work as they did before upgrading to RSA Authentication Manager 6.1
Sync jobs all show "ERROR" in job list, and test authentication to LDAP server fails as if invalid credentials were supplied
Packet traces show that LDAP server returns error: "LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece"

Cause: RSA Authentication Manager 6.1 LDAP sync now uses SASL bind by default. If the LDAP server doesn't properly support SASL, bind fails as if invalid credentials were supplied.

Resolution: To correct this issue, add a system environment variable to the RSA Authentication Manager server:

RSA_LDAP_NO_RIGID_SASL=1

Then restart Authentication Manager services. Now LDAP sync will fall back to using basic authentication if SASL bind fails.

NOTE: SASL authentication is a method of securely passing credentials over LDAP. Simple authentication submits passwords in cleartext, so be aware of the security impact of this change.

Workaround: Upgraded from RSA ACE/Server or RSA Authentication Manager 6.0 to RSA Authentication Manager 6.1

Legacy Article ID: a31359
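
The NOTE in the Resolution is the practical risk of this fallback: a simple bind carries the password as a plain octet string inside the BindRequest, while a SASL bind carries a mechanism name and mechanism-specific credentials. The following Python sketch is an added example, not RSA code; it classifies a captured BindRequest PDU (RFC 4511 BER encoding) so a packet trace can confirm which method the sync job actually used after the change. The DN, password and DIGEST-MD5 mechanism in the samples are constructed assumptions, not values from this article.

```python
# Added example: classify the bind method in a captured LDAP BindRequest (RFC 4511).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, AUTH_SIMPLE, AUTH_SASL = 0x60, 0x80, 0xA3   # [APPLICATION 0], [0], [3]

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0:                          # LDAP forbids the indefinite form (0x80)
            raise ValueError("indefinite BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message):
    """Return a dict describing the bind, or None if the PDU is not a BindRequest."""
    tag, body, _ = read_tlv(message, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)           # messageID
    tag, op, _ = read_tlv(body, pos)        # protocolOp
    if tag != BIND_REQUEST:
        return None
    _, _, pos = read_tlv(op, 0)             # version
    _, name, pos = read_tlv(op, pos)        # bind DN
    tag, auth, _ = read_tlv(op, pos)        # AuthenticationChoice
    dn = name.decode("utf-8", "replace")
    if tag == AUTH_SIMPLE:                  # the value is the password itself, unprotected
        return {"dn": dn, "method": "simple", "cleartext_password": len(auth) > 0}
    if tag == AUTH_SASL:
        _, mech, _ = read_tlv(auth, 0)      # SaslCredentials.mechanism
        return {"dn": dn, "method": "sasl", "mechanism": mech.decode("ascii", "replace")}
    raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)

def tlv(tag, value):
    """Encode one short-form (< 128 byte) BER element; only used to build the samples."""
    return bytes([tag, len(value)]) + value

# Constructed samples: one hypothetical sync account, bound both ways.
DN = b"cn=sync,dc=example,dc=com"
def bind(auth):
    return tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(BIND_REQUEST, tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, DN) + auth))
SIMPLE = bind(tlv(AUTH_SIMPLE, b"example-password"))
SASL = bind(tlv(AUTH_SASL, tlv(OCTET_STRING, b"DIGEST-MD5")))
print(classify_bind(SIMPLE), classify_bind(SASL), sep="\n")
```

A result of `method: simple` with `cleartext_password: True` on a connection that is not otherwise encrypted means the sync account's password crossed the network in the clear.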
