We’ve set up one of our client’s SonicWall TZ series routers to allow LDAP authentication for VPN connections. Occasionally we were getting alerts from the SonicWall with the following content:
Subject: *** Alert from SonicWALL *** [SONICWALL NAME]
12/14/2010 17:05:22.544 - Error - Remote Authentication - Bind to LDAP server failed - - Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1772
This email was generated by: SonicOS Enhanced 126.96.36.199-40o (MAC-ADDRESS-NUMBER)
Of course we’d log in and check it out: we’d hop over to the LDAP section, confirm that the user account, password, search context and so on were correct, and they were. We’d then run a test bind, and of course it would work fine. It stumped us for a few days, but we eventually figured out that the account the SonicWall was using to bind to the LDAP server was getting locked out by some other, non-SonicWall-related event. While that account was locked out the SonicWall could not perform an LDAP query, so users could not VPN in. Once the lockout period expired the SonicWall was able to query again, which explained why everything worked properly by the time we logged in to test.
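The "data 775" field at the end of the alert is the part that tells the story: it is Active Directory's AcceptSecurityContext sub-code for "account locked out", as opposed to 52e for a bad password. The following parser, an added example and not code from the post or from SonicWall, pulls that sub-code out of alert lines in the format shown above and classifies each one so a lockout of the bind account can be spotted without waiting to run a test bind; the alert lines are constructed samples, and the code table lists the commonly documented AD sub-codes.

```python
import re

# Constructed sample alerts in the SonicWall format shown in the post (not real captures).
SAMPLE_ALERTS = [
    "12/14/2010 17:05:22.544 - Error - Remote Authentication - Bind to LDAP server failed - - "
    "Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C0903AA, "
    "comment: AcceptSecurityContext error, data 775, v1772",
    "12/14/2010 17:06:10.120 - Error - Remote Authentication - Bind to LDAP server failed - - "
    "Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C0903AA, "
    "comment: AcceptSecurityContext error, data 52e, v1772",
]

# Active Directory AcceptSecurityContext sub-codes (the "data NNN" field of the LdapErr text).
# These are the commonly documented values AD returns on a failed simple bind.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Timestamp, severity and message come from the SonicWall prefix; the sub-code from the AD text.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<sev>\w+) - Remote Authentication - (?P<msg>.+?) - - "
    r".*?AcceptSecurityContext error, data (?P<data>[0-9a-f]+)"
)


def parse_alert(line):
    """Return a dict describing one alert line, or None if it is not a bind-failure alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "timestamp": m.group("ts"),
        "severity": m.group("sev"),
        "message": m.group("msg"),
        "data": data,
        "cause": AD_BIND_DATA_CODES.get(data, "unknown sub-code"),
    }


def lockout_alerts(lines):
    """Only the alerts where the bind account itself was locked out (sub-code 775)."""
    return [a for a in map(parse_alert, lines) if a and a["data"] == "775"]
```

A 775 here means the configured password is fine and the account was locked by something other than the firewall, so the thing to chase is the lockout source, not the LDAP settings. Alerting specifically on this code from the bind account is also worth doing if you exempt that account from the lockout policy, since a strong password then becomes its only protection against guessing.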
The moral of the story? Make sure that the account you are using for LDAP on the SonicWall isn’t used for anything else, so that the chance of someone locking out the service account is low, or remove its lockout policy and apply a very strong password.