LDAP fails with error 49 invalid credentials but integration key and key have been verified

Hi teams

I meet the issue same with below:

Even use simple username test, it still failed.
is anyone has experienced this issue.

[-2147483559] Session Start
[-2147483559] New request Session, context 0x00007f62b1c44838, reqType = Authentication
[-2147483559] Fiber started
[-2147483559] Creating LDAP context with uri=ldaps://n.n.n.n:636
[-2147483559] Connect to LDAP server: ldaps://n.n.n.n:636, status = Successful
[-2147483559] While getting rootDSE, LDAP server n.n.n.n returned code (53) Server is unwilling to perform
[-2147483559] This LDAP server does not support V3 protocol.
[-2147483559] Binding as ***
[-2147483559] Performing Simple authentication for *** to n.n.n.n
[-2147483559] Simple authentication for *** returned code (49) Invalid credentials
[-2147483559] Failed to bind as administrator returned code (-1) Can’t contact LDAP server
[-2147483559] Fiber exit Tx=224 bytes Rx=51 bytes, status=-2
[-2147483559] Session End

Thanks,
Saul

If this is the Cisco ASA direct connect to Duo via LDAPS configuration, where Duo performs secondary auth only, the password is the name of a Duo authentication factor (like push), not the actual user password from the identity store.

The user has to actually have a valid 2FA device of the type you specify as well. So if you type push the user must exist in Duo with a phone or tabled activated for Duo Mobile Push.

Hi thank you for your reply.
i have use the correct username and push to do the test.
but is still failed.

Thanks for testing again and the screenshots. I edited your post to remove the images because they contained identifying info unique to your organization and Duo account.

Does that user’s device show it is activated for Duo Push in the Admin Panel?

image|200

What if you create a bypass code for the user, and then do the ASA test with that bypass code as the password?

The failure message indicated that the Duo API host LDAP server would be removed. Might be worth going back into the AAA settings to make sure it’s still active before trying again. Also double-check the credentials used for the Duo LDAP AAA server (the login DN that incorporates your integration key, and the login password which is the secret key).