Sending BindResponse invalid credentials

Hi Guys,

Well, I am in the process of setting up PrivacyIdea with an LDAP proxy and AD. Currently I have PrivacyIdea talking to the AD. I also have the LDAPProxy set up and can connect to it using LDP.exe, and I look to be making requests to AD. I can get user attributes returned.

LDP.EXE ==> LDAPProxy ==> AD
LDP.EXE ==> LDAPProxy ==> PrivacyIDEA ==> AD

The issue I am having is that I keep getting [pi_ldapproxy.proxy#info] sending BindResponse “invalid Credentials”: failed to authenticate.
Followed by
[twisted.web.client._http11clientfactory@info] stopping factory …

I am not sure what this means and what the invalid credentials are for. Is this the response from the PrivacyIdea or is this what LDAPproxy is sending to the LDP.exe client?

What credentials are being checked?
What credentials am I meant to be putting in the LDP.exe bind? Is it just the password, or should I be using a password OTP combination?

Run down on LDAP config file

endpoint = tcp:host=

password =“Password” (Have tried this with and without quotes)

endpoint = tcp:port=389

allow-search = true

strategy = Loopup
attribute = sAMAccount Name

strategy = static

everything else is default

If I test the resolver I get all the expected accounts, and I have created the realm with the resolver attached.

Thanks in advance for any help.


The LDAP proxy sends a BindResponse “Invalid Credentials” back to the LDAP client, in your case LDP.EXE.

It could be the service account and it could be an authentication request that is handled in privacyIDEA.

Check the log of your LDAP server (if it exists) and the audit log of privacyIDEA. Then you will know which authentication fails.