By: Tyson Mahendran user 14 Apr 2020 at 1:36 p.m. CDT

41 Responses
Cache Refresh works when the external LDAP server is enabled with anonymous access. When I disable anonymous access on the LDAP server, the cache refresh fails with the following error. I am using the community version of Gluu Server [4.1].

```
[gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:204) - Exception happened while executing cache refresh synchronization
org.gluu.persist.exception.operation.ConfigurationException: Failed to create LDAP bind connection pool! Result code: '49'
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:58) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:23) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory$Proxy$_$$WeldClientProxy.createEntryManager(Unknown Source) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnection(CacheRefreshTimer.java:1155) ~[classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnection(CacheRefreshTimer.java:1127) ~[classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnections(CacheRefreshTimer.java:1115) ~[classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.processImpl(CacheRefreshTimer.java:271) ~[classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.processInt(CacheRefreshTimer.java:199) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer$Proxy$$$WeldSubclass.processInt(Unknown Source) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.process(CacheRefreshTimer.java:183) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer$Proxy$$$_WeldSubclass.process$$super(Unknown Source) [classes/:?]
    at sun.reflect.GeneratedMethodAccessor293.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222]
    at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:51) [weld-core-impl-3.1.2.Final.jar:3.1.2.Final]
    at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:78) [weld-core-impl-3.1.2.Final.jar:3.1.2.Final]
    at org.gluu.service.cdi.async.AsynchronousInterceptor$1.get(AsynchronousInterceptor.java:36) [oxcore-service-4.1.0.Final.jar:?]
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [?:1.8.0_222]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
```

By Michael Schwartz Account Admin 14 Apr 2020 at 1:40 p.m. CDT

You have only provided 1/2 of the picture. What is the error from the backend LDAP server?

By Tyson Mahendran user 14 Apr 2020 at 1:48 p.m. CDT

What I don't understand is that the new version of Gluu Server removed the anonymous bind based on this: https://support.gluu.org/installation/7147/anonymous-ldap-binding/#at59316, but what I am seeing is the opposite behavior: when anonymous access is enabled on the backend LDAP server, the refresh works. However, when I disable anonymous access, I am getting the following error. Here is the error from oxtrust_persistence.log:

```
2020-04-14 18:02:43,628 ERROR [Thread-152] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:83) - Failed to create connection pool with properties: {maxconnections=2, useSSL=false, servers=ip:port}
com.unboundid.ldap.sdk.LDAPBindException: INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user
    at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1374) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1256) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:1197) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:1050) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:974) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:904) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:799) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.createConnectionPoolImpl(LdapConnectionProvider.java:268) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.createConnectionPoolWithWaitImpl(LdapConnectionProvider.java:238) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.init(LdapConnectionProvider.java:155) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.create(LdapConnectionProvider.java:75) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapAuthConnectionProvider.<init>(LdapAuthConnectionProvider.java:21) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:55) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:23) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory$Proxy$_$$_WeldClientProxy.createEntryManager(Unknown Source) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnection(CacheRefreshTimer.java:1155) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnection(CacheRefreshTimer.java:1127) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnections(CacheRefreshTimer.java:1115) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.processImpl(CacheRefreshTimer.java:271) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.processInt(CacheRefreshTimer.java:199) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer$Proxy$_$$_WeldSubclass.processInt(Unknown Source) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.process(CacheRefreshTimer.java:183) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer$Proxy$_$$_WeldSubclass.process$$super(Unknown Source) [classes/:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_222]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_222]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222]
    at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:51) [weld-core-impl-3.1.2.Final.jar:3.1.2.Final]
    at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:78) [weld-core-impl-3.1.2.Final.jar:3.1.2.Final]
    at org.gluu.service.cdi.async.AsynchronousInterceptor$1.get(AsynchronousInterceptor.java:36) [oxcore-service-4.1.0.Final.jar:?]
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [?:1.8.0_222]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
```

By Michael Schwartz Account Admin 14 Apr 2020 at 2:17 p.m. CDT

Same answer. Provide the error from the backend LDAP server log.

By Aliaksandr Samuseu staff 14 Apr 2020 at 2:42 p.m. CDT

Hi, Tyson. Result code 49 should mean invalid bind credentials; most likely that's your issue. Please share a dump of your CR settings. Here are the steps for an LDAP-based Gluu Server setup:

1. Move into the container.
2. Put your LDAP admin's password in `/tmp/.dpw` (it's the same as the default web UI admin's password was right after installation).
3. Dump the CR's properties:

   ```
   # /opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -Z -X -D 'cn=directory manager' -j /tmp/.dpw -b 'o=gluu' -z 5 '&(objectclass=oxtrustconfiguration)' oxTrustConfCacheRefresh
   ```

4. Share it here. You may want to remove passwords from the output.

Also, please provide the data Michael mentioned. Somewhere in your external LDAP directory there should be a log that may contain an error explaining the situation.

By Tyson Mahendran user 14 Apr 2020 at 3:50 p.m. CDT

I don't see any movement in the backend LDAP server. Here is the output from ldapsearch:

```
/opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -Z -X -D 'cn=directory manager' -w 'pass' -b 'o=gluu' -z 5 '&(objectclass=oxtrustconfiguration)' oxTrustConfCacheRefresh
dn: ou=oxtrust,ou=configuration,o=gluu
oxTrustConfCacheRefresh: {
  "sourceConfigs": [
    {
      "configId": "sandbox",
      "bindDN": "uid=admin,ou=system",
      "bindPassword": "pass",
      "servers": [ "ip:port" ],
      "maxConnections": 2,
      "useSSL": false,
      "baseDNs": [ "ou=people,o=Org" ],
      "primaryKey": null,
      "localPrimaryKey": null,
      "useAnonymousBind": false,
      "enabled": false,
      "version": 0,
      "level": 0
    }
  ],
  "inumConfig": {
    "configId": "local_inum",
    "bindDN": "cn=directory manager",
    "bindPassword": "pass",
    "servers": [ "localhost:1636" ],
    "maxConnections": 10,
    "useSSL": true,
    "baseDNs": [ "ou=cache-refresh,o=site" ],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": true,
    "version": 0,
    "level": 0
  },
  "targetConfig": {
    "configId": null,
    "bindDN": null,
    "bindPassword": null,
    "servers": [],
    "maxConnections": 2,
    "useSSL": false,
    "baseDNs": [],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": false,
    "version": 0,
    "level": 0
  },
  "ldapSearchSizeLimit": 1000,
  "keyAttributes": [ "uid" ],
  "keyObjectClasses": [ "person" ],
  "sourceAttributes": [ "uid" ],
  "customLdapFilter": "(&(uid=*)(objectclass=inetOrgPerson))",
  "updateMethod": "copy",
  "defaultInumServer": true,
  "keepExternalPerson": true,
  "useSearchLimit": true,
  "attributeMapping": [ { "source": "uid", "destination": "uid" } ],
  "snapshotFolder": "/var/gluu/identity/cr-snapshots",
  "snapshotMaxCount": 10
}
```

By Tyson Mahendran user 15 Apr 2020 at 1:42 p.m. CDT

Here is the log from the external LDAP server:

```
[15:44:48] DEBUG [org.apache.directory.api.ldap.model.schema.SyntaxChecker] - MSG_13701_SYNTAX_VALID (referral)
[15:44:48] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> BindOperation : BindContext for Dn '', credentials <>
[15:44:48] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: BindContext for Dn '', credentials <>
[15:44:48] INFO [org.apache.directory.server.core.authn.AbstractAuthenticator] - Cannot authenticate as anonymous, the server does not allow it
[15:44:48] INFO [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Unexpected failure for Authenticator org.apache.directory.server.core.authn.AnonymousAuthenticator@45099dd3 :
[15:44:48] INFO [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Cannot bind to the server
[15:44:48] DEBUG [org.apache.directory.api.ldap.model.schema.SyntaxChecker] - MSG_13701_SYNTAX_VALID (20200415194448.230Z)
[15:44:48] DEBUG [org.apache.directory.api.ldap.model.schema.SyntaxChecker] - MSG_13701_SYNTAX_VALID (20200415194448.231000Z#000000#001#000000)
[15:44:48] DEBUG [org.apache.directory.api.CODEC_LOG] - MSG_14003_ENCODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE
Message ID : 1
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : 'null'
            Diagnostic message : 'INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user : org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: ERR_229 Cannot authenticate user
    at org.apache.directory.server.core.authn.AuthenticationInterceptor.bind(AuthenticationInterceptor.java:726)
    at org.apache.directory.server.core.DefaultOperationManager.bind(DefaultOperationManager.java:510)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSimpleAuth(BindRequestHandler.java:200)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:651)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:64)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:243)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:223)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1019)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1141)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:87)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:88)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:541)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:493)
    at java.lang.Thread.run(Unknown Source)
```

By Tyson Mahendran user 15 Apr 2020 at 2:41 p.m. CDT

Please let me know if you need any more information regarding this issue. I'm eagerly waiting for a resolution to this issue. We cannot have anonymous access to our backend LDAP server. I really appreciate your support.

By Aliaksandr Samuseu staff 17 Apr 2020 at 5:17 p.m. CDT

Hi, Tyson. Please note we can't guarantee a timely answer under community support. We need to prioritize our customers first of all. I'll let you know when the dev team confirms whether this is expected behaviour or not.

By Aliaksandr Samuseu staff 20 Apr 2020 at 2:49 p.m. CDT

Hi, Tyson. Apparently, there was a bug like that, which should have been fixed in 4.1.1. You can download the patched WAR from [here](https://ox.gluu.org/maven/org/gluu/oxtrust-server/4.1.1.Final/oxtrust-server-4.1.1.Final.war); it should be compatible with your version. Stop the "identity" service in the container, back up the original `/opt/gluu/jetty/identity/webapps/identity.war` file just in case, then overwrite it with the patched WAR, and start the service.

By Tyson Mahendran user 20 Apr 2020 at 3:44 p.m. CDT

Thanks for the update. I followed your recommendation by replacing the identity.war, but I am still seeing the same issue and the same error in the logs. Any thoughts?

By Aliaksandr Samuseu staff 20 Apr 2020 at 3:52 p.m. CDT

I'm confirming with the developer whether the fix is already added to 4.1.1. Will let you know tomorrow.

By Tyson Mahendran user 20 Apr 2020 at 3:53 p.m. CDT

Thanks for the quick response

By Tyson Mahendran user 30 Apr 2020 at 3:21 p.m. CDT

Hi Aliaksandr,

Have you had a chance to confirm with the developer whether the fix is in 4.1.1? It seems like it's not part of it, based on my testing with the provided WAR file. Please confirm.

Thanks,
Tyson

By Tyson Mahendran user 05 May 2020 at 10:30 a.m. CDT

Hi, Any update?

By Mohib Zico staff 13 May 2020 at 10:20 a.m. CDT

I can confirm, it's fixed in 4.1.1.

By Tyson Mahendran user 24 Nov 2020 at 1:41 p.m. CST

Gluu Team, I've updated Gluu Server to 4.2.0 and I am still getting the same error connecting to the LDAP server without "Allow Anonymous Access". If I allow anonymous access to the external LDAP server, then the cache refresh works, but without anonymous access I am getting the following error:

```
Failed to create LDAP bind connection pool! Result code: '49 (invalid credentials)'
2020-11-24 19:38:16,550 ERROR [Thread-22384] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:204) - Exception happened while executing cache refresh synchronization
org.gluu.persist.exception.operation.ConfigurationException: Failed to create LDAP bind connection pool! Result code: '49 (invalid credentials)'
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:58) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:23) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory$Proxy$_$$_WeldClientProxy.createEntryManager(Unknown Source) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
```

Is there any solution for this?

By Michael Schwartz Account Admin 24 Nov 2020 at 1:47 p.m. CST

Try to use ldapsearch with that BindDN and password from the Gluu Server. For example:

```
# /opt/opendj/bin/ldapsearch -h your_server -p your_port -Z -X -D "your bind dn" -w your_password -b "your_base" -s base "objectclass=*"
```

Maybe the password or BindDN is not what you think it is.

By Tyson Mahendran user 24 Nov 2020 at 1:53 p.m. CST

Here is the output of the oxTrustConfCacheRefresh setting. It shows `"useAnonymousBind": false`:

```
oxTrustConfCacheRefresh: {
  "sourceConfigs": [
    {
      "configId": "sandbox",
      "bindDN": "uid=testuser,dc=example,dc=com",
      "bindPassword": "pass",
      "servers": [ "ip:port" ],
      "maxConnections": 3,
      "useSSL": false,
      "baseDNs": [ "dc=example,dc=com" ],
      "primaryKey": null,
      "localPrimaryKey": null,
      "useAnonymousBind": false,
      "enabled": false,
      "version": 0,
      "level": 0
    }
  ],
  "inumConfig": {
    "configId": "local_inum",
    "bindDN": "cn=directory manager",
    "bindPassword": "pass",
    "servers": [ "localhost:1636" ],
    "maxConnections": 10,
    "useSSL": true,
    "baseDNs": [ "ou=cache-refresh,o=site" ],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": true,
    "version": 0,
    "level": 0
  },
  "targetConfig": {
    "configId": null,
    "bindDN": null,
    "bindPassword": null,
    "servers": [],
    "maxConnections": 2,
    "useSSL": false,
    "baseDNs": [],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": false,
    "version": 0,
    "level": 0
  },
  "ldapSearchSizeLimit": 1000,
  "keyAttributes": [ "uid" ],
  "keyObjectClasses": [ "person" ],
  "sourceAttributes": [ "uid", "cn", "sn" ],
  "customLdapFilter": "(&(uid=*)(objectclass=inetOrgPerson))",
  "updateMethod": "copy",
  "defaultInumServer": true,
  "keepExternalPerson": true,
  "useSearchLimit": false,
  "attributeMapping": [
    { "source": "uid", "destination": "uid" },
    { "source": "cn", "destination": "givenName" },
    { "source": "sn", "destination": "sn" }
  ],
  "snapshotFolder": "/var/gluu/identity/cr-snapshots",
  "snapshotMaxCount": 10
}
```

By Michael Schwartz Account Admin 24 Nov 2020 at 2:01 p.m. CST

1. I would use SSL... never send bind creds over a non-TLS channel.
2. Test the bindDN and password as I suggested above.

By Tyson Mahendran user 24 Nov 2020 at 2:04 p.m. CST

```
/opt/opendj/bin/ldapsearch -h ldap_server -p port -D "uid=testuser,dc=example,dc=com" -w password -b "dc=example,dc=com" -s base "objectclass=*"
```

The above returns a result, but the following command fails with an SSL handshake error:

```
/opt/opendj/bin/ldapsearch -h ldap_server -p port -Z -X -D "uid=testuser,dc=example,dc=com" -w password -b "dc=example,dc=com" -s base "objectclass=*"
The LDAP search request failed: 81 (Server Connection Closed)
Additional Information:  An error occurred during establishment of a connection: org.forgerock.opendj.ldap.LdapException: Local Error: SSL handshake failed
```

By Michael Schwartz Account Admin 24 Nov 2020 at 2:12 p.m. CST

Right, you're not using SSL, so that makes sense. Your LDAP server doesn't listen on LDAPS?

By Tyson Mahendran user 24 Nov 2020 at 2:15 p.m. CST

I enabled SSL and was able to connect via the ldap command, but cache refresh still throws the same error:

```
[Thread-22916] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:204) - Exception happened while executing cache refresh synchronization
org.gluu.persist.exception.operation.ConfigurationException: Failed to create LDAP bind connection pool! Result code: '49 (invalid credentials)'
```

If I change to "Allow Anonymous Access", then even with SSL cache refresh works...

By Tyson Mahendran user 24 Nov 2020 at 2:18 p.m. CST

The issue is with Anonymous Access....

By Michael Schwartz Account Admin 24 Nov 2020 at 2:35 p.m. CST

Do you see the BIND error in the logs of your source LDAP server?

By Tyson Mahendran user 24 Nov 2020 at 3:10 p.m. CST

Yes, here is the error from the LDAP server:

```
[16:09:17] DEBUG [org.apache.mina.filter.ssl.SslFilter] - Session Server[23](SSL): Writing Message : MessageWriteRequest, parent : WR WrapperWriteRequest: MessageType : BIND_RESPONSE
Message ID : 1
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : 'null'
            Diagnostic message : 'INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user : org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: ERR_229 Cannot authenticate user
    at org.apache.directory.server.core.authn.AuthenticationInterceptor.bind(AuthenticationInterceptor.java:726)
    at org.apache.directory.server.core.DefaultOperationManager.bind(DefaultOperationManager.java:510)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSimpleAuth(BindRequestHandler.java:200)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:651)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:64)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:243)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:223)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1019)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1141)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:87)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:88)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:541)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:493)
    at java.base/java.lang.Thread.run(Thread.java:834)
BindRequest = MessageType : BIND_REQUEST
Message ID : 1
    BindRequest
        Version : '3'
        Name : anonymous
'
```
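The bind the source server logged (empty name, i.e. anonymous) and the ldapsearch bind test Michael suggested can both be reproduced with a small stand-alone script. This is an added example, not Gluu's or ApacheDS's code: it hand-encodes an LDAPv3 BindRequest in BER with only the Python standard library, decodes the BindResponse result code (49 is invalidCredentials), and `bind_check` sends one such bind to a host, port, DN and password that you supply as placeholders. The server reply used for the offline check is constructed, not captured.

```python
# Added example, not Gluu's or ApacheDS's code: hand-rolled BER for the LDAPv3 bind
# exchange, using only the standard library (host, port, DN, password are placeholders).
import socket
import ssl
from typing import Dict, Tuple

INVALID_CREDENTIALS = 49  # LDAP resultCode quoted throughout the thread

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(tag: int, n: int) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A): two's complement, minimal length."""
    return _tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _unwrap(msg: bytes) -> Tuple[int, int, bytes]:
    """Split an LDAPMessage into (messageID, protocolOp tag, protocolOp value)."""
    _, body, _ = _read_tlv(msg, 0)
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    return int.from_bytes(mid, "big", signed=True), tag, op

def build_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, name, [0] simple } }.
    An empty name with an empty password is the anonymous bind ApacheDS logged."""
    op = _int(0x02, 3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(0x02, msg_id) + _tlv(0x60, op))

def parse_bind_request(msg: bytes) -> Dict[str, object]:
    """Decode a BindRequest the way the server sees it (name '' means anonymous)."""
    mid, tag, op = _unwrap(msg)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _read_tlv(op, 0)  # version INTEGER, skipped
    dn = _read_tlv(op, pos)[1].decode()
    return {"message_id": mid, "name": dn, "anonymous": dn == ""}

def parse_bind_response(msg: bytes) -> Dict[str, object]:
    """Decode [APPLICATION 1] BindResponse { resultCode, matchedDN, diagnosticMessage }."""
    mid, tag, op = _unwrap(msg)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"message_id": mid, "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}

def build_bind_response(msg_id: int, code: int, diag: str) -> bytes:
    """Constructed server reply with matchedDN '', used only to exercise the parser."""
    op = _int(0x0A, code) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
    return _tlv(0x30, _int(0x02, msg_id) + _tlv(0x61, op))

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-response")
        buf += chunk
    return buf

def bind_check(host: str, port: int, bind_dn: str, password: str,
               use_ssl: bool = True, timeout: float = 5.0) -> Dict[str, object]:
    """Michael's ldapsearch bind test in code; with use_ssl the server cert is verified."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        head = _recv_exact(sock, 2)  # outer SEQUENCE tag plus first length octet
        rest = _recv_exact(sock, head[1] & 0x7F) if head[1] & 0x80 else b""
        length = int.from_bytes(rest, "big") if rest else head[1]
        return parse_bind_response(head + rest + _recv_exact(sock, length))
```

A `result_code` of 49 from `bind_check` with the CR source DN and password means the server rejected those credentials, while 49 against an empty DN and password is the "cannot authenticate as anonymous" case from the log above.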

By Mohib Zico staff 24 Nov 2020 at 10:08 p.m. CST

Hi Tyson, I _think_ the issue is with your backend LDAP server... What type of LDAP server are you using?

By Tyson Mahendran user 25 Nov 2020 at 9 a.m. CST

I am using ApacheDS

By Michael Schwartz Account Admin 25 Nov 2020 at 10:46 a.m. CST

I think he has not configured cache refresh correctly. For example, why are the primary keys wrong? It might be best to upload screenshots of all the Cache Refresh tabs. Or to re-read the documentation carefully and compare versus your config. Many, many customers are using this feature. It's one of the oldest features in Gluu. So yes... I highly doubt it's a bug in Gluu. As he is able to connect via ldapsearch, it seems more likely that he has not configured Gluu correctly.

By Mohib Zico staff 25 Nov 2020 at 10:55 a.m. CST

Yes, agreed. Your CR config screenshot would help us to understand.

By Tyson Mahendran user 25 Nov 2020 at 2:56 p.m. CST

Here are the links to the screenshots for CR. FYI: the cache refresh works fine if I allow Anonymous Access on openDS.

https://drive.google.com/file/d/18Yo4aGF9aOTqtFova1Qf7IqWLT6ADrJR/view?usp=sharing

https://drive.google.com/file/d/1hAO22jPwUJAv72GftpFuWEYNTG5sz-59/view?usp=sharing

By Tyson Mahendran user 30 Nov 2020 at 4:14 p.m. CST

Hi, Any update on this?

By Mohib Zico staff 30 Nov 2020 at 8:46 p.m. CST

Hello,

> https://drive.google.com/file/d/18Yo4aGF9aOTqtFova1Qf7IqWLT6ADrJR/view?usp=sharing

- 'Server IP Address': That's the IP address of your Gluu server, right?
- Remove all entries in the mapping section (I'll tell you why after we fix the primary issue).

> https://drive.google.com/file/d/1hAO22jPwUJAv72GftpFuWEYNTG5sz-59/view?usp=sharing

Remove that 'Custom LDAP filters' entry and just put `sn` there. Also please share a `Source backend LDAP servers` screenshot.

By Tyson Mahendran user 01 Dec 2020 at 2:37 p.m. CST

> 'Server IP Address': That's the IP_address of your Gluu server, right?

YES

> Remove all entries mapping section ( I'll tell you why after we fix primary issue )

I did remove the mapping and updated 'Custom LDAP filters' with just `sn`. Still I am getting the same error: `Failed to create LDAP bind connection pool! Result code: '49 (invalid credentials)'`. But when I test the connection from the Source Backend LDAP server tab, it comes back as successful. I have values for name, bind DN, server:port and base DN in the "Source Backend LDAP" tab.

By Michael Schwartz Account Admin 01 Dec 2020 at 2:55 p.m. CST

Yes, the mapping is useless... there is no need to map from one name to the same name. It won't help the bind error, but it's useless. The LDAP filter is also useless... because the inetOrgPerson is already specified as the objectclass, and uid is the primary key. It's probably a misconfig on the Source Backend Servers tab. Maybe the anonymous box is checked?

By Tyson Mahendran user 01 Dec 2020 at 11:20 p.m. CST

There is no anonymous box on the Source Backend Servers tab (Gluu Server 4.2.0 Final).

By Mohib Zico staff 02 Dec 2020 at 1:55 a.m. CST

@Mobarak Hosen.Shakil: can you please share your config which you tried yesterday? Might be helpful.

By Mohib Zico staff 02 Dec 2020 at 11:29 a.m. CST

Hi Tyson, a quick question... Can you please run the command below and see whether the bindPassword field is populated or not in LDAP?

```
/opt/opendj/bin/ldapsearch -h localhost -p 1636 -Z -X -D "cn=directory manager" -w <admin_password> -b 'o=gluu' 'oxTrustConfCacheRefresh=*' oxTrustConfCacheRefresh
```

By Tyson Mahendran user 02 Dec 2020 at 12:22 p.m. CST

```
oxTrustConfCacheRefresh: :{
  "sourceConfigs": [
    {
      "configId": "dev",
      "bindDN": "cn=DirectoryAdmin,ou=users,dc=dev,dc=cc",
      "bindPassword": "password",
      "servers": [ "12.12.12.12:443" ],
      "maxConnections": 2,
      "useSSL": true,
      "baseDNs": [ "organizationName=domain.com,ou=users,dc=dev,dc=cc" ],
      "primaryKey": null,
      "localPrimaryKey": null,
      "useAnonymousBind": false,
      "enabled": false,
      "version": 0,
      "level": 0
    }
  ],
  "inumConfig": {
    "configId": "local_inum",
    "bindDN": "cn=directory manager",
    "bindPassword": "password",
    "servers": [ "localhost:1636" ],
    "maxConnections": 10,
    "useSSL": true,
    "baseDNs": [ "ou=cache-refresh,o=site" ],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": true,
    "version": 0,
    "level": 0
  },
  "targetConfig": {
    "configId": null,
    "bindDN": null,
    "bindPassword": null,
    "servers": [],
    "maxConnections": 2,
    "useSSL": false,
    "baseDNs": [],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": false,
    "version": 0,
    "level": 0
  },
  "ldapSearchSizeLimit": 1000,
  "keyAttributes": [ "uid" ],
  "keyObjectClasses": [ "inetOrgPerson" ],
  "sourceAttributes": [ "memberOf", "cn", "sn", "mail", "userPassword" ],
  "customLdapFilter": "(&(uid=*)(objectclass=inetOrgPerson))",
  "updateMethod": "copy",
  "defaultInumServer": true,
  "keepExternalPerson": true,
  "useSearchLimit": false,
  "attributeMapping": [
    { "source": "uid", "destination": "uid" },
    { "source": "memberOf", "destination": "memberOf" },
    { "source": "sn", "destination": "sn" },
    { "source": "cn", "destination": "cn" },
    { "source": "userPassword", "destination": "userPassword" }
  ],
  "snapshotFolder": "/var/gluu/identity/cr-snapshots",
  "snapshotMaxCount": 10
}
```

By Mohib Zico staff 02 Dec 2020 at 8:43 p.m. CST

Thanks. Seems like `"bindPassword": "password",` is okay for you. I just configured a customer's production Cache Refresh in 4.2 and, not sure why (maybe I didn't hit update in oxTrust), I didn't have a bindPassword value in LDAP. Saving a second time (hitting update from oxTrust) populated that value.

By Tyson Mahendran user 03 Dec 2020 at 8:59 a.m. CST

So what could be wrong with my env?

By Michael Schwartz Account Admin 03 Dec 2020 at 1:42 p.m. CST

At this point, I have no idea.