The SASL (Simple Authentication and Security Layer) DIGEST-MD5 mechanism, used in LDAP authentication, works using a shared secret. The directory server stores this secret in a database. The LDAP client obtains this shared secret from the user. Under the boards, DIGEST-MD5 on the directory server issues a challenge to the LDAP client. The client builds a response based on data in the server challenge and the secret obtained from the user and sends that response back to the server. At no time does the password appear in the communications between the client and server. The server also generates a response based on its stored secret. If the client’s response to the server’s challenge does not match what the server generated as a proper response, this error occurs.
These examples demonstrate the error that occurs when the user is successfully mapped to an FQDN that references an existing object in the directory and the password stored in the directory doesn’t match what the user specified.
To remedy, correct the password on the client or have the directory administrator change the password on the directory server and retry the failed command.