AD/LDAP Connector Login Fails Due to Incorrect LDAP_USER_BY_NAME Configuration

Knowledge Articles
1

Overview

This article addresses login failures when attempting to authenticate through an Auth0 Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) connection. The failure is indicated by the following error messages:

In the Auth0 tenant logs, a fu event (Failed Login - invalid email/username) appears:

{
  "date": "2025-04-03T21:00:12.345Z",
  "type": "fu",
  "description": "Wrong email or password.",
  "connection": "My-Connection",
  "connection_id": "con_redacted",
  "client_id": "REDACTED",
  "client_name": "My App",
  // other fields omitted
}
  • In the AD/LDAP connector log, the error Authentication attempt failed. Reason: wrong username is logged:
2025-04-03T21:00:12.345Z - debug: [2025-04-03 21:00:12] user user@example.com: Starting authentication attempt.
2025-04-03T21:00:12.345Z - debug: [2025-04-03 21:00:12] user user@example.com: Authentication attempt failed. Reason: wrong username

Applies To

  • AD/LDAP connector
  • AD/LDAP connection

Cause

The root cause of this login failure is a mismatch between the LDAP_USER_BY_NAME configuration setting in the AD/LDAP connector’s config.json file and the actual attribute name used to store the login username in the target AD/LDAP directory.

The LDAP_USER_BY_NAME setting defines the search filter used by the connector to locate a user during authentication. For example, the default value is (sAMAccountName={0}). If a user attempts to log in with the username “johndoe”, the connector searches the directory using the filter sAMAccountName=johndoe. However, if the usernames in the directory are stored under a different attribute (e.g., userPrincipalName or cn), the connector cannot find the user, resulting in the “wrong username” error, even if the entered username is correct.

See more details in the ad-ldap-connector README.md.

Solution

To resolve this issue, update the LDAP_USER_BY_NAME setting in the AD/LDAP connector’s config.json file to match the attribute used for usernames in the specific AD/LDAP directory.

  1. Identify the correct attribute name used for storing user login names in the target AD/LDAP directory (e.g., sAMAccountName, userPrincipalName, cn).
  2. Locate and open the config.json file for the affected AD/LDAP connector instance.
  3. Find the LDAP_USER_BY_NAME configuration key within the file.
  4. Modify the value of LDAP_USER_BY_NAME to use the correct attribute identified in Step 1. For example, if the correct attribute is userPrincipalName, change the setting to (userPrincipalName={0}).
  5. Save the changes to the config.json file.
  6. Restart the AD/LDAP Connector service (the Auth0 ADLDAP service in Windows).