Re: Help needed chaining to active directory for authentication - not quite there yet
One thing that stopped working since I introduced the new directives which fixed the authentication problem is being able to peruse the directories using Apache Directory Studio. I can still see the AD branches but when I try to look at them I get an error which in the server logs is reported as
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, v1db1>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
So I must still be missing something in my configuration.
>On 09/11/11 19:34 +0000, Gabriella Turek wrote:
>>The way I got it to work (by pure chance mind you, I just happened on a
>>blog entry somewhere) was to add this entry to the slapd.config file:
>># Configure slapd-ldap back end to connect to AD
>>suffix "ou=user accounts,dc=niwa,dc=local"
>>Nowhere in any documentation did I see this mentioned, and yet it worked.
>>So I don't know what to think.
>>On 10/11/11 6:37 AM, "Dan White" <firstname.lastname@example.org> wrote:
>>>On 07/11/11 21:57 +0000, Gabriella Turek wrote:
>>>>Hello, I've set up an openLDAP server (2.4.23) which chains to an
>>>>Active Directory (2008). I can successfully search for users, it will
>>>>find them in Active Directory if they are not in openLDAP, but I
>>>>authenticate the Active Directory users.
>>>>The error is "Invalid credentials (49)"
>>>>Everything is currently configured with clear text
>>>>ldapSearch works fine when pointed directly to the Active Directory.
>>>>The chaining configuration in the slapd.conf is:
>>>> binddn="cn=SDT Tester,ou=NIWA Staff
>>>>Accounts,ou=User Accounts, dc=niwa,dc=local"
>>>Does mode="none" work? If my reading of slapd-ldap(5) is correct, with
>>>config other than 'none', slapd will attempt to assert the proxyAuthz
>>>I checked our local AD server (2003) and it does not appear to support
>>>ldapsearch -LLL -x -H ldap://<AD.ip> -s "base" -b "" supportedControl
>>>proxyAuthz control == 2.16.840.1.113730.3.4.18 (RFC 4370)
>Ph 918.366.0248 (direct) main: (918)366-8000
>Fax 918.366.6610 email: email@example.com
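
The supportedControl check Dan White describes above, as an added example that is not part of the original thread: it parses root DSE output from the quoted `ldapsearch` command (handling LDIF line folding and base64 values) and reports whether the backend advertises the RFC 4370 proxyAuthz control. The sample output and the function names are constructed for illustration.

```python
import base64

# OID of the Proxied Authorization control defined in RFC 4370.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

# Constructed sample of `ldapsearch -LLL -x -s base -b "" supportedControl`
# output. The OIDs are illustrative and not taken from the thread.
SAMPLE_ROOT_DSE = (
    "dn:\n"
    "supportedControl: 1.2.840.113556.1.4.319\n"
    "supportedControl: 1.2.840.113556.1.4.801\n"
    "supportedControl: 1.2.840.113556.1.4.\n"
    " 473\n"  # folded continuation line
    "supportedControl:: "
    + base64.b64encode(b"1.2.840.113556.1.4.528").decode()
    + "\n"
)


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading single space continues a line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def supported_controls(ldif_text):
    """Return the set of control OIDs listed in a root DSE LDIF dump."""
    oids = set()
    for line in unfold(ldif_text):
        if line.startswith("#") or ":" not in line:
            continue  # skip comments and blank separators
        attr, _, rest = line.partition(":")
        if attr.strip().lower() != "supportedcontrol":
            continue
        if rest.startswith(":"):  # "attr:: value" marks a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        oids.add(value)
    return oids


def advertises_proxy_authz(ldif_text):
    """True if the server lists the RFC 4370 proxyAuthz control."""
    return PROXY_AUTHZ_OID in supported_controls(ldif_text)
```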