On 12-03-2014 17:42, Clément OUDOT wrote:
>
> 2014-03-12 17:38 GMT+01:00 Esben <[email protected]>:
>
> On 12-03-2014 16:49, Clément OUDOT wrote:
>> 2014-03-12 16:22 GMT+01:00 Esben <[email protected]>:
>>
>>>>> I'm trying out LSC (2.0.4) and I'm having problems connecting to my
>>>>> Active Directory (Windows 2008 R2).
>>>>>
>>>>> I get the following message when trying to connect:
>>>>>
>>>>> ERROR - Error opening the LDAP connection to the destination!
>>>>> (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
>>>>> Credentials])
>>>>>
>>>>> I know the username/password is correct. I can connect to AD via
>>>>> ldapsearch and Apache Directory Studio with no problems. If I change the
>>>>> username or password to something incorrect, I get this message instead:
>>>>>
>>>>> ERROR - Error opening the LDAP connection to the destination!
>>>>> (javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
>>>>> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
>>>>> v1db1])
>>>>>
>>>>> I've tried different passwords, and both DN and UPN usernames.
>>>>>
>>>>> My lsc.xml contains the following AD ldap connection:
>>>>>
>>>>> <ldapConnection>
>>>>>   <name>asdf-ad</name>
>>>>>   <url>ldap://ip/DC=asdf,DC=local</url>
>>>>>   <username>[email protected]</username>
>>>>>   <password>password</password>
>>>>>   <authentication>SIMPLE</authentication>
>>>>>   <referral>IGNORE</referral>
>>>>>   <derefAliases>NEVER</derefAliases>
>>>>>   <version>VERSION_3</version>
>>>>>   <pageSize>1000</pageSize>
>>>>>   <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>>   <tlsActivated>false</tlsActivated>
>>>>> </ldapConnection>
>>>>>
>>>>> Am I missing something?
>>>>>
>>>>>
>>>>> UPN is not really supported, try to use the DN form in <username></username>
>>>>>
>>>>> Clément.
>>>>
>>>> As I wrote in the message, I tried the DN as well, with the same negative result.
>>>>
>>>>
>>>> Please answer to the list.
>>>>
>>>> If you can log in with DN and password in ldapsearch, you should be able to
>>>> do it with LSC. Do you have special characters in the password? Maybe you
>>>> should check if they fit in an XML markup.
>>>>
>>>> Clément.
>>> Sorry, I was a little fast on the send button.
>>>
>>> lsc.xml
>>>
>>> <ldapConnection>
>>>   <name>asdf-ad</name>
>>>   <url>ldap://ip/DC=asdf,DC=local</url>
>>>   <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
>>>   <password>password</password>
>>>   <authentication>SIMPLE</authentication>
>>>   <referral>IGNORE</referral>
>>>   <derefAliases>NEVER</derefAliases>
>>>   <version>VERSION_3</version>
>>>   <pageSize>1000</pageSize>
>>>   <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>   <tlsActivated>false</tlsActivated>
>>> </ldapConnection>
>>> </connections>
>>>
>>> Mar 12 15:58:14 - INFO - Connecting to LDAP server ldap://ip/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
>>> Mar 12 15:58:15 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials])
>>>
>>> My password is really simple, consisting of only letters (a-z) and numbers.
>>> How do I see what characters are supported?
>>>
>>>
>>> See
>>>
>>> https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
>>>
>>> But letters and numbers should not be a problem.
>>>
>>> Can you paste the working ldapsearch command?
>>>
>>> Clément.
>>
>> This command works fine:
>> ldapsearch -x -D "CN=SyncUser,CN=Users,DC=asdf,DC=local" -w PASSWORD -h IP -b "DC=asdf,DC=local"
>>
>> I can also connect via Apache Directory Studio, which also uses Java.
>>
>>
>> Well I have no idea. Try a tcpdump to find the difference between the
>> LSC BIND and the ldapsearch BIND.
>>
>> Clément.
>
> Running wireshark I can see the exact same flow when running lsc and ldapsearch:
>
> bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
> bindResponse(1) success
>
> It just seems like LSC is not responding to the "bindResponse success"
> command because it closes the connection afterwards. Ldapsearch makes a
> searchRequest after the bindResponse and works fine.
>
>
> The LDAP error message is from AD.
>
> Do you confirm that AD is your destination directory? Could you maybe
> send the lsc.xml file with the task definition?
I only see the following LDAP packets when LSC is connecting:

bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
bindResponse(1) success

None of them contains "invalid credentials". Are you sure the error message is coming from AD?

What is the simplest possible lsc.xml file just to check if AD is working? I'm not at all sure that my tasks are correct, I just followed the guide on lsc-project.org.

Here's my lsc.xml file with the openldap url/username/password removed:

<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="0">
  <connections>
    <ldapConnection>
      <name>asdf-ldap</name>
      <url>ldaps://openldapIP:636/dc=asdf,dc=dk</url>
      <username></username>
      <password></password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <pageSize>-1</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>true</tlsActivated>
    </ldapConnection>
    <ldapConnection>
      <name>asdf-ad</name>
      <url>ldap://ip/DC=asdf,DC=local</url>
      <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
      <password>password</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
    </ldapConnection>
  </connections>
  <tasks>
    <task>
      <name>adUser</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <ldapSourceService>
        <name>openldap-source-service</name>
        <connection reference="asdf-ldap" />
        <baseDn>ou=people,dc=asdf,dc=dk</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>description</string>
          <string>givenName</string>
          <string>mail</string>
          <string>sn</string>
          <string>uid</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
        <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter>
      </ldapSourceService>
      <ldapDestinationService>
        <name>ad-dst-service</name>
        <connection reference="asdf-ad" />
        <baseDn>OU=People,DC=asdf,DC=local</baseDn>
        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>description</string>
          <string>givenName</string>
          <string>mail</string>
          <string>objectclass</string>
          <string>pwdLastSet</string>
          <string>sAMAccountName</string>
          <string>sn</string>
          <string>userAccountControl</string>
          <string>userPrincipalName</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",OU=People,DC=asdf,DC=local"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
          <changeId>true</changeId>
        </conditions>
        <dataset>
          <name>objectclass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"user"</string>
            <string>"organizationalPerson"</string>
            <string>"person"</string>
            <string>"top"</string>
          </createValues>
        </dataset>
        <dataset>
          <name>sAMAccountName</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("uid")</string>
          </createValues>
        </dataset>
        <dataset>
          <!-- userPrincipalName = uid + "@lsc-project.org" -->
          <name>userPrincipalName</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("uid") + "@asdf.local"</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>userAccountControl</name>
          <policy>KEEP</policy>
          <createValues>
            <string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
  <!-- ./security This mandatory node contains the security settings used by LSC -->
  <security>
  </security>
</lsc>
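An added example for reading this thread, written here and not taken from the LSC project or from anyone on the list: it parses the two `javax.naming.AuthenticationException` messages quoted above to show that only the second one carries an Active Directory bind diagnostic (`data 52e`), and it lints `<ldapConnection>` blocks of the kind posted in lsc.xml for the two things the thread turns on, a UPN in `<username>` where LSC expects a DN, and a SIMPLE bind to AD over plain `ldap://` with `tlsActivated` false. The sample messages and the sample XML are constructed to match the thread (the `syncuser@asdf.local` username and `example` password are made up); the AD sub-code table is the documented AD set.

```python
"""Triage LDAP "error code 49" messages and lint LSC <ldapConnection> blocks.

Added example for the lsc-users thread; not LSC project code.  Sample data
below is constructed to mirror the messages and lsc.xml quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Sub-codes Active Directory appends after "data" in its bind diagnostics.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

ERR_RE = re.compile(r"LDAP: error code (?P<code>\d+) - (?P<rest>[^\]]*)\]")
DATA_RE = re.compile(r"\bdata (?P<data>[0-9a-f]+)")


def parse_ldap_auth_error(message):
    """Return (result_code, ad_sub_code, meaning), or None if not an LDAP error.

    ad_sub_code is None when the message has no AD-style diagnostic, which is
    the case for the bare "Invalid Credentials" message seen in the thread.
    """
    m = ERR_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    d = DATA_RE.search(m.group("rest"))
    if d is None:
        return code, None, "no AD diagnostic text; error may not originate from AD"
    sub = d.group("data")
    return code, sub, AD_BIND_DATA_CODES.get(sub, "unknown AD sub-code")


def _child_text(conn, tag):
    """Look up a child element with or without the lsc-core-2.0 namespace."""
    for name in (tag, "{http://lsc-project.org/XSD/lsc-core-2.0.xsd}" + tag):
        el = conn.find(name)
        if el is not None:
            return (el.text or "").strip()
    return ""


def lint_ldap_connection(conn):
    """Return a list of findings for one <ldapConnection> element."""
    findings = []
    user = _child_text(conn, "username")
    if "@" in user and "=" not in user:
        findings.append("username is a UPN; LSC expects the DN form")
    url = _child_text(conn, "url").lower()
    starttls = _child_text(conn, "tlsActivated").lower() == "true"
    simple = _child_text(conn, "authentication").upper() == "SIMPLE"
    if simple and not url.startswith("ldaps://") and not starttls:
        findings.append("SIMPLE bind over ldap:// without StartTLS sends the password in clear")
    return findings


def lint_config(xml_text):
    """Lint every <ldapConnection> in an lsc.xml document; returns {name: findings}."""
    root = ET.fromstring(xml_text)
    result = {}
    for conn in root.iter():
        if conn.tag.endswith("ldapConnection"):
            result[_child_text(conn, "name")] = lint_ldap_connection(conn)
    return result


# Constructed messages, copied from the two shapes quoted in the thread.
MSG_PLAIN = ("javax.naming.AuthenticationException: "
             "[LDAP: error code 49 - Invalid Credentials]")
MSG_AD = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
          "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]")

# Constructed lsc.xml fragment modelled on the thread's two connections
# (the UPN username and the password value are made up for the example).
SAMPLE_LSC_XML = """<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="0">
  <connections>
    <ldapConnection>
      <name>asdf-ldap</name>
      <url>ldaps://openldapIP:636/dc=asdf,dc=dk</url>
      <username>cn=sync,dc=asdf,dc=dk</username>
      <password>example</password>
      <authentication>SIMPLE</authentication>
      <tlsActivated>true</tlsActivated>
    </ldapConnection>
    <ldapConnection>
      <name>asdf-ad</name>
      <url>ldap://ip/DC=asdf,DC=local</url>
      <username>syncuser@asdf.local</username>
      <password>example</password>
      <authentication>SIMPLE</authentication>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
  </connections>
</lsc>
"""

if __name__ == "__main__":
    for msg in (MSG_PLAIN, MSG_AD):
        print(parse_ldap_auth_error(msg))
    for name, findings in lint_config(SAMPLE_LSC_XML).items():
        print(name, findings or ["ok"])
```

Run against the thread's messages, the first one parses to result code 49 with no AD sub-code, which is the observation the last reply makes from the capture; the second parses to 49 with `52e`. The linter only inspects the configuration file, it does not connect to any directory.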
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users