2014-03-12 18:18 GMT+01:00 Esben <[email protected]>:

>  Den 12-03-2014 17:42, Clément OUDOT skrev:
>
>
>
>
> 2014-03-12 17:38 GMT+01:00 Esben <[email protected]>:
>
>>  Den 12-03-2014 16:49, Clément OUDOT skrev:
>>
>> 2014-03-12 16:22 GMT+01:00 Esben <[email protected]>:
>>
>>>
>>>>>> I'm trying out LSC (2.0.4) and I'm having problems
>>>>>> connecting to my
>>>>>> Active Directory (Windows 2008 R2)
>>>>>>
>>>>>> I get the following message when trying to connect:
>>>>>>
>>>>>> ERROR - Error opening the LDAP connection to the destination!
>>>>>> (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
>>>>>> Credentials])
>>>>>>
>>>>>> I know the username password is correct. I can connect to AD via
>>>>>> ldapsearch and Apache Directory Studio with no problems. If I change
>>>>>> the
>>>>>> username or password to something incorrect, I get this message
>>>>>> instead:
>>>>>>
>>>>>> ERROR - Error opening the LDAP connection to the destination!
>>>>>> (javax.naming.AuthenticationException: [LDAP: error code 49 -
>>>>>> 80090308:
>>>>>> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data
>>>>>> 52e,
>>>>>> v1db1])
>>>>>>
>>>>>> I've tried different passwords, and both DN and UPN usernames.
>>>>>>
>>>>>> My lsc.xml contains the following AD ldap connection:
>>>>>>
>>>>>>     <ldapConnection>
>>>>>>       <name>asdf-ad</name>
>>>>>>       <url>ldap://ip/DC=asdf,DC=local</url>
>>>>>>       <username>[email protected]</username>
>>>>>>       <password>password</password>
>>>>>>       <authentication>SIMPLE</authentication>
>>>>>>       <referral>IGNORE</referral>
>>>>>>       <derefAliases>NEVER</derefAliases>
>>>>>>       <version>VERSION_3</version>
>>>>>>       <pageSize>1000</pageSize>
>>>>>>       <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>>>       <tlsActivated>false</tlsActivated>
>>>>>>     </ldapConnection>
>>>>>>
>>>>>> Am I missing something?
>>>>>>
>>>>>
>>>>>
>>>>>  UPN is not really supported, try to use the DN form in
>>>>> <username></username>
>>>>>
>>>>>  Clément.
>>>>>
>>>>>
>>>>>  As I wrote in the message, I tried the DN as well, with the same
>>>>> negative result.
>>>>>
>>>>
>>>>
>>>> Please answer to the list.
>>>>
>>>>
>>>>  If you can log in with DN and password in ldapsearch, you should be
>>>> able to do it with LSC. Do you have special characters in password? Maybe
>>>> you should check if they fit in an XML markup.
>>>>
>>>>  Clément.
>>>>
>>>>  Sorry, I was a little fast on the send button.
>>>>
>>>>  lsc.xml
>>>>
>>>>
>>>>     <ldapConnection>
>>>>       <name>asdf-ad</name>
>>>>       <url>ldap://ip/DC=asdf,DC=local</url>
>>>>        <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
>>>>
>>>>       <password>password</password>
>>>>       <authentication>SIMPLE</authentication>
>>>>       <referral>IGNORE</referral>
>>>>       <derefAliases>NEVER</derefAliases>
>>>>       <version>VERSION_3</version>
>>>>       <pageSize>1000</pageSize>
>>>>       <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>       <tlsActivated>false</tlsActivated>
>>>>     </ldapConnection>
>>>>    </connections>
>>>>
>>>> Mar 12 15:58:14 - INFO  - Connecting to LDAP server
>>>> ldap://ip/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
>>>> Mar 12 15:58:15 - ERROR - Error opening the LDAP connection to the
>>>> destination! (javax.naming.AuthenticationException: [LDAP: error code 49 -
>>>> Invalid Credentials])
>>>>
>>>> My password is really simple, consisting of only letters (a-z) and
>>>> numbers. How do I see what characters are supported?
>>>>
>>>
>>>  See
>>> https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
>>>
>>>  But letters and numbers should not be a problem.
>>>
>>>  Can you paste the working ldapsearch command?
>>>
>>>
>>> Clément.
>>>
>>>
>>>  This command works fine:
>>> ldapsearch -x -D "CN=SyncUser,CN=Users,DC=asdf,DC=local" -w PASSWORD -h
>>> IP -b "DC=asdf,DC=local"
>>>
>>> I can also connect via Apache Directory Studio, which also uses Java.
>>>
>>>
>>
>>  Well I have no idea. Try a tcpdump to find difference between the LSC
>> BIND and the ldapsearch BIND.
>>
>>
>> Clément.
>>
>>
>>  Running Wireshark I can see the exact same flow when running lsc and
>> ldapsearch:
>>
>> bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
>> bindResponse(1) success
>>
>> It just seems like LSC is not responding to the "bindResponse success"
>> command because it closes the connection afterwards. ldapsearch makes a
>> searchRequest after the bindResponse and works fine.
>>
>>
>>
>  The LDAP error message is from AD.
>
>  Do you confirm that AD is your destination directory? Could you maybe
> send the lsc.xml file with the task definition?
>
>
> I only see the following LDAP packets when LSC is connecting:
>
>
> bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
> bindResponse(1) success
>
> None of them contains "invalid credentials". Are you sure the error
> message is coming from AD?
>


It may come from the source; are the OpenLDAP credentials ok?



>
> What is the simplest possible lsc.xml file just to check if AD is working?
> I'm not at all sure that my tasks are correct, I just followed the guide on
> lsc-project.org. Here's my lsc.xml file with openldap
> url/username/password removed:
>
> <?xml version="1.0" ?>
> <lsc 
> xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="0">
>   <connections>
>     <ldapConnection>
>       <name>asdf-ldap</name>
>       <url>ldaps://openldapIP:636/dc=asdf,dc=dk</url>
>       <username></username>
>
>       <password></password>
>       <authentication>SIMPLE</authentication>
>       <referral>IGNORE</referral>
>       <derefAliases>NEVER</derefAliases>
>       <pageSize>-1</pageSize>
>       <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>       <tlsActivated>true</tlsActivated>
>     </ldapConnection>
>
>     <ldapConnection>
>       <name>asdf-ad</name>
>       <url>ldap://ip/DC=asdf,DC=local</url>
>       <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
>       <password>password</password>
>       <authentication>SIMPLE</authentication>
>       <referral>IGNORE</referral>
>       <derefAliases>NEVER</derefAliases>
>       <version>VERSION_3</version>
>       <pageSize>1000</pageSize>
>       <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>     </ldapConnection>
>   </connections>
>   <tasks>
>     <task>
>       <name>adUser</name>
>       <bean>org.lsc.beans.SimpleBean</bean>
>       <ldapSourceService>
>         <name>openldap-source-service</name>
>         <connection reference="asdf-ldap" />
>         <baseDn>ou=people,dc=asdf,dc=dk</baseDn>
>         <pivotAttributes>
>           <string>uid</string>
>         </pivotAttributes>
>         <fetchedAttributes>
>           <string>cn</string>
>           <string>description</string>
>           <string>givenName</string>
>           <string>mail</string>
>           <string>sn</string>
>           <string>uid</string>
>         </fetchedAttributes>
>
> <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter>
>
> <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
>
> <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter>
>       </ldapSourceService>
>       <ldapDestinationService>
>         <name>ad-dst-service</name>
>         <connection reference="asdf-ad" />
>         <baseDn>OU=People,DC=asdf,DC=local</baseDn>
>         <pivotAttributes>
>           <string>sAMAccountName</string>
>         </pivotAttributes>
>         <fetchedAttributes>
>           <string>cn</string>
>           <string>description</string>
>           <string>givenName</string>
>           <string>mail</string>
>           <string>objectclass</string>
>           <string>pwdLastSet</string>
>           <string>sAMAccountName</string>
>           <string>sn</string>
>           <string>userAccountControl</string>
>           <string>userPrincipalName</string>
>         </fetchedAttributes>
>         <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
>
> <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
>       </ldapDestinationService>
>       <propertiesBasedSyncOptions>
>         <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") +
> ",OU=People,DC=asdf,DC=local"</mainIdentifier>
>         <defaultDelimiter>;</defaultDelimiter>
>         <defaultPolicy>FORCE</defaultPolicy>
>         <conditions>
>           <create>true</create>
>           <update>true</update>
>           <delete>true</delete>
>           <changeId>true</changeId>
>         </conditions>
>         <dataset>
>           <name>objectclass</name>
>           <policy>KEEP</policy>
>           <createValues>
>             <string>"user"</string>
>             <string>"organizationalPerson"</string>
>             <string>"person"</string>
>             <string>"top"</string>
>           </createValues>
>         </dataset>
>         <dataset>
>          <name>sAMAccountName</name>
>          <policy>KEEP</policy>
>          <createValues>
>           <string>srcBean.getDatasetFirstValueById("uid")</string>
>          </createValues>
>         </dataset>
>         <dataset>
>          <!-- userPrincipalName = uid + "@lsc-project.org" -->
>          <name>userPrincipalName</name>
>          <policy>FORCE</policy>
>          <forceValues>
>           <string>srcBean.getDatasetFirstValueById("uid") +
> "@asdf.local"</string>
>          </forceValues>
>         </dataset>
>         <dataset>
>          <name>userAccountControl</name>
>          <policy>KEEP</policy>
>          <createValues>
>           <string>AD.userAccountControlSet( "0",
> [AD.UAC_SET_NORMAL_ACCOUNT])</string>
>          </createValues>
>         </dataset>
>       </propertiesBasedSyncOptions>
>     </task>
>   </tasks>
>   <!-- ./security This mandatory node contains the security settings used
> by LSC -->
>   <security>
>   </security>
> </lsc>
>
>


Configuration seems ok.


Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
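The thread turns on a detail of the two error messages quoted above: Active Directory normally appends its own diagnostic comment ("80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 52e, ...") to a failed simple bind, while a bare "[LDAP: error code 49 - Invalid Credentials]" carries no such comment and therefore gives no evidence of which server rejected the bind. The following Python script is an added example, not code from the thread or from the LSC project; it parses such messages and separates "AD rejected the bind, and here is why" from "result code 49 with no AD comment, so check which connection actually failed". The sub-code table holds the commonly documented AD values (525, 52e, 530, 531, 532, 533, 701, 773, 775); the two sample messages are constructed to match the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sub-codes Active Directory places in the "data NNN" field of its
# AcceptSecurityContext comment when a simple bind fails with result code 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# "[LDAP: error code 49 - ...]" as JNDI renders it inside the exception text.
_RESULT_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")
# The diagnostic comment AD appends; a plain OpenLDAP server does not emit it.
_AD_COMMENT_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


@dataclass
class BindDiagnosis:
    result_code: Optional[int]      # LDAP result code, e.g. 49
    from_active_directory: bool     # True only when the AD comment is present
    ad_subcode: Optional[str]       # e.g. "52e", lower-cased
    explanation: str


def diagnose_bind_error(message: str) -> BindDiagnosis:
    """Classify one JNDI/LSC bind-failure message by origin and cause."""
    m = _RESULT_RE.search(message)
    if m is None:
        return BindDiagnosis(None, False, None, "no LDAP result code in message")
    code, detail = int(m.group(1)), m.group(2)
    ad = _AD_COMMENT_RE.search(detail)
    if ad is not None:
        sub = ad.group(1).lower()
        meaning = AD_BIND_SUBCODES.get(sub, "unknown AD sub-code")
        return BindDiagnosis(code, True, sub,
                             f"Active Directory rejected the bind: {meaning}")
    if code == 49:
        # Generic invalidCredentials without AD's comment: the text alone does
        # not prove which server answered, so check every configured
        # connection (source and destination) before touching AD credentials.
        return BindDiagnosis(code, False, None,
                             "result code 49 without the AD diagnostic comment: "
                             "verify which connection actually failed")
    return BindDiagnosis(code, False, None,
                         f"LDAP result code {code}: {detail.strip()}")


# Constructed samples modelled on the two messages quoted in the thread.
MSG_FROM_AD = ("Error opening the LDAP connection to the destination! "
               "(javax.naming.AuthenticationException: [LDAP: error code 49 - "
               "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
               "error, data 52e, v1db1])")
MSG_GENERIC = ("Error opening the LDAP connection to the destination! "
               "(javax.naming.AuthenticationException: [LDAP: error code 49 - "
               "Invalid Credentials])")

if __name__ == "__main__":
    for msg in (MSG_FROM_AD, MSG_GENERIC):
        d = diagnose_bind_error(msg)
        print(d.result_code, d.from_active_directory, d.ad_subcode, "->", d.explanation)
```

Run over the thread's two messages, the first is attributed to AD with sub-code 52e (wrong password), while the second is flagged as lacking any AD marker, which is the observation that led to checking the OpenLDAP side of the configuration.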