I'm trying out LSC (2.0.4) and I'm having
                        problems connecting to my
                        Active Directory (Windows 2008 R2)

                        I get the following message when trying to
                        connect:

                        ERROR - Error opening the LDAP connection
                        to the destination!
                        (javax.naming.AuthenticationException:
                        [LDAP: error code 49 - Invalid
                        Credentials])

                        I know the username/password is correct. I
                        can connect to AD via
                        ldapsearch and Apache Directory Studio
                        with no problems. If I change the
                        username or password to something
                        incorrect, I get this message instead:

                        ERROR - Error opening the LDAP connection
                        to the destination!
                        (javax.naming.AuthenticationException:
                        [LDAP: error code 49 - 80090308:
                        LdapErr: DSID-0C0903A9, comment:
                        AcceptSecurityContext error, data 52e,
                        v1db1])

                        I've tried different passwords, and both
                        DN and UPN usernames.

                        My lsc.xml contains the following AD ldap
                        connection:

                        <ldapConnection>
                        <name>asdf-ad</name>
                        <url>ldap://ip/DC=asdf,DC=local</url>
                        <username>[email protected]</username>
                        <password>password</password>
                        <authentication>SIMPLE</authentication>
                        <referral>IGNORE</referral>
                        <derefAliases>NEVER</derefAliases>
                        <version>VERSION_3</version>
                        <pageSize>1000</pageSize>
                        <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
                        <tlsActivated>false</tlsActivated>
                        </ldapConnection>

                        Am I missing something?



                    UPN is not really supported, try to use the DN
                    form in <username></username>

                    Clément.

                    As I wrote in the message, I tried the DN as
                    well, with the same negative result.



                Please answer to the list.


                If you can log in with DN and password in
                ldapsearch, you should be able to do it with LSC.
                Do you have special characters in password? Maybe
                you should check if they fit in an XML markup.

                Clément.
                Sorry, I was a little fast on the send button.

                lsc.xml


                <ldapConnection>
                <name>asdf-ad</name>
                      <url>ldap://ip/DC=asdf,DC=local</url>
                <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>


                <password>password</password>
                <authentication>SIMPLE</authentication>
                <referral>IGNORE</referral>
                <derefAliases>NEVER</derefAliases>
                <version>VERSION_3</version>
                <pageSize>1000</pageSize>
                <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
                <tlsActivated>false</tlsActivated>
                </ldapConnection>
                  </connections>

                Mar 12 15:58:14 - INFO  - Connecting to LDAP server
                ldap://ip/DC=asdf,DC=local as
                CN=SyncUser,CN=Users,DC=asdf,DC=local
                Mar 12 15:58:15 - ERROR - Error opening the LDAP
                connection to the destination!
                (javax.naming.AuthenticationException: [LDAP: error
                code 49 - Invalid Credentials])

                My password is really simple, consisting of only
                letters (a-z) and numbers. How do I see what
                characters are supported?


            See
            https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

            But letters and numbers should not be a problem.

            Can you paste the working ldapsearch command?


            Clément.

            This command works fine:
            ldapsearch -x -D "CN=SyncUser,CN=Users,DC=asdf,DC=local"
            -w PASSWORD -h IP -b "DC=asdf,DC=local"

            I can also connect via Apache Directory Studio, which
            also uses Java.



        Well, I have no idea. Try a tcpdump to find the difference between
        the LSC BIND and the ldapsearch BIND.


        Clément.

        Running Wireshark I can see the exact same flow when running
        LSC and ldapsearch:

        bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
        bindResponse(1) success

        It just seems like LSC is not responding to the "bindResponse
        success" command because it closes the connection afterwards.
        ldapsearch makes a searchRequest after the bindResponse and
        works fine.



    The LDAP error message is from AD.

    Do you confirm that AD is your destination directory? Could you
    maybe send the lsc.xml file with the task definition?

    I only see the following LDAP packets when LSC is connecting:


    bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
    bindResponse(1) success

    None of them contains "invalid credentials". Are you sure the error
    message is coming from the AD?



It may come from the source; are the OpenLDAP credentials OK?


LSC reports no OpenLDAP errors. Here is LSC's debug output:

Mar 13 19:53:39 - INFO - Connecting to LDAP server ldap://<ad-ip>/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
Mar 13 19:53:39 - INFO - Connecting to LDAP server ldaps://<openldap>:636/dc=asdf,dc=dk as cn=admin,dc=asdf,dc=dk
Mar 13 19:53:40 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials])
Mar 13 19:53:40 - ERROR - org.lsc.exception.LscConfigurationException: java.lang.reflect.InvocationTargetException
Mar 13 19:53:40 - DEBUG - org.lsc.exception.LscConfigurationException: java.lang.reflect.InvocationTargetException
org.lsc.exception.LscConfigurationException: java.lang.reflect.InvocationTargetException
        at org.lsc.Task.<init>(Task.java:127) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.SimpleSynchronize.init(SimpleSynchronize.java:103) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:146) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.Launcher.run(Launcher.java:224) [lsc-core-2.0.4.jar:na]
        at org.lsc.Launcher.launch(Launcher.java:159) [lsc-core-2.0.4.jar:na]
        at org.lsc.Launcher.main(Launcher.java:142) [lsc-core-2.0.4.jar:na]
Caused by: java.lang.reflect.InvocationTargetException: null
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.7.0_51]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) ~[na:1.7.0_51]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.7.0_51]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526) ~[na:1.7.0_51]
        at org.lsc.Task.<init>(Task.java:120) ~[lsc-core-2.0.4.jar:na]
        ... 5 common frames omitted
Caused by: java.lang.RuntimeException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
        at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:460) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.jndi.AbstractSimpleJndiService.<init>(AbstractSimpleJndiService.java:175) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.jndi.SimpleJndiSrcService.<init>(SimpleJndiSrcService.java:116) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.jndi.PullableJndiSrcService.<init>(PullableJndiSrcService.java:108) ~[lsc-core-2.0.4.jar:na]
        ... 10 common frames omitted
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) ~[na:1.7.0_51]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) ~[na:1.7.0_51]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) ~[na:1.7.0_51]
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[na:1.7.0_51]
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) ~[na:1.7.0_51]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) ~[na:1.7.0_51]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) ~[na:1.7.0_51]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[na:1.7.0_51]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[na:1.7.0_51]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.7.0_51]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) ~[na:1.7.0_51]
        at javax.naming.InitialContext.init(InitialContext.java:242) ~[na:1.7.0_51]
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) ~[na:1.7.0_51]
        at org.lsc.jndi.JndiServices.initConnection(JndiServices.java:210) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.jndi.JndiServices.<init>(JndiServices.java:164) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:321) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:306) ~[lsc-core-2.0.4.jar:na]
        at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:457) ~[lsc-core-2.0.4.jar:na]
        ... 13 common frames omitted




    What is the simplest possible lsc.xml file just to check if AD is
    working? I'm not at all sure that my tasks are correct; I just
    followed the guide on lsc-project.org.
    Here's my lsc.xml file with the OpenLDAP url/username/password removed:

    <?xml version="1.0" ?>
    <lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="0">
       <connections>
         <ldapConnection>
           <name>asdf-ldap</name>
           <url>ldaps://openldapIP:636/dc=asdf,dc=dk</url>
           <username></username>

           <password></password>
           <authentication>SIMPLE</authentication>
           <referral>IGNORE</referral>
           <derefAliases>NEVER</derefAliases>
           <pageSize>-1</pageSize>
    <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
           <tlsActivated>true</tlsActivated>
         </ldapConnection>

         <ldapConnection>
           <name>asdf-ad</name>
           <url>ldap://ip/DC=asdf,DC=local</url>
    <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
           <password>password</password>
           <authentication>SIMPLE</authentication>
           <referral>IGNORE</referral>
           <derefAliases>NEVER</derefAliases>
           <version>VERSION_3</version>
           <pageSize>1000</pageSize>
    <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
         </ldapConnection>
       </connections>
       <tasks>
         <task>
           <name>adUser</name>
           <bean>org.lsc.beans.SimpleBean</bean>
           <ldapSourceService>
             <name>openldap-source-service</name>
             <connection reference="asdf-ldap" />
             <baseDn>ou=people,dc=asdf,dc=dk</baseDn>
             <pivotAttributes>
               <string>uid</string>
             </pivotAttributes>
             <fetchedAttributes>
               <string>cn</string>
               <string>description</string>
               <string>givenName</string>
               <string>mail</string>
               <string>sn</string>
               <string>uid</string>
             </fetchedAttributes>
    <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter>
    
<getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
    
<cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter>
           </ldapSourceService>
           <ldapDestinationService>
             <name>ad-dst-service</name>
             <connection reference="asdf-ad" />
             <baseDn>OU=People,DC=asdf,DC=local</baseDn>
             <pivotAttributes>
               <string>sAMAccountName</string>
             </pivotAttributes>
             <fetchedAttributes>
               <string>cn</string>
               <string>description</string>
               <string>givenName</string>
               <string>mail</string>
               <string>objectclass</string>
               <string>pwdLastSet</string>
               <string>sAMAccountName</string>
               <string>sn</string>
               <string>userAccountControl</string>
               <string>userPrincipalName</string>
             </fetchedAttributes>
    <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
    
<getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
           </ldapDestinationService>
           <propertiesBasedSyncOptions>
             <mainIdentifier>"cn=" +
    srcBean.getDatasetFirstValueById("cn") +
    ",OU=People,DC=asdf,DC=local"</mainIdentifier>
             <defaultDelimiter>;</defaultDelimiter>
             <defaultPolicy>FORCE</defaultPolicy>
             <conditions>
               <create>true</create>
               <update>true</update>
               <delete>true</delete>
               <changeId>true</changeId>
             </conditions>
             <dataset>
               <name>objectclass</name>
               <policy>KEEP</policy>
               <createValues>
                 <string>"user"</string>
                 <string>"organizationalPerson"</string>
                 <string>"person"</string>
                 <string>"top"</string>
               </createValues>
             </dataset>
             <dataset>
              <name>sAMAccountName</name>
              <policy>KEEP</policy>
              <createValues>
    <string>srcBean.getDatasetFirstValueById("uid")</string>
              </createValues>
             </dataset>
             <dataset>
              <!-- userPrincipalName = uid + "@lsc-project.org" -->
              <name>userPrincipalName</name>
              <policy>FORCE</policy>
              <forceValues>
               <string>srcBean.getDatasetFirstValueById("uid") +
    "@asdf.local"</string>
              </forceValues>
             </dataset>
             <dataset>
              <name>userAccountControl</name>
              <policy>KEEP</policy>
              <createValues>
               <string>AD.userAccountControlSet( "0",
    [AD.UAC_SET_NORMAL_ACCOUNT])</string>
              </createValues>
             </dataset>
           </propertiesBasedSyncOptions>
         </task>
       </tasks>
       <!-- ./security This mandatory node contains the security
    settings used by LSC -->
       <security>
       </security>
    </lsc>




Configuration seems ok.


Clément.
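Pulling the thread's checks together, here is an added example (not code from the LSC project or from any poster): it parses the <ldapConnection> entries of an lsc.xml, flags a UPN-form username and XML-special characters in the password, and rebuilds each bind as an ldapsearch command so the source and destination credentials can be tested one at a time, which matters because the debug trace above shows the exception raised while the source service (PullableJndiSrcService) was being built. The lsc.xml content and the syncuser@asdf.local name are constructed, the function names are mine, and reading tlsActivated as StartTLS is an assumption.

```python
import shlex
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Constructed sample modelled on the thread's lsc.xml (not the poster's real file):
# an OpenLDAP source over ldaps and an AD destination with a UPN-form username.
SAMPLE_LSC_XML = """<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="0">
 <connections><ldapConnection><name>asdf-ldap</name>
  <url>ldaps://openldapIP:636/dc=asdf,dc=dk</url>
  <username>cn=admin,dc=asdf,dc=dk</username><password>p&amp;ss</password>
  <tlsActivated>true</tlsActivated></ldapConnection>
 <ldapConnection><name>asdf-ad</name>
  <url>ldap://ip/DC=asdf,DC=local</url>
  <username>syncuser@asdf.local</username><password>password</password>
  <tlsActivated>false</tlsActivated></ldapConnection></connections></lsc>"""

def xml_safe_password(raw):
    """Escape a clear-text password so it can sit inside <password>...</password>."""
    return escape(raw, {'"': "&quot;", "'": "&apos;"})

def check_connections(xml_text):
    """Return one dict per <ldapConnection>: its name, warnings and an ldapsearch bind test."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # an unescaped & or < in <password> breaks the whole file
        return [{"name": None, "warnings": [f"lsc.xml does not parse: {exc}"]}]
    local = lambda e: e.tag.split("}")[-1]  # drop the lsc-core XML namespace
    results = []
    for conn in root.iter():
        if local(conn) != "ldapConnection":
            continue
        f = {local(c): (c.text or "").strip() for c in conn}
        url, user, warnings = urlsplit(f.get("url", "")), f.get("username", ""), []
        if "@" in user and "=" not in user:
            warnings.append("username is in UPN form; use the DN form")
        if f.get("password", "") != xml_safe_password(f.get("password", "")):
            warnings.append("password contains XML-special characters; keep them escaped in lsc.xml")
        # Same bind as an ldapsearch command (-W prompts for the password; base DN from the URL path)
        cmd = ["ldapsearch", "-x", "-H", f"{url.scheme}://{url.netloc}", "-D", user, "-W",
               "-b", url.path.lstrip("/"), "-s", "base", "(objectClass=*)"]
        if f.get("tlsActivated") == "true" and url.scheme == "ldap":
            cmd.insert(2, "-ZZ")  # tlsActivated taken to mean StartTLS (assumption)
        results.append({"name": f.get("name"), "warnings": warnings,
                        "ldapsearch": " ".join(shlex.quote(a) for a in cmd)})
    return results
```

Running the printed ldapsearch line for each connection separately tells you which of the two binds AD or OpenLDAP actually rejects, independent of what LSC's error message calls "the destination".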
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users