2014-03-13 21:45 GMT+01:00 Esben <[email protected]>:

>>>>>>>                         I'm trying out LSC (2.0.4) and I'm having
>>>>>>>                         problems connecting to my
>>>>>>>                         Active Directory (Windows 2008 R2)
>>>>>>>
>>>>>>>                         I get the following message when trying to
>>>>>>>                         connect:
>>>>>>>
>>>>>>>                         ERROR - Error opening the LDAP connection
>>>>>>>                         to the destination!
>>>>>>>                         (javax.naming.AuthenticationException:
>>>>>>>                         [LDAP: error code 49 - Invalid
>>>>>>>                         Credentials])
>>>>>>>
>>>>>>>                         I know the username password is correct. I
>>>>>>>                         can connect to AD via
>>>>>>>                         ldapsearch and Apache Directory Studio
>>>>>>>                         with no problems. If I change the
>>>>>>>                         username or password to something
>>>>>>>                         incorrect, I get this message instead:
>>>>>>>
>>>>>>>                         ERROR - Error opening the LDAP connection
>>>>>>>                         to the destination!
>>>>>>>                         (javax.naming.AuthenticationException:
>>>>>>>                         [LDAP: error code 49 - 80090308:
>>>>>>>                         LdapErr: DSID-0C0903A9, comment:
>>>>>>>                         AcceptSecurityContext error, data 52e,
>>>>>>>                         v1db1])
>>>>>>>
>>>>>>>                         I've tried different passwords, and both
>>>>>>>                         DN and UPN usernames.
>>>>>>>
>>>>>>>                         My lsc.xml contains the following AD ldap
>>>>>>>                         connection:
>>>>>>>
>>>>>>>                         <ldapConnection>
>>>>>>>                         <name>asdf-ad</name>
>>>>>>>                         <url>ldap://ip/DC=asdf,DC=local</url>
>>>>>>>                         <username>[email protected]</username>
>>>>>>>
>>>>>>>                         <password>password</password>
>>>>>>>                         <authentication>SIMPLE</authentication>
>>>>>>>                         <referral>IGNORE</referral>
>>>>>>>                         <derefAliases>NEVER</derefAliases>
>>>>>>>                         <version>VERSION_3</version>
>>>>>>>                         <pageSize>1000</pageSize>
>>>>>>>                         <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>>>>                         <tlsActivated>false</tlsActivated>
>>>>>>>                         </ldapConnection>
>>>>>>>
>>>>>>>                         Am I missing something?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                     UPN is not really supported, try to use the DN
>>>>>>>                     form in <username></username>
>>>>>>>
>>>>>>>                     Clément.
>>>>>>>
>>>>>>
>>>>>>                     As I wrote in the message, I tried the DN as
>>>>>>                     well, with the same negative result.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                 Please answer to the list.
>>>>>>
>>>>>>
>>>>>>                 If you can log in with DN and password in
>>>>>>                 ldapsearch, you should be able to do it with LSC.
>>>>>>                 Do you have special characters in password? Maybe
>>>>>>                 you should check if they fit in an XML markup.
>>>>>>
>>>>>>                 Clément.
>>>>>>
>>>>>                 Sorry, I was a little fast on the send button.
>>>>>
>>>>>                 lsc.xml
>>>>>
>>>>>
>>>>>                 <ldapConnection>
>>>>>                 <name>asdf-ad</name>
>>>>>                       <url>ldap://ip/DC=asdf,DC=local</url>
>>>>>                 <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
>>>>>
>>>>>
>>>>>                 <password>password</password>
>>>>>                 <authentication>SIMPLE</authentication>
>>>>>                 <referral>IGNORE</referral>
>>>>>                 <derefAliases>NEVER</derefAliases>
>>>>>                 <version>VERSION_3</version>
>>>>>                 <pageSize>1000</pageSize>
>>>>>                 <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>>                 <tlsActivated>false</tlsActivated>
>>>>>                 </ldapConnection>
>>>>>                   </connections>
>>>>>
>>>>>                 Mar 12 15:58:14 - INFO  - Connecting to LDAP server
>>>>>                 ldap://ip/DC=asdf,DC=local as
>>>>>                 CN=SyncUser,CN=Users,DC=asdf,DC=local
>>>>>                 Mar 12 15:58:15 - ERROR - Error opening the LDAP
>>>>>                 connection to the destination!
>>>>>                 (javax.naming.AuthenticationException: [LDAP: error
>>>>>                 code 49 - Invalid Credentials])
>>>>>
>>>>>                 My password is really simple, consisting of only
>>>>>                 letters (a-z) and numbers. How do I see what
>>>>>                 characters are supported?
>>>>>
>>>>>
>>>>>             See
>>>>>             https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
>>>>>
>>>>>             But letters and numbers should not be a problem.
>>>>>
>>>>>             Can you paste the working ldapsearch command?
>>>>>
>>>>>
>>>>>             Clément.
>>>>>
>>>>
>>>>             This command works fine:
>>>>             ldapsearch -x -D "CN=SyncUser,CN=Users,DC=asdf,DC=local"
>>>>             -w PASSWORD -h IP -b "DC=asdf,DC=local"
>>>>
>>>>             I can also connect via Apache Directory Studio, which
>>>>             also uses Java.
>>>>
>>>>
>>>>
>>>>         Well, I have no idea. Try a tcpdump to find the difference between
>>>>         the LSC BIND and the ldapsearch BIND.
>>>>
>>>>
>>>>         Clément.
>>>>
>>>
>>>         Running Wireshark, I can see the exact same flow when running
>>>         lsc and ldapsearch:
>>>
>>>         bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
>>>         bindResponse(1) success
>>>
>>>         It just seems like LSC is not responding to the "bindResponse
>>>         success" command because it closes the connection afterwards.
>>>         Ldapsearch makes a searchRequest after the bindResponse and
>>>         works fine.
>>>
>>>
>>>
>>>     The LDAP error message is from AD.
>>>
>>>     Do you confirm that AD is your destination directory? Could you
>>>     maybe send the lsc.xml file with the task definition?
>>>
>>
>>     I only see the following LDAP packets when LSC is connecting:
>>
>>
>>     bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
>>     bindResponse(1) success
>>
>>     None of them contains "invalid credentials". Are you sure the error
>>     message is coming from the AD?
>>
>>
>>
>> It may come from the source, are OpenLDAP credentials OK?
>>
>
>
> LSC reports no OpenLDAP errors. Here is LSC's debug output
>
> Mar 13 19:53:39 - INFO  - Connecting to LDAP server
> ldap://<ad-ip>/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
> Mar 13 19:53:39 - INFO  - Connecting to LDAP server
> ldaps://<openldap>:636/dc=asdf,dc=dk as cn=admin,dc=asdf,dc=dk
> Mar 13 19:53:40 - ERROR - Error opening the LDAP connection to the
> destination! (javax.naming.AuthenticationException: [LDAP: error code 49
> - Invalid Credentials])
>

Here, the ERROR occurs after connecting to OpenLDAP, so check the
credentials of the OpenLDAP connection.

Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
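
The reasoning in the last reply, as an added example that is not part of the original thread and is not LSC code: each error 49 is attributed to the connection opened immediately before it, and its diagnostic text is checked for the AD `AcceptSecurityContext error, data ...` form quoted earlier in the thread. The host names in the sample log are placeholders, `attribute_bind_failures` is a hypothetical name, and the "last connection opened" rule is a heuristic taken from the reply, not documented LSC behaviour.

```python
import re

# Well-known AD sub-codes from the "data XXX" field of an error-49 diagnostic
# (only 52e appears in the thread; the rest are added for completeness).
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
CONNECT = re.compile(r"Connecting to LDAP server (\S+) as (.+)$")
ERR49 = re.compile(r"error code 49 - (.*?)\]\)?\s*$")
AD_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Constructed sample: the thread's debug output, unwrapped, with placeholder hosts.
SAMPLE_LOG = """\
Mar 13 19:53:39 - INFO  - Connecting to LDAP server ldap://ad.example/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
Mar 13 19:53:39 - INFO  - Connecting to LDAP server ldaps://openldap.example:636/dc=asdf,dc=dk as cn=admin,dc=asdf,dc=dk
Mar 13 19:53:40 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials])
"""

def attribute_bind_failures(log_text):
    """Return one finding per error-49 line, tied to the last connection opened."""
    findings, last = [], None
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            last = {"url": m.group(1), "bind_dn": m.group(2).strip()}
            continue
        m = ERR49.search(line)
        if m:
            diag = m.group(1)
            ad = AD_DATA.search(diag)
            reason = AD_SUBCODES.get(ad.group(1).lower(), "unknown") if ad else diag
            findings.append({
                "suspect": last,              # connection opened just before the error
                "ad_style": ad is not None,   # True only for the AD diagnostic form
                "reason": reason,
            })
    return findings

if __name__ == "__main__":
    for finding in attribute_bind_failures(SAMPLE_LOG):
        print(finding)
```
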
