On 14/03/2014 09:25, Clément OUDOT wrote:
2014-03-13 21:45 GMT+01:00 Esben <[email protected]>:
I'm trying out LSC (2.0.4) and I'm having problems connecting to my Active Directory (Windows 2008 R2). I get the following message when trying to connect:
ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials])
I know the username and password are correct. I can connect to AD via ldapsearch and Apache Directory Studio with no problems. If I change the username or password to something incorrect, I get this message instead:
ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1])
I've tried different passwords, and both DN and UPN usernames.
My lsc.xml contains the following AD ldap connection:
<ldapConnection>
<name>asdf-ad</name>
<url>ldap://ip/DC=asdf,DC=local</url>
<username>[email protected]</username>
<password>password</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>1000</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
Am I missing something?
UPN is not really supported, try to use the DN form in <username></username>.
Clément.
As I wrote in the message, I tried the DN as well, with the same negative result.
Please answer to the list.
If you can log in with DN and password in ldapsearch, you should be able to do it with LSC.
Do you have special characters in your password? Maybe you should check if they fit in XML markup.
Clément.
Sorry, I was a little fast on the send button.
lsc.xml
<ldapConnection>
<name>asdf-ad</name>
<url>ldap://ip/DC=asdf,DC=local</url>
<username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
<password>password</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>1000</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
</connections>
Mar 12 15:58:14 - INFO - Connecting to LDAP server ldap://ip/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
Mar 12 15:58:15 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials])
My password is really simple, consisting of only letters (a-z) and numbers. How do I see what characters are supported?
See https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
But letters and numbers should not be a problem.
Can you paste the working ldapsearch command?
Clément.
This command works fine:
ldapsearch -x -D "CN=SyncUser,CN=Users,DC=asdf,DC=local" -w PASSWORD -h IP -b "DC=asdf,DC=local"
I can also connect via Apache Directory Studio, which
also uses Java.
Well, I have no idea. Try a tcpdump to find the difference between the LSC BIND and the ldapsearch BIND.
Clément.
Running Wireshark I can see the exact same flow when running lsc and ldapsearch:
bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
bindResponse(1) success
It just seems like LSC is not responding to the "bindResponse success" command because it closes the connection afterwards.
ldapsearch makes a searchRequest after the bindResponse and works fine.
The LDAP error message is from AD.
Do you confirm that AD is your destination directory? Could you
maybe send the lsc.xml file with the task definition?
I only see the following LDAP packets when LSC is connecting:
bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
bindResponse(1) success
None of them contains "invalid credentials". Are you sure the error message is coming from AD?
It may come from the source; are the OpenLDAP credentials OK?
LSC reports no OpenLDAP errors. Here is LSC's debug output
Mar 13 19:53:39 - INFO - Connecting to LDAP server ldap://<ad-ip>/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
Mar 13 19:53:39 - INFO - Connecting to LDAP server ldaps://<openldap>:636/dc=asdf,dc=dk as cn=admin,dc=asdf,dc=dk
Mar 13 19:53:40 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials])
Here, the ERROR occurs after connecting to OpenLDAP, so check the
credentials of OpenLDAP connection.
It seems that in some cases the error message is bad, referring to
destination instead of source. Please open a bug.
As said before, this error message indicates an issue with OpenLDAP, as
AD error messages are more verbose.
Regards,
Raphaël Ouazana.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
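Added example, not code from the LSC project or from anyone in this thread: a small Python script that performs the two checks suggested above offline. The first is Clément's question about XML-special characters in <password> (a raw `&`, `<` or `>` must be escaped in lsc.xml, otherwise LSC binds with a different password than the one you typed into ldapsearch). The second is Raphaël's point that the bind which actually failed is the one named by the last "Connecting to LDAP server" line before the ERROR, whatever the message says about "destination", and that a bare "Invalid Credentials" without AD's "AcceptSecurityContext error, data 52e" comment is not an AD response. The lsc.xml fragment, host names, passwords and log lines are constructed for the example; the element names follow the ldapConnection block posted in the thread.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed lsc.xml fragment for the example; hosts and passwords are invented,
# the element names follow the <ldapConnection> block posted in the thread.
SAMPLE_LSC_XML = """<lsc>
<connections>
  <ldapConnection>
    <name>asdf-ad</name>
    <url>ldap://ad.example.test/DC=asdf,DC=local</url>
    <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
    <password>s3cret&amp;more</password>
    <authentication>SIMPLE</authentication>
  </ldapConnection>
  <ldapConnection>
    <name>asdf-openldap</name>
    <url>ldaps://ldap.example.test:636/dc=asdf,dc=dk</url>
    <username>cn=admin,dc=asdf,dc=dk</username>
    <password>wrongpass</password>
    <authentication>SIMPLE</authentication>
  </ldapConnection>
</connections>
</lsc>"""

# Constructed LSC log excerpt in the same shape as the debug output quoted above.
SAMPLE_LOG = """\
Mar 13 19:53:39 - INFO - Connecting to LDAP server ldap://ad.example.test/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
Mar 13 19:53:39 - INFO - Connecting to LDAP server ldaps://ldap.example.test:636/dc=asdf,dc=dk as cn=admin,dc=asdf,dc=dk
Mar 13 19:53:40 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials])
"""

CONNECT_RE = re.compile(r"Connecting to LDAP server (\S+) as (\S+)")
ERROR_RE = re.compile(r" - ERROR - .*\[LDAP: error code (\d+) - (.*)\]")
# AD appends a diagnostic comment to a failed simple bind; "data 52e" = bad password.
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)")


def _local(tag):
    """Strip an XML namespace prefix ({ns}name -> name) so a namespaced lsc.xml also works."""
    return tag.rsplit("}", 1)[-1]


def load_connections(xml_text):
    """Map connection name -> {name, url, username, password, ...} from an lsc.xml document."""
    conns = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "ldapConnection":
            continue
        fields = {_local(c.tag): (c.text or "") for c in el}
        conns[fields["name"]] = fields
    return conns


def xml_safe_password(raw):
    """Return the text that must appear between <password> tags for a raw password."""
    return escape(raw)


def passwords_needing_escape(conns):
    """Names of connections whose (already unescaped) password contains XML-special characters."""
    return sorted(n for n, c in conns.items() if escape(c["password"]) != c["password"])


def attribute_failure(log_text, conns):
    """Find which connection's bind LSC actually failed on.

    LSC's ERROR text may say "destination" regardless of which bind failed, so the
    last "Connecting to LDAP server" line before the ERROR is used instead.
    Returns None if no error line is present.
    """
    last_url = None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            last_url = m.group(1)
            continue
        m = ERROR_RE.search(line)
        if not m or last_url is None:
            continue
        code, detail = m.groups()
        name = next((n for n, c in conns.items() if c["url"] == last_url), None)
        ad = AD_DATA_RE.search(detail)
        return {
            "connection": name,
            "url": last_url,
            "code": int(code),
            "from_ad": ad is not None,   # bare "Invalid Credentials" is not AD's format
            "ad_data": ad.group(1) if ad else None,
        }
    return None


if __name__ == "__main__":
    conns = load_connections(SAMPLE_LSC_XML)
    print("passwords to escape in lsc.xml:", passwords_needing_escape(conns))
    print("asdf-ad password as XML text:", xml_safe_password(conns["asdf-ad"]["password"]))
    print("bind that failed:", attribute_failure(SAMPLE_LOG, conns))
```

Run it against your real lsc.xml and the LSC log with the constructed samples swapped out; if the reported connection is the OpenLDAP one, test that bind with ldapsearch against the OpenLDAP server rather than AD.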