> On 14/03/2014 09:25, Clément OUDOT wrote:
>> 2014-03-13 21:45 GMT+01:00 Esben <[email protected]>:
>>
>>>>>>>>> I'm trying out LSC (2.0.4) and I'm having problems connecting to my
>>>>>>>>> Active Directory (Windows 2008 R2).
>>>>>>>>>
>>>>>>>>> I get the following message when trying to connect:
>>>>>>>>>
>>>>>>>>> ERROR - Error opening the LDAP connection to the destination!
>>>>>>>>> (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
>>>>>>>>> Credentials])
>>>>>>>>>
>>>>>>>>> I know the username and password are correct. I can connect to AD via
>>>>>>>>> ldapsearch and Apache Directory Studio with no problems. If I change the
>>>>>>>>> username or password to something incorrect, I get this message instead:
>>>>>>>>>
>>>>>>>>> ERROR - Error opening the LDAP connection to the destination!
>>>>>>>>> (javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
>>>>>>>>> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
>>>>>>>>> v1db1])
>>>>>>>>>
>>>>>>>>> I've tried different passwords, and both DN and UPN usernames.
>>>>>>>>>
>>>>>>>>> My lsc.xml contains the following AD ldap connection:
>>>>>>>>>
>>>>>>>>> <ldapConnection>
>>>>>>>>> <name>asdf-ad</name>
>>>>>>>>> <url>ldap://ip/DC=asdf,DC=local</url>
>>>>>>>>> <username>[email protected]</username>
>>>>>>>>> <password>password</password>
>>>>>>>>> <authentication>SIMPLE</authentication>
>>>>>>>>> <referral>IGNORE</referral>
>>>>>>>>> <derefAliases>NEVER</derefAliases>
>>>>>>>>> <version>VERSION_3</version>
>>>>>>>>> <pageSize>1000</pageSize>
>>>>>>>>> <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>>>>>> <tlsActivated>false</tlsActivated>
>>>>>>>>> </ldapConnection>
>>>>>>>>>
>>>>>>>>> Am I missing something?
>>>>>>>>>
>>>>>>>>> UPN is not really supported, try to use the DN form in
>>>>>>>>> <username></username>
>>>>>>>>>
>>>>>>>>> Clément.
>>>>>>>>
>>>>>>>> As I wrote in the message, I tried the DN as well, with the same
>>>>>>>> negative result.
>>>>>>>>
>>>>>>>> Please answer to the list.
>>>>>>>>
>>>>>>>> If you can log in with DN and password in ldapsearch, you should be
>>>>>>>> able to do it with LSC. Do you have special characters in the password?
>>>>>>>> Maybe you should check if they fit in XML markup.
>>>>>>>>
>>>>>>>> Clément.
>>>>>>>
>>>>>>> Sorry, I was a little fast on the send button.
>>>>>>>
>>>>>>> lsc.xml
>>>>>>>
>>>>>>> <ldapConnection>
>>>>>>> <name>asdf-ad</name>
>>>>>>> <url>ldap://ip/DC=asdf,DC=local</url>
>>>>>>> <username>CN=SyncUser,CN=Users,DC=asdf,DC=local</username>
>>>>>>> <password>password</password>
>>>>>>> <authentication>SIMPLE</authentication>
>>>>>>> <referral>IGNORE</referral>
>>>>>>> <derefAliases>NEVER</derefAliases>
>>>>>>> <version>VERSION_3</version>
>>>>>>> <pageSize>1000</pageSize>
>>>>>>> <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>>>> <tlsActivated>false</tlsActivated>
>>>>>>> </ldapConnection>
>>>>>>> </connections>
>>>>>>>
>>>>>>> Mar 12 15:58:14 - INFO - Connecting to LDAP server
>>>>>>> ldap://ip/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
>>>>>>> Mar 12 15:58:15 - ERROR - Error opening the LDAP connection to the
>>>>>>> destination! (javax.naming.AuthenticationException: [LDAP: error
>>>>>>> code 49 - Invalid Credentials])
>>>>>>>
>>>>>>> My password is really simple, consisting of only letters (a-z) and
>>>>>>> numbers. How do I see what characters are supported?
>>>>>>>
>>>>>>> See
>>>>>>> https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
>>>>>>>
>>>>>>> But letters and numbers should not be a problem.
>>>>>>>
>>>>>>> Can you paste the working ldapsearch command?
>>>>>>>
>>>>>>> Clément.
>>>>>>
>>>>>> This command works fine:
>>>>>> ldapsearch -x -D "CN=SyncUser,CN=Users,DC=asdf,DC=local" -w PASSWORD -h IP -b "DC=asdf,DC=local"
>>>>>>
>>>>>> I can also connect via Apache Directory Studio, which also uses Java.
>>>>>>
>>>>>> Well, I have no idea. Try a tcpdump to find the difference between the
>>>>>> LSC BIND and the ldapsearch BIND.
>>>>>>
>>>>>> Clément.
>>>>>
>>>>> Running Wireshark I can see the exact same flow when running lsc and
>>>>> ldapsearch:
>>>>>
>>>>> bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
>>>>> bindResponse(1) success
>>>>>
>>>>> It just seems like LSC is not responding to the "bindResponse success"
>>>>> command because it closes the connection afterwards. Ldapsearch makes a
>>>>> searchRequest after the bindResponse and works fine.
>>>>>
>>>>> The LDAP error message is from AD.
>>>>>
>>>>> Do you confirm that AD is your destination directory? Could you maybe
>>>>> send the lsc.xml file with the task definition?
>>>>
>>>> I only see the following LDAP packets when LSC is connecting:
>>>>
>>>> bindRequest(1) "CN=SyncUser,CN=Users,DC=asdf,DC=local" simple
>>>> bindResponse(1) success
>>>>
>>>> None of them contains "invalid credentials". Are you sure the error
>>>> message is coming from the AD?
>>>>
>>>> It may come from the source, are the OpenLDAP credentials ok?
>>>
>>> LSC reports no OpenLDAP errors. Here is LSC's debug output:
>>>
>>> Mar 13 19:53:39 - INFO - Connecting to LDAP server
>>> ldap://<ad-ip>/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
>>> Mar 13 19:53:39 - INFO - Connecting to LDAP server
>>> ldaps://<openldap>:636/dc=asdf,dc=dk as cn=admin,dc=asdf,dc=dk
>>> Mar 13 19:53:40 - ERROR - Error opening the LDAP connection to the
>>> destination! (javax.naming.AuthenticationException: [LDAP: error
>>> code 49 - Invalid Credentials])
>>
>> Here, the ERROR occurs after connecting to OpenLDAP, so check the
>> credentials of the OpenLDAP connection.
>
> It seems that in some cases the error message is bad, referring to
> destination instead of source. Please open a bug.
> As said before, this error message indicates an issue with OpenLDAP,
> as AD error messages are more verbose.
>
> Regards,
> Raphaël Ouazana.
> _______________________________________________________________
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>
> lsc-users mailing list
> [email protected]
> http://lists.lsc-project.org/listinfo/lsc-users
Ahh, thank you. The error "Error opening the LDAP connection to the
destination" is somewhat misleading. I thought it was referring to the
"destination" LDAP server, which was the AD. I guess I should have seen
the fact that the error was appearing after the OpenLDAP connection.
Anyway, the OpenLDAP credentials were incorrect and the connection works
now. Now I just have to get the sync to work.

Thanks everybody for the help.

Esben
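The two clues the thread turned on (the ERROR belongs to whichever connection LSC logged last, and an AD rejection carries a verbose "AcceptSecurityContext ... data NNN" sub-code while OpenLDAP's "Invalid Credentials" does not) can be applied to an LSC log mechanically. This is an added triage script, not LSC code; the log samples are constructed copies of the lines quoted in the thread, and the AD sub-code table is Microsoft's documented set, not something LSC emits.

```python
import re

# Constructed samples, shaped like the LSC output quoted in the thread.
OPENLDAP_LOG = """\
Mar 13 19:53:39 - INFO - Connecting to LDAP server ldap://<ad-ip>/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
Mar 13 19:53:39 - INFO - Connecting to LDAP server ldaps://<openldap>:636/dc=asdf,dc=dk as cn=admin,dc=asdf,dc=dk
Mar 13 19:53:40 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials])
"""
AD_LOG = """\
Mar 12 15:58:14 - INFO - Connecting to LDAP server ldap://ip/DC=asdf,DC=local as CN=SyncUser,CN=Users,DC=asdf,DC=local
Mar 12 15:58:15 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1])
"""
CONNECT_RE = re.compile(r"Connecting to LDAP server (\S+) as (.+)$")
LDAP_CODE_RE = re.compile(r"LDAP: error code (\d+)")
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)")

# Microsoft's AcceptSecurityContext sub-codes a sync account commonly hits;
# 52e is the one Esben saw with a deliberately wrong password.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "533": "account disabled",
    "775": "account locked out",
}

def attribute_failures(log_text):
    """Map each ERROR line to the server and bind DN of the most recent
    "Connecting to LDAP server" line before it. LSC connects sequentially,
    so that is the server that rejected the bind, whatever the message
    says about "source" or "destination"."""
    last_url = last_dn = None
    failures = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            last_url, last_dn = m.group(1), m.group(2).strip()
            continue
        if " - ERROR - " not in line:
            continue
        code = LDAP_CODE_RE.search(line)
        ad = AD_DATA_RE.search(line)
        if ad:  # the verbose "data NNN" form is only produced by Active Directory
            detail = "AD: " + AD_DATA_CODES.get(ad.group(1), "data " + ad.group(1))
        else:   # bare resultCode with no sub-code, as OpenLDAP returns it
            detail = "generic invalidCredentials, not an AD response"
        failures.append({"url": last_url, "bind_dn": last_dn,
                         "result_code": int(code.group(1)) if code else None,
                         "detail": detail})
    return failures
```

Run against Esben's last debug output it names ldaps://<openldap>:636 and cn=admin as the rejected bind, which is where the thread ended up.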

