2015-06-18 12:11 GMT+02:00 <[email protected]>:
> Hello,
>
> I am trying to migrate accounts from OpenLDAP to AD but it appears that our
> AD won't set the user password through a SIMPLE authentication login
> If I use the resulting LDIF with ldapadd and -Y GSSAPI it works
> So I am wondering how to configure the AD connection in lsc.xml to use
> GSSAPI instead of SIMPLE
>
> First I had a message about gsseg_jaas.conf
> so I created one ... but I don't know what to put in it
>
> now I have another error message:
>
> juin 18 11:50:29 - INFO - LSC configuration successfully loaded from /etc/lsc/openldap2ad/
> javax.security.auth.login.LoginException: Aucun LoginModule configuré pour org.lsc.jndi.JndiServices
>         at javax.security.auth.login.LoginContext.init(LoginContext.java:272)
>         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:425)
>         at org.lsc.jndi.JndiServices.getLdapProperties(JndiServices.java:358)
>         at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:465)
>         at org.lsc.jndi.AbstractSimpleJndiService.<init>(AbstractSimpleJndiService.java:176)
>         at org.lsc.jndi.SimpleJndiDstService.<init>(SimpleJndiDstService.java:98)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>         at org.lsc.Task.<init>(Task.java:117)
>         at org.lsc.SimpleSynchronize.init(SimpleSynchronize.java:104)
>         at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:154)
>         at org.lsc.Launcher.run(Launcher.java:223)
>         at org.lsc.Launcher.launch(Launcher.java:158)
>         at org.lsc.Launcher.main(Launcher.java:141)
> juin 18 11:50:29 - INFO - Connecting to LDAP server ldap://my.ad.com/DC=my,DC=ad,DC=com CN=ADM,ou=AdminUsers,ou=FR,DC=my,DC=ad,DC=com
> juin 18 11:50:30 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Cannot locate default realm)]])
> juin 18 11:50:30 - ERROR - org.lsc.exception.LscConfigurationException: Configuration exception: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Cannot locate default realm)]]
>
> Can you please let me know if it is possible to use Kerberos auth for the
> update and how to configure it?

Hi,

I think we never tried to use GSSAPI to authenticate to LDAP. The
documentation mentions it
(http://lsc-project.org/wiki/documentation/latest/configuration/connections/ldap)
but I'm not sure it works.

To update a password in AD, you need to use LDAPS. See also
http://lsc-project.org/wiki/documentation/howto/activedirectory#password_synchronization

Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
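
The two errors in the quoted log correspond to two JVM-side prerequisites: a JAAS entry named org.lsc.jndi.JndiServices and a Kerberos default realm. The preflight check below is an added example, not code from the thread or from the LSC project, and it does not establish that LSC's GSSAPI bind works. The sample file contents are constructed, and the realm MY.AD.COM and the choice of Krb5LoginModule with a ticket cache are assumptions.

```python
import re

# Constructed sample files (not from the thread); MY.AD.COM is an assumed realm.
SAMPLE_JAAS = """
org.lsc.jndi.JndiServices {
  com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    doNotPrompt=true;
};
"""
SAMPLE_KRB5 = """
[libdefaults]
  default_realm = MY.AD.COM
[realms]
  MY.AD.COM = { kdc = my.ad.com }
"""

def jaas_entries(text):
    """Map each JAAS entry name to the LoginModule classes it declares."""
    text = re.sub(r"/\*.*?\*/|^\s*//[^\n]*", "", text, flags=re.S | re.M)
    entries = {}
    for name, body in re.findall(r"([\w.$-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        entries[name] = re.findall(
            r"([\w.$]+)\s+(?:required|requisite|sufficient|optional)\b", body)
    return entries

def default_realm(text):
    """Return default_realm from the [libdefaults] section of krb5.conf, or None."""
    section = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults":
            m = re.match(r"default_realm\s*=\s*(\S+)", line)
            if m:
                return m.group(1)
    return None

def preflight(jaas_text, krb5_text, entry="org.lsc.jndi.JndiServices"):
    """Return the problems that would reproduce the two errors in the quoted log."""
    problems = []
    entries = jaas_entries(jaas_text)
    # JAAS falls back to an entry named "other" when the requested name is absent.
    if not (entries.get(entry) or entries.get("other")):
        problems.append(f"no LoginModule configured for {entry}")
    if default_realm(krb5_text) is None:
        problems.append("cannot locate default realm")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE_JAAS, SAMPLE_KRB5) or "JAAS entry and default realm present")
```

The JVM reads these two files from the locations given by the java.security.auth.login.config and java.security.krb5.conf system properties.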

