On 4 August 2010 at 12:31, Cédric Lemarchand <[email protected]> wrote:
>
>>> Hi,
>>>
>>> Can your Debian server contact your AD (telnet on port 636)?
>>> By the way, you have to install the SSL extension on AD to get a valid
>>> certificate.
>>>
>>> Thomas.
>>>
>>> --
>>> Thomas Chemineau
>>>
> Thanks for your reply Thomas.
> Yes, the LDAPS port is reachable on both servers:
>
> lenny:/usr/share/self-service-password# nmap -p 636 192.168.220.32
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 12:21 CEST
> Interesting ports on 192.168.220.32:
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> MAC Address: 52:54:00:25:A0:DA (QEMU Virtual NIC)
>
> Nmap done: 1 IP address (1 host up) scanned in 0.169 seconds
> lenny:/usr/share/self-service-password# nmap -p 636 192.168.220.30
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 12:21 CEST
> Interesting ports on 192.168.220.30:
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> MAC Address: 54:52:00:A1:A5:25 (Unknown)
>
> Nmap done: 1 IP address (1 host up) scanned in 0.098 seconds
>
>
> For information, there are 2 Active Directory 2008 Domain Controllers
> (only used for lab tests); the .30 has the master FSMO roles, .32 is a
> second Domain Controller for the same domain, both run Windows 2008 R2,
> on the same network segment.
>
> We have tried on the .30, with the same results, but normally each
> domain controller can modify objects in the LDAP tree.
>
> Do you know if the software has already been tested on a Windows Active
> Directory domain controller?
>
>> Hmm, by reading the error, it seems that your AD returns a referral.
>> Are you sure SSP binds on the good AD?
> What do you mean by 'the good ad' ?
>
>> Thomas.
>>
>

My apologies, I did not read the log carefully (there is no referral
returned by your AD).

In fact, the LDAP operation SSP wants to apply is not accepted by AD
(return code 53). There are many reasons for that.

Concerning permissions, I read that the account used by SSP should
have the reset permission:

"The permissions you need depend on the type of password mod you do. Replace
LDAP operation is equiv to an admin reset, so you must have admin reset
permissions to do that. Delete and Add operation with delete containing
previous password is the equiv of password change. Typically all users have
that unless they've been denied change pwd via ACL as above."

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=812fc4a8-4f7a-49bf-8b37-59368e67cc1a&cat=&lang=&cr=&sloc=&p=1

Finally, I'm not sure SSP has been tested on AD 2008 before.

Did you try to use SSP on a 2003 server?

Thomas.

-- 
Thomas Chemineau
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
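Added example, not code from this thread or from the LTB Self Service Password project: the two unicodePwd modification shapes the quoted Microsoft text contrasts (Replace = admin reset, Delete+Add = user password change), built in Python. Function names are my own; the optional network step assumes the ldap3 library and a reachable LDAPS (port 636) domain controller, which AD requires before it will accept a unicodePwd modify at all.

```python
"""Build Active Directory password modifications the way AD expects them.

AD stores the password behind the unicodePwd attribute and only accepts a
modify on it when (a) the value is the new password wrapped in double
quotes and encoded UTF-16-LE and (b) the connection is encrypted (LDAPS on
636 or an SASL-sealed bind). A plaintext bind, a badly encoded value, or
missing rights all come back as result code 53 (unwillingToPerform), the
same code seen in the thread. All names below are hypothetical helpers.
"""

UNWILLING_TO_PERFORM = 53  # LDAP result code AD returns when it refuses the modify


def encode_ad_password(password: str) -> bytes:
    """AD wants the literal password in double quotes, UTF-16-LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def reset_changes(new_password: str) -> dict:
    """Admin reset: a single Replace on unicodePwd.
    Needs the 'Reset Password' right on the target object (the SSP bind account)."""
    return {"unicodePwd": [("MODIFY_REPLACE", [encode_ad_password(new_password)])]}


def change_changes(old_password: str, new_password: str) -> dict:
    """User change: Delete the old value and Add the new one in one modify.
    Works with the ordinary 'Change Password' right, so no admin reset needed."""
    return {"unicodePwd": [("MODIFY_DELETE", [encode_ad_password(old_password)]),
                           ("MODIFY_ADD", [encode_ad_password(new_password)])]}


def apply_change(host: str, bind_dn: str, bind_pw: str, user_dn: str, changes: dict):
    """Send the modify over LDAPS with ldap3 (third-party, imported lazily so the
    encoding helpers above stay usable offline). Returns (ok, code, description);
    a code of 53 means AD refused the operation, not that the port is closed."""
    from ldap3 import ALL, MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE, Connection, Server
    ops = {"MODIFY_REPLACE": MODIFY_REPLACE, "MODIFY_DELETE": MODIFY_DELETE,
           "MODIFY_ADD": MODIFY_ADD}
    real = {attr: [(ops[op], vals) for op, vals in mods] for attr, mods in changes.items()}
    server = Server(host, port=636, use_ssl=True, get_info=ALL)
    with Connection(server, user=bind_dn, password=bind_pw, auto_bind=True) as conn:
        ok = conn.modify(user_dn, real)
        return ok, conn.result["result"], conn.result["description"]
```

A result of 53 with the Delete+Add shape usually means the old password was wrong or the channel was not encrypted; with the Replace shape it usually means the bind account lacks the reset right.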