Hi,

Indeed, if the password is refused by AD, this can be due to:
* insufficient privileges of the LDAP user
* insufficient strength of the password

SSP works with AD 2003, never tested with 2008.

Clément.

2010/8/4, Thomas Chemineau <[email protected]>:
> On 4 August 2010 12:31, Cédric Lemarchand <[email protected]> wrote:
>>
>>>> Hi,
>>>>
>>>> Can your Debian server contact your AD (telnet on port 636)?
>>>> By the way, you have to install the SSL extension on AD to get a valid
>>>> certificate.
>>>>
>>>> Thomas.
>>>>
>>>> --
>>>> Thomas Chemineau
>>>>
>> Thx for your reply Thomas.
>> Yes, the LDAPS port is reachable on both servers:
>>
>> lenny:/usr/share/self-service-password# nmap -p 636 192.168.220.32
>>
>> Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 12:21 CEST
>> Interesting ports on 192.168.220.32:
>> PORT    STATE SERVICE
>> 636/tcp open  ldapssl
>> MAC Address: 52:54:00:25:A0:DA (QEMU Virtual NIC)
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.169 seconds
>> lenny:/usr/share/self-service-password# nmap -p 636 192.168.220.30
>>
>> Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 12:21 CEST
>> Interesting ports on 192.168.220.30:
>> PORT    STATE SERVICE
>> 636/tcp open  ldapssl
>> MAC Address: 54:52:00:A1:A5:25 (Unknown)
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.098 seconds
>>
>>
>> For information, there are 2 Active Directory 2008 Domain Controllers
>> (only used for lab tests): .30 has the master FSMO roles, .32 is a
>> second Domain Controller for the same domain, both run Windows 2008 R2,
>> on the same network segment.
>>
>> We have tried on the .30, with the same results, but normally each
>> domain controller can modify objects in the LDAP tree.
>>
>> Do you know if the soft has already been tested on a Windows Active
>> Directory domain controller?
>>
>>> Hum, by reading the error, it seems that your AD returns a referral.
>>> Are you sure SSP binds on the good AD?
>> What do you mean by 'the good AD'?
>>
>>> Thomas.
>>>
>>
>
> My apologies, I did not read the log carefully (there is no referral
> returned by your AD).
>
> In fact, the LDAP operation SSP wants to apply is not accepted by AD
> (return code 53). There are many reasons for that.
>
> Concerning permissions, I read that the account used by SSP should
> have reset permission:
>
> "The permissions you need depend on the type of password mod you do. Replace
> LDAP operation is equiv to an admin reset, so you must have admin reset
> permissions to do that. Delete and Add operation with delete containing
> previous password is the equiv of password change. Typically all users have
> that unless they've been denied change pwd via ACL as above."
>
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=812fc4a8-4f7a-49bf-8b37-59368e67cc1a&cat=&lang=&cr=&sloc=&p=1
>
> Finally, I'm not sure SSP has been tested on AD 2008 before.
>
> Did you try to use SSP on a 2003 server?
>
> Thomas.
>
> --
> Thomas Chemineau
> _______________________________________________
> ltb-users mailing list
> [email protected]
> http://lists.ltb-project.org/listinfo/ltb-users
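Added example (not from this thread or from the LTB Self Service Password code) of the two password-modification shapes quoted above: a single REPLACE, which AD treats as an admin reset, beside DELETE old + ADD new, which AD treats as a self-service change; both are built with the RFC 4511 operation values and serialized by a small BER encoder so the difference is visible in a capture. The unicodePwd attribute name and its quoted UTF-16-LE value encoding are Microsoft's requirement for AD, assumed here rather than taken from the thread.

```python
from enum import IntEnum


class ModOp(IntEnum):
    """ModifyRequest operation values (RFC 4511, section 4.6)."""
    ADD = 0
    DELETE = 1
    REPLACE = 2


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd values only as the password wrapped in double
    quotes and encoded UTF-16-LE (Microsoft requirement, assumed here)."""
    return f'"{password}"'.encode("utf-16-le")


def admin_reset_mods(new_password: str) -> list:
    """One REPLACE: AD treats this as an administrative reset, so the bound
    account needs Reset Password rights on the target; without them AD
    answers unwillingToPerform (result code 53), the error in the thread."""
    return [(ModOp.REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def user_change_mods(old_password: str, new_password: str) -> list:
    """DELETE old value + ADD new value in the same request: AD treats this as
    a self-service change, which ordinary users may perform unless denied by
    ACL, because the DELETE proves knowledge of the current password."""
    return [
        (ModOp.DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (ModOp.ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def _ber(tag: int, body: bytes) -> bytes:
    """Definite-length BER TLV, short form below 128 bytes, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def ber_modifications(mods) -> bytes:
    """The 'changes' SEQUENCE of a ModifyRequest, as seen in a packet capture."""
    out = b""
    for op, attr, values in mods:
        vals = _ber(0x31, b"".join(_ber(0x04, v) for v in values))   # SET OF value
        attribute = _ber(0x30, _ber(0x04, attr.encode()) + vals)     # PartialAttribute
        out += _ber(0x30, _ber(0x0A, bytes([int(op)])) + attribute)  # one modification
    return _ber(0x30, out)
```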
