2012/6/7 Luis Armando Roca Fumero <[email protected]>:
> Hello
> I'm in trouble configuring LTB to change passwords in Active Directory; I
> don't know what I'm doing wrong.
> I followed the instructions for Configuring an SSL Certificate for Microsoft
> Active Directory, from site:
> https://confluence.atlassian.com/display/CROWD/Configuring+an+SSL+Certificate+for+Microsoft+Active+Directory
>
> 1. My CA has:
> CA type: Enterprise Root
> Common Name for CA: Gannicus
> Distinguished Name Suffix: DC=uclv4,DC=edu,DC=cu
> Preview of Distinguished Name: CN=Gannicus,DC=uclv4,DC=edu,DC=cu
>
> 2. I exported the certificate with the command:
> certutil -ca.cert ca.crt
>
> 3. I tested the connection with ldp.exe in the Active Directory server. I
> used SSL in port 636 and it connected successfully.
>
> 4. I copied the certificate to the client machine (Ubuntu) in
> /etc/ssl/ca.crt
>
> 5. I edited the file ldap.conf with:
> TLS_CACERT /etc/ssl/ca.crt
> TLS_REQCERT allow
>
> 6. I tested the connection from the client machine (Ubuntu).
> telnet 10.12.2.99
> I had these results:
> Trying 10.12.2.99...
> Connected to 10.12.2.99
>
> 7. My configuration file conf.inc.php has the following code:
>
> #======================================================
> # Configuration
> #======================================================
> # LDAP
> $ldap_url = "ldaps://10.12.2.99:636";
> $ldap_binddn = "CN=Administrator,CN=Users,DC=uclv4,DC=edu,DC=cu";
> $ldap_bindpw = "Riddle-88";
> $ldap_base = "CN=users,DC=uclv4,DC=edu,DC=cu";
> $ldap_filter =
> "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
> #$ldap_filter = "(&(objectClass=person)(uid={login}))";
>
> # Active Directory mode
> # true: use unicodePwd as password field
> # false: LDAPv3 standard behavior
> $ad_mode = true;
> # Force account unlock when password is changed
> $ad_options['force_unlock'] = true;
> # Force user change password at next login
> $ad_options['force_pwd_change'] = false;
>
> 8. With this configuration there is an error that says "Can not Access
> to LDAP Directory". I attached this picture.
>
Hello,

I think you can first try to ignore the certificate validation in ldap.conf:

TLS_REQCERT never

If it works, you then have to debug the SSL protocol between your Linux server and Active Directory. Try for example:

openssl s_client -connect 10.12.2.99:636

By the way, the telnet command you have done proves nothing; try instead this command to check that your server can connect to the LDAPS port of Active Directory:

telnet 10.12.2.99 636

Clément.

_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
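As an added example (not code from the thread or from the LTB project), the script below carries out the two checks Clément suggests, but validates the server certificate against the exported CA file so the result says whether TLS_REQCERT allow/never was masking a chain or name problem. The host 10.12.2.99, port 636 and CA path /etc/ssl/ca.crt are the values from Luis's mail; OpenSSL 1.1.0+ (for -verify_hostname), coreutils timeout and bash (for /dev/tcp) are assumed.

```bash
#!/bin/sh
# Added LDAPS diagnostic for the problem in the thread above; it is not code from
# the LTB project or from either poster. Assumed values: AD host 10.12.2.99,
# LDAPS port 636 and CA file /etc/ssl/ca.crt, all taken from the first mail.
# Assumes OpenSSL 1.1.0+ (-verify_hostname), coreutils timeout and bash (/dev/tcp).
# Usage: LDAPS_DIAG_RUN=1 sh ldaps_diag.sh 10.12.2.99 636 /etc/ssl/ca.crt
# Step 1 (Clément's telnet advice): is TCP port 636 reachable at all?
# A telnet without a port only tries port 23, which says nothing about LDAPS.
port_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Pull the numeric code out of openssl's "Verify return code: N (text)" line.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Map the codes most often seen with an AD-issued certificate to a plain explanation.
explain_code() {
    case "$1" in
        0)  echo "chain validates against the CA file; TLS_REQCERT demand is safe" ;;
        19) echo "self-signed root not in CA file: ca.crt is not the issuing CA" ;;
        20|21) echo "issuer certificate missing: export the full CA chain, not a leaf" ;;
        62) echo "name mismatch: the cert names the DC FQDN, so use that FQDN in ldap_url" ;;
        none) echo "no Verify line at all: the TLS handshake itself failed, read the output above" ;;
        *)  echo "verification failed with code $1 (see 'man openssl-verify')" ;;
    esac
}

# Step 2 (Clément's openssl advice), but with -CAfile and -verify_hostname so the
# result shows what TLS_REQCERT allow/never would otherwise hide.
ldaps_diag() {
    host=$1; port=$2; cafile=$3
    if ! port_open "$host" "$port"; then
        echo "TCP $host:$port not reachable: firewall, or LDAPS not enabled on the DC"
        return 1
    fi
    echo "TCP $host:$port reachable; validating the chain with -CAfile $cafile"
    out=$(echo | openssl s_client -connect "$host:$port" \
              -CAfile "$cafile" -verify_hostname "$host" 2>&1)
    printf '%s\n' "$out" | grep -E '^(depth=|verify (error|return)|subject=|issuer=)' || true
    code=$(printf '%s\n' "$out" | verify_code)
    echo "Result: $(explain_code "${code:-none}")"
    [ "$code" = "0" ]
}

# The live check only runs when asked for, so the helpers can be sourced and tested.
if [ -n "$LDAPS_DIAG_RUN" ]; then ldaps_diag "${1:-10.12.2.99}" "${2:-636}" "${3:-/etc/ssl/ca.crt}"; fi
```

A return code of 0 means the client would also accept the certificate with TLS_REQCERT demand; anything else points at the CA file or the name used in $ldap_url rather than at the LTB configuration.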
