Hello all,

I've run into a problem with SGD authenticating to Active Directory.

First off, the layout. We have two domains that the users authenticate to. Faculty log onto nau, while students use students. Both are child domains of "froot.nau.edu". The default domain is set to students.froot.nau.edu, so as I understand it, students will be able to log in with username, while faculty must log in with [EMAIL PROTECTED]

tarantella config list output for the AD auth is as follows:
login-ad-base-domain: froot.nau.edu
login-ad-default-domain: students.froot.nau.edu
login-ad: 1
login-anon: 0
login-atla: 1
login-autotoken: 1
login-ens: 1
login-ldap-pki-enabled: 0
login-ldap-url: ad://froot.nau.edu
login-ldap: 0
login-mapped: 0
login-nt-domain: froot.nau.edu

And the error I get when attempting to log in is...
------------------------------------------------------------------------
Sun Secure Global Desktop Software (4.3) ERROR:

Active Directory service discovery failed: Failed to find any valid Site objects.
Looking up Global Catalog DNS name: _gc._tcp.froot.nau.edu. - HIT
Looking for GC on server: Active Directory:acaddcs.students.froot.nau.edu:/134.114.52.3:3268:Up - HIT
Checking for CN=Configuration: CN=Configuration,DC=froot,DC=nau,DC=edu - HIT
Looking up domain root context: DC=froot,DC=nau,DC=edu - HIT
Looking up site context: CN=Sites,CN=Configuration
Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
Looking up addresses for peer DNS: sgd.cens.nau.edu - HIT


Failed to discover Active Directory Site, Domain and server data.
This might mean LDAP users cannot log in.

Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.

2007/01/09 11:28:52.803 (pid 5289) server/login/error #1168367332803
Sun Secure Global Desktop Software (4.3) ERROR:

The user :[EMAIL PROTECTED]: was authenticated but was not found within ldap.

The Active Directory login authority and LDAP webtop would not work
in this situation. The search filter used for this search was :
"[EMAIL PROTECTED]"

Check the userProncipalName is correct and valid for user [EMAIL PROTECTED]
in the Active Directory.
------------------------------------------------------------------------

So, as you see, AD users are not actually able to log in.
I am able to do LDAP lookups for users with the same service account SGD is configured with:

ldapsearch -b dc=froot,dc=nau,dc=edu -h froot.nau.edu:3268 -D "cn=systemuser1,ou=service,ou=CENS Users and Groups,ou=CENS Labs,dc=students,dc=froot,dc=nau,dc=edu" -w - "cn=mcm75"


Does anyone have any advice?

Thanks,
Christian McHugh
Northern Arizona University