OK, so I tried that, including modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the 
Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel 
we’re getting very close.

Thanks,
Harry

From: Nick Couchman [mailto:[email protected]]
Sent: Monday, November 27, 2017 9:56 AM
To: [email protected]
Subject: Re: Configuring LDAP

On Mon, Nov 27, 2017 at 9:46 AM, <[email protected]> wrote:
Update: using port 389 and none for encryption, and I had to change the search 
DN to be just cn=Directory Manager.  Now I get the following error:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN  
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]


Try disabling LDAP alias dereferencing:

ldap-dereference-aliases: never

It looks like you probably have the cn=users,cn=compat area pointed to the real 
objects (cn=users,cn=accounts), and this could be confusing the LDAP client 
when it expects uniquely-named items.  Otherwise, you'll need to narrow your 
base DN such that it only locates one or the other account.

-Nick
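
Nick's last suggestion, narrowing the base DN so the user search finds only one of the two accounts, sketched as an added example (not from the thread and not Guacamole's own code). The directory is constructed from the two DNs in the log line above, the function names are hypothetical, and matching on the leading RDN stands in for a real LDAP subtree search; refusing anything other than exactly one match is an assumption that mirrors the warning shown.

```python
# Constructed directory, modelled on the DNs quoted in the log line above.
ENTRIES = [
    "uid=harry.devine,cn=users,cn=compat,dc=example,dc=com",
    "uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com",
    "uid=other.user,cn=users,cn=accounts,dc=example,dc=com",
    "cn=Directory Manager",
]

def split_dn(dn):
    """Split a DN into normalised (attr, value) RDNs, honouring escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped or ch != ",":
            buf.append(ch)
            escaped = (ch == "\\") and not escaped
        else:
            parts.append("".join(buf))
            buf = []
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def candidate_dns(username, base_dn, username_attr="uid", entries=ENTRIES):
    """Return every entry below base_dn whose leading RDN is username_attr=username."""
    base = split_dn(base_dn)
    want = (username_attr.lower(), username.lower())
    hits = []
    for dn in entries:
        rdns = split_dn(dn)
        under_base = len(rdns) > len(base) and rdns[-len(base):] == base
        if under_base and rdns[0] == want:
            hits.append(dn)
    return hits

def resolve(username, base_dn):
    """Return the single DN to bind as; refuse an empty or ambiguous result."""
    hits = candidate_dns(username, base_dn)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} DNs for {username!r} under {base_dn!r}: {hits}")
    return hits[0]
```

With the base DN at dc=example,dc=com the lookup is ambiguous; with cn=users,cn=accounts,dc=example,dc=com it resolves to one entry.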
