Re: Cant set up authentication through AD

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Oleg Makarov <oamakarov [at] platbox.com>
To: Berend De Schouwer <berend [at] deschouwer.co.za>
Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: Cant set up authentication through AD
Date: Tue, 14 Oct 2014 14:35:52 +0400

Thank you for answer.
But in my conf I want to bind by share [at] test.local, why is it trying to bind as 'testing'?
'share' has a permission to read about accounts. there is not ntp server between servers but the time is closely correct.
this line is confusing me:
nslcd: [8b4567] <host=x> DEBUG: ldap_simple_bind_s("CN=share,CN=Users,DC=test,DC=local","***") (uri="ldap://192.168.93.95")
nslcd: [8b4567] <host=x> DEBUG: ldap_result(): end of results (0 total)
is that mean that it didn't see a 'share' account ?

But ldapsearch works fine with 'share' and 'testing' acc!
ldapsearch -d8 -H ldap://192.168.93.95/ -W -LLL -o ldif-wrap=no -D 'CN=share,CN=Users,DC=test,DC=local' -b 'cn=users,dc=test,dc=local' '(sAMAccountName=share)'
Enter LDAP Password:
dn: CN=share,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: share
givenName: share
distinguishedName: CN=share,CN=Users,DC=test,DC=local
instanceType: 4
whenCreated: 20141008033700.0Z
whenChanged: 20141013035436.0Z
displayName: share
uSNCreated: 13235
uSNChanged: 13744
name: share
objectGUID:: bgoZPrBsZkyOFaoHm6A6NQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130576609983696809
lastLogoff: 0
lastLogon: 130576612024169592
pwdLastSet: 130576460767936326
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA+E0BMRbz9hXKyocmUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: share
sAMAccountType: 805306368
userPrincipalName: share [at] test.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
dSCorePropagationData: 20141013041248.0Z
dSCorePropagationData: 20141008033722.0Z
dSCorePropagationData: 16010101000416.0Z
lastLogonTimestamp: 130572140305015944

ldapsearch -d8 -H ldap://192.168.93.95/ -W -LLL -o ldif-wrap=no -D 'CN=testing,CN=Users,DC=test,DC=local' -b 'cn=users,dc=test,dc=local' '(sAMAccountName=testing)'
Enter LDAP Password:
dn: CN=testing,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testing
sn: testing
givenName: testing
distinguishedName: CN=testing,CN=Users,DC=test,DC=local
instanceType: 4
whenCreated: 20141008032715.0Z
whenChanged: 20141014062146.0Z
displayName: testing
uSNCreated: 13228
uSNChanged: 16509
name: testing
objectGUID:: PXk6KMmHMUqJtRpzmBpzrA==
userAccountControl: 66048
badPwdCount: 11
codePage: 0
countryCode: 0
badPasswordTime: 130576631894679906
lastLogoff: 0
lastLogon: 130576477027030627
pwdLastSet: 130577413061676263
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA+E0BMRbz9hXKyocmUAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: testing
sAMAccountType: 805306368
userPrincipalName: testing [at] test.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
dSCorePropagationData: 20141013041248.0Z
dSCorePropagationData: 20141008033722.0Z
dSCorePropagationData: 16010101000416.0Z
lastLogonTimestamp: 130576462809815230

14.10.2014 12:39, Berend De Schouwer пишет:

On Mon, 13 Oct, 2014 at 2:42 , Oleg Makarov oamakarov [at] platbox.com wrote:

nslcd: [b0dc51] <authc="testing"> DEBUG: ldap_simple_bind_s("CN=testing,CN=Users,DC=test,DC=local","***") (uri="ldap://192.168.93.95")
nslcd: [b0dc51] <authc="testing"> DEBUG: failed to bind to LDAP server ldap://192.168.93.95: Invalid credentials: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580

You're binding as 'CN=testing,CN=Users,DC=test,DC=local', securitycontext error. Check the AD server for wrong password / wrong time / user-not-allowed, etc.

But ldapsearch works!
ldapsearch -d8 -H ldap://192.168.93.95/ -W -LLL -o ldif-wrap=no -D 'share [at] test.local' -b 'cn=users,dc=test,dc=local' '(sAMAccountName=testing)'
Enter LDAP Password:

You're *binding* as 'share [at] test.local' but *searching* for '(sAMAccountName=testing)'. Try -D 'CN=testing,CN=Users,DC=test,DC=local'

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

Cant set up authentication through AD, Oleg Makarov
- Re: Cant set up authentication through AD, Berend De Schouwer
  - Re: Cant set up authentication through AD, Oleg Makarov

Prev by Date: Re: Cant set up authentication through AD
Next by Date: Re: Cant set up authentication through AD
Previous by thread: Re: Cant set up authentication through AD
Next by thread: Re: Cant set up authentication through AD