
LDAP credentials error

We've been using the same credentials for LDAP since we got our KBox but now need to change them. We have a new AD account with the exact same permissions as the original but the KBox says the credentials are incorrect. The account is set up OK and behaves normally outside of the KBox so I don't know why this is happening.

Oddly on the K1000 Settings Authentication page it says at the top Last Updated: May 11 2009 04:24pm

Test error:

Testing server connection to: 172.26.1.1 on Port: 389
OK Connection Successful.
OK Setting Protocol Version 3 Successful.
OK Setting LDAP REFERRALS Option 0 Successful.
Error Search Bind using LDAP supplied credentials Failed.
Error LDAP Test Failed. Closing connection.


Answers (11)

Posted by: airwolf 12 years ago
Red Belt
1
Paste your LDAP configuration for the old account AND the new account. It's hard to troubleshoot without that info. I'm just guessing here, but I would imagine it's either an issue with the filter or the CN string for the username.

EDIT: Obviously, leave out passwords - we don't need those.
Posted by: stubox 12 years ago
Blue Belt
1
That would be useful! Thanks

Existing:

Server Friendly Name: serverName
Server Hostname (or IP): 192.168.1.1
LDAP Port Number: 389
Search Base DN: DC=ad,DC=domain,DC=uk
Search Filter: (&(objectcategory=User)(samaccountname=KBOX_USER))
LDAP Login: userAccount1
Role: User

New:

Server Friendly Name: serverName
Server Hostname (or IP): 192.168.1.1
LDAP Port Number: 389
Search Base DN: DC=ad,DC=domain,DC=uk
Search Filter: (&(objectcategory=User)(samaccountname=KBOX_USER))
LDAP Login: userAccount2
Role: User

In AD userAccount1 and userAccount2 are identical (apart from their names)
Posted by: airwolf 12 years ago
Red Belt
1
Have you rebooted your KBOX since the change?
Posted by: GillySpy 12 years ago
7th Degree Black Belt
1
Have you changed some information to protect the innocent here? The IP in your error message was 172.26.1.1 but the IP in the auth source is 192.168.1.1

Open the "LDAP Browser" on the K1000 and then see what search bases automatically come back. Click on the first one. Then proceed to step 2 and get the details for the two users. Can you find both users? If so then use the search base the browser used. If not then something is likely different. Inactive?
Posted by: stubox 12 years ago
Blue Belt
1
Hi

Airwolf - yep rebooted the kbox but no difference, page still says last updated in 2009.
GillySpy - I have changed the address yes, the first 172 address was a fake as well.

The LDAP browser test for userAccount1 (the original account) reports:

Successfully connected to the server:
DC=ad,DC=woking,DC=gov,DC=uk
CN=Configuration,DC=ad,DC=woking,DC=gov,DC=uk
CN=Schema,CN=Configuration,DC=ad,DC=woking,DC=gov,DC=uk
DC=DomainDnsZones,DC=ad,DC=woking,DC=gov,DC=uk
DC=ForestDnsZones,DC=ad,DC=woking,DC=gov,DC=uk

The LDAP browser test for userAccount2 reports:

ERROR:Errno49 Invalid credentials

I've noticed that any account details I enter on the LDAP browser page (except for userAccount1) return Errno49. It also doesn't accept new accounts within the User Import pages (where you can set the LDAP criteria for scheduled user account imports).

Very odd, I've had other people check the AD accounts to make sure I'm not missing something really obvious.
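
Added example, not part of the thread: Active Directory reports every rejected bind as LDAP result 49 and distinguishes the cause (wrong password, disabled or locked account, workstation restriction, forced password change) with a hex sub-code in the server's diagnostic message. The sketch below decodes that sub-code; it assumes the full diagnostic string is available from an LDAP client or log that shows it, and the sample messages, including their DSID values, are constructed.

```python
import re
from typing import Optional, Tuple

# AD sub-codes found in the "data XXX" field of the diagnostic message that
# accompanies LDAP result code 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found (login name or DN does not resolve)",
    "52e": "invalid credentials (wrong password or login format)",
    "530": "logon not permitted at this time (logon hours)",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def explain_bind_failure(diagnostic: str) -> Tuple[Optional[str], str]:
    """Return (sub_code, meaning) for an AD bind-failure diagnostic string."""
    match = _DATA_RE.search(diagnostic)
    if match is None:
        # e.g. the bare "Errno49 Invalid credentials" line: no detail to decode
        return None, "no AD sub-code in message; cause cannot be narrowed down"
    code = match.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "sub-code not in table")


# Constructed sample messages (DSID values are placeholders, not real captures).
SAMPLES = [
    "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v1db1",
    "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 773, v1db1",
    "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 531, v1db1",
    "ERROR:Errno49 Invalid credentials",
]

if __name__ == "__main__":
    for line in SAMPLES:
        code, meaning = explain_bind_failure(line)
        print(f"{code or '-':>4}  {meaning}")
```
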
Posted by: GillySpy 12 years ago
7th Degree Black Belt
1
On step 1 enter the useraccount1 credentials no matter what and click on DC=ad,DC=woking,DC=gov,DC=uk

Step 2 is where you are going to have two different tests. One will be for samaccountname=useraccount1 and then a second test with samaccountname=useraccount2

If you find both make sure that:
your searchbase is DC=ad,DC=woking,DC=gov,DC=uk
Posted by: stubox 12 years ago
Blue Belt
1
Hi GillySpy

In step 2 the search is able to return results for both user accounts. I've checked and the searchbase is still DC=ad,DC=woking,DC=gov,DC=uk

So the Kbox can see both accounts
Posted by: GillySpy 12 years ago
7th Degree Black Belt
1
Ok the user exists so the given credentials are no good for that OU then. Could you try a separate 3rd party LDAP client?
Posted by: stubox 12 years ago
Blue Belt
1
I've tried using an LDAP query app called Softerra LDAP Browser 4.5 and I can connect and load the AD schema using both accounts. To clarify, ad.woking.gov.uk is our domain name rather than a specific OU.
Posted by: GillySpy 12 years ago
7th Degree Black Belt
1
A 3rd party test can help a lot. I suggest a tech support ticket.
Posted by: stubox 12 years ago
Blue Belt
1
Thanks GillySpy, I'll log a ticket and see what they say. I'll post back here.