I have an LDAP authentication server configured using the account 'administrator', and I would like to change this to use a different account with fewer privs. My problem is that when I change the Admin DN from:
cn=administrator,cn=users,dc=testing,dc=abc,dc=local
to
cn=junipersa2000,cn=users,dc=testing,dc=abc,dc=local
it fails with the following error:
Invalid admin credentials.
I know that the account names and passwords match because I used cut/paste after about the 3rd try.
I'm running a Windows 2008 AD and an SA-2000 at 6.4r1.
I've been through all of the KB articles and J-Net topics and haven't found an answer.
Any assistance would be appreciated.
stine
Hey Theo - A couple of things. One - can you do a packet capture? Check the bind failure message for an error code. Possible codes are:
data 525 (invalid user)
data 52e (invalid password)
Also, I remember this "type" of error from another product I worked with. It had to do with the difference in names. The actual cn (canonical name) was not the same as the "login" name. I duplicated your problem by setting up a user called sa (1st name) admin (last name) with a "login" name of saadmin. This failed with a 525 error code, which reminded me of my old problem with another LDAP box. I opened up my handy dandy LDAP browser (I use Softerra) and sure enough the "CN" was actually "sa admin". I edited the CN with the LDAP browser and got rid of the space.
I then setup another user and edited the display name and found that the CN appeared to be matching display name, not login. The user was test (1st name) user (2nd name) testuser (login name). I edited display name and made it testuser instead of the default of "test user" before I saved and it worked.
So I hope this makes sense. You need to find out what the actual CN is in LDAP and use that, editing if necessary.
SO! Not really a Juniper error. Just an LDAP pain in the ass error.
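The two checks the reply recommends, decoding the `data` sub-code in the AD bind failure and looking up the account's real distinguishedName instead of guessing `cn=<login>,cn=users,...`, as an added example (not code from the thread or from Juniper). The sample diagnostic message and the LDIF output below are constructed to mirror the "sa admin" / saadmin case in the reply; in practice the diagnostic string comes from the bindResponse errorMessage in a Wireshark capture (as stine did) or from ldapsearch's "additional info", and the LDIF from a search such as `ldapsearch -x -H ldaps://AD01.testing.local -D 'TESTING\administrator' -W -b 'dc=testing,dc=abc,dc=local' '(sAMAccountName=saadmin)' distinguishedName cn sAMAccountName`.

```python
import re
from typing import Dict, List, Optional

# AD returns the real reason for a simple-bind failure only in the diagnostic
# message, as a hex "data" sub-code after "AcceptSecurityContext error".
# These mappings are the documented ones; the thread only cites 525 and 52e.
AD_BIND_DATA_CODES = {
    "525": "user not found (bind DN does not resolve to an account)",
    "52e": "invalid credentials (account found, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DIAG_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")

# Constructed sample: what a 525 bind failure looks like on the wire. The DSID
# value is illustrative, it varies between AD builds.
SAMPLE_DIAG_525 = (
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, "
    "data 525, v1db1"
)

# Constructed sample: ldapsearch-style LDIF for the reply's test account. Note
# the CN is the "Full name" (first + last), not the login name saadmin.
SAMPLE_LDIF = """\
# saadmin, Users, testing.abc.local
dn: CN=SA Admin,CN=Users,DC=testing,DC=abc,DC=local
cn: SA Admin
sAMAccountName: saadmin
distinguishedName: CN=SA Admin,CN=Users,DC=testing,DC=abc,DC=local
"""


def decode_bind_failure(diagnostic: str) -> Dict[str, str]:
    """Extract the AD data sub-code from a bind diagnostic message and explain it."""
    m = _DIAG_RE.search(diagnostic)
    if not m:
        return {"data": "", "meaning": "no AD data sub-code present in message"}
    code = m.group("data").lower()
    return {"data": code, "meaning": AD_BIND_DATA_CODES.get(code, "unknown sub-code")}


def parse_ldif_entries(ldif: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line separates entries, '#' lines are comments.
    Base64 ('::') and folded lines are not handled; not needed for these attributes."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def admin_dn_for_login(ldif: str, login: str) -> Optional[str]:
    """Return the account's real distinguishedName for a given sAMAccountName."""
    for entry in parse_ldif_entries(ldif):
        logins = [v.lower() for v in entry.get("sAMAccountName", [])]
        if login.lower() in logins and entry.get("distinguishedName"):
            return entry["distinguishedName"][0]
    return None


def naive_dn_matches(ldif: str, login: str, container: str) -> bool:
    """Does the guessed 'cn=<login>,<container>' equal the real DN (case-insensitive)?"""
    real = admin_dn_for_login(ldif, login)
    guess = f"cn={login},{container}"
    return real is not None and real.lower() == guess.lower()


if __name__ == "__main__":
    print(decode_bind_failure(SAMPLE_DIAG_525))
    print("real DN:", admin_dn_for_login(SAMPLE_LDIF, "saadmin"))
    print("guess ok:", naive_dn_matches(SAMPLE_LDIF, "saadmin",
                                        "cn=users,dc=testing,dc=abc,dc=local"))
```

A 525 with a correct password is the signature of a bind DN that does not exist, which is exactly what a CN derived from "Full name" rather than the login produces; paste the distinguishedName the search returns into the Admin DN field rather than editing the CN in the directory.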
Already did that, but don't remember the results. I had to change the type to Unencrypted so the data in Wireshark was visible.
Seems to me the codes were 525 / 1771... As soon as I can restart my LDAP server, I'll give that a try again.
thanks.
I think my problem was that my AD/DC was hosed. I have since re-built my AD/DC (Windows 2008 Standard), and installed the following Roles:
Active Directory Certificate Services (my AD is also the domain root CA)
Active Directory Domain Services w/
Identity Management for Unix
Active Directory Lightweight Directory Services (not sure if this was necessary)
DNS Server (my AD is also the zone root dns)
Web Server [IIS] (for certificate management...)
and these Features are installed:
.NET Framework 3.0
Group Policy Management
Remote Server Admin Tools
Subsystem for Unix-based Applications
Windows Process Activation Service (required by IIS)
My SA-2000 authentication server is defined as follows:
Name: LDAPSERVER
LDAP Server: AD01.testing.local
LDAP Port: 636
Backup LDAP Server1:
Backup LDAP Port1:
Backup LDAP Server2:
Backup LDAP Port2:
LDAP Server Type: Active Directory
Connection: LDAPS
Connection Timeout: 15
Search Timeout: 60
authentication required:
<checked> Authentication required to search LDAP
Admin DN: cn=junipersa2000,cn=users,dc=testing,dc=local
Password: *************
finding users:
Base DN: dc=testing,dc=local
Filter: cn=<username>
determine group membership:
Base DN: cn=users,dc=testing,dc=local
Filter: cn=<groupname>
Member Attribute: memberOf
<checked> Reverse Group Search
Query Attribute:
Nested Group Level: 4
Nested Group Search: Search all nested groups
stine