trouble using account other than 'administrator' for LDAP to win2k8 AD

stine_
Super Contributor

trouble using account other than 'administrator' for LDAP to win2k8 AD

I have an LDAP authentication server configured using the account 'administrator', and I would like to change this to use a different account with fewer privs. My problem is that when I change the Admin DN from:

cn=administrator,cn=users,dc=testing,dc=abc,dc=local

to

cn=junipersa2000,cn=users,dc=testing,dc=abc,dc=local

it fails with the following error:

Invalid admin credentials.

I know that the account names and passwords match because I used cut/paste after about the 3rd try.

I'm running a Windows 2008 AD and an SA-2000 at 6.4r1.

I've been through all of the KB articles and J-Net topics and haven't found an answer.

Any assistance would be appreciated.

stine

4 REPLIES
muttbarker_
Valued Contributor

Re: trouble using account other than 'administrator' for LDAP to win2k8 AD

Hey Theo - A couple of things. One - can you do a packet capture? Check the bind failure message for an error code. Possible codes are:

data 525 (invalid user)

data 52e (invalid password)

Also I remember this "type" of error from another product I worked with. It had to do with the difference in names. The actual cn (canonical name) was not the same as the "login" name. I duplicated your problem by setting up a user called sa (1st name) admin (last name) with a "login" name of saadmin. This failed with a 525 error code which reminded me of my old problem with another LDAP box. I opened up my handy dandy LDAP browser (I use Softerra) and sure enough the "CN" was actually "sa admin" - I edited the CN with the LDAP browser and got rid of the space.

I then setup another user and edited the display name and found that the CN appeared to be matching display name, not login. The user was test (1st name) user (2nd name) testuser (login name). I edited display name and made it testuser instead of the default of "test user" before I saved and it worked.

So I hope this makes sense. You need to find out what the actual CN for LDAP is and use that, editing if necessary.

SO! Not really a Juniper error. Just an LDAP pain in the ass error.

Message Edited by muttbarker on 04-13-2009 08:59 PM
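The two checks muttbarker describes above (read the `data` subcode out of the bind-failure response, then confirm the account's real CN rather than its login name) can be scripted against what a packet capture or an LDAP search returns. The following is an added example written for this thread, not code from Juniper or from either poster; the sample diagnostic message and the sample directory entry are constructed, the DSID value in it is a placeholder, and the subcode table is the standard set Active Directory attaches to an invalidCredentials bind result.

```python
import re

# Constructed sample bind-failure diagnostic messages in the format Active Directory
# returns with LDAP result code 49 (invalidCredentials). The DSID value is a placeholder;
# the hex subcode after 'data' is the part worth reading.
SAMPLE_BIND_ERRORS = [
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 525, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
]

# Standard AD bind subcodes (hex, as they appear after 'data').
AD_BIND_SUBCODES = {
    "525": "user not found (the bind DN or name matches no directory object)",
    "52e": "invalid credentials (account exists, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def parse_bind_error(diagnostic_message):
    """Return (subcode, meaning) from an AD bind-failure diagnostic message."""
    match = _DATA_RE.search(diagnostic_message)
    if not match:
        return None, "no AD subcode present"
    code = match.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown subcode")


# RFC 4515 escaping for values placed inside a search filter, so a login name
# containing filter metacharacters cannot change the meaning of the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def samaccountname_filter(login_name):
    """Filter that finds an AD account by its login name rather than its CN."""
    return "(sAMAccountName=%s)" % escape_filter_value(login_name)


def cn_from_dn(dn):
    """Value of the leading cn= RDN of a DN, or None if the DN does not start with cn=."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None


def explain_dn_mismatch(configured_dn, entry):
    """Compare the CN in a configured Admin DN with the CN the directory actually holds.

    entry: the account's attributes as a search on sAMAccountName would return them.
    Returns None when they agree, otherwise a message naming the DN to configure.
    """
    directory_cn = entry["cn"]
    configured_cn = cn_from_dn(configured_dn)
    if configured_cn is not None and configured_cn.lower() == directory_cn.lower():
        return None
    return "configured CN %r but directory CN is %r; use Admin DN %s" % (
        configured_cn, directory_cn, entry["distinguishedName"])


# Constructed entry mirroring the 'sa admin' / 'saadmin' case from the reply above.
SAMPLE_ENTRY = {
    "sAMAccountName": "saadmin",
    "cn": "sa admin",
    "distinguishedName": "CN=sa admin,CN=Users,DC=testing,DC=local",
}

if __name__ == "__main__":
    for msg in SAMPLE_BIND_ERRORS:
        print(parse_bind_error(msg))
    print(samaccountname_filter(SAMPLE_ENTRY["sAMAccountName"]))
    print(explain_dn_mismatch("cn=saadmin,cn=users,dc=testing,dc=local", SAMPLE_ENTRY))
```

Feed `parse_bind_error` the diagnostic string from the bindResponse in Wireshark (or from the appliance's own log if it records it); a 525 means the DN itself does not resolve, which is exactly the CN-versus-login-name mismatch case, while a 52e means the DN was fine and only the password failed. `samaccountname_filter` builds the search an admin would run to get the account's real `distinguishedName`, and `explain_dn_mismatch` points out which part of the configured Admin DN to correct.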
stine_
Super Contributor

Re: trouble using account other than 'administrator' for LDAP to win2k8 AD

Already did that, but don't remember the results. I had to change the type to Unencrypted so the data in Wireshark was visible.

Seems to me the codes were 525 / 1771.... As soon as I can restart my ldap server, I'll give that a try again.

thanks.

muttbarker_
Valued Contributor

Re: trouble using account other than 'administrator' for LDAP to win2k8 AD

Theo - I would be willing to bet a nickel that the problem is with the canonical name in LDAP. The 525 is user not found, which is exactly what I saw when I tried it. It is an old, old LDAP/AD issue with mapping names. Would love to hear what you learn.
stine_
Super Contributor

Re: trouble using account other than 'administrator' for LDAP to win2k8 AD

I think my problem was that my AD/DC was hosed. I have since re-built my AD/DC (Windows 2008 Standard), and installed the following Roles:

Active Directory Certificate Services (my AD is also the domain root CA)

Active Directory Domain Services w/

Identity Management for Unix

Active Directory Lightweight Directory Services (not sure if this was necessary)

DNS Server (my AD is also the zone root dns)

Web Server [IIS] (for certificate management....)

and these Features are installed:

.NET Framework 3.0

Group Policy Management

Remote Server Admin Tools

Subsystem for Unix-based Applications

Windows Process Activation Service (required by IIS)

My SA-2000 authentication server is defined as follows:

Name: LDAPSERVER
LDAP Server: AD01.testing.local
LDAP Port: 636
Backup LDAP Server1:
Backup LDAP Port1:
Backup LDAP Server2:
Backup LDAP Port2:
LDAP Server Type: Active Directory
Connection: LDAPS

Connection Timeout: 15
Search Timeout: 60

authentication required:

<checked> Authentication required to search LDAP

Admin DN: cn=junipersa2000,cn=users,dc=testing,dc=local
Password: *************

finding users:

Base DN: dc=testing,dc=local
Filter: cn=<username>

determine group membership:

Base DN: cn=users,dc=testing,dc=local
Filter: cn=<groupname>
Member Attribute: memberOf
<checked> Reverse Group Search
Query Attribute:
Nested Group Level: 4
Nested Group Search: Search all nested groups

stine