Linux server + LDAP Active Directory Authentication

Postby mde@nexis.be » Tue May 31, 2011 8:25 am

Dear support,

I'm trying to configure LDAP authentication against a Windows 2008R2 AD server. The test connection button reports success, but logging in fails.
Here is some information:
Server: Linux CentOS 5.6 x64 2.6.18-238.9.1.el5
WingFTP: 3.8.7
LDAP Configuration:
IP: => ip of my AD server
Port: 389
Base DN: DC=domain,DC=local => (I don't put my real domain name for security)
User Filter: (&(objectClass=user)(sAMAccountName=%s))
LDAP Version: 3 (even when I change to 2, this setting is reverted back to 3 when I reopen the window)
SSL/TLS: No (with Yes, the test connection button fails)

I tried to define a Bind DN like this: CN=adm-ftp,OU=Services,OU=Administrators,DC=domain,DC=local
With adm-ftp member of Domain Admins or not it doesn't solve the issue.

In the domain logs I can find this line, but not on every attempt:
[14] Tue, 31 May 2011 10:05:13 An error occurs when doing LDAP::ldap_bind_s. Error code=-1

What did I do wrong?

Kind regards,

Michel

Re: Linux server + LDAP Active Directory Authentication

Postby FTP » Tue May 31, 2011 9:22 am

Could you login with the account "adm-ftp"? If you still can't login with this account, please change the "User Filter" into:

(&(objectClass=user)(sAMAccountName=%s)(ou=Services))

or

(&(objectClass=user)(sAMAccountName=%s)(ou=Services)(ou=Administrators))

Re: Linux server + LDAP Active Directory Authentication

Postby mde@nexis.be » Tue May 31, 2011 9:57 am

Thank you for the answer.

I tried the 3 tips you gave, but it still fails and I still get the same error:
[14] Tue, 31 May 2011 11:55:42 An error occurs when doing LDAP::ldap_search_s. Error code=1

Re: Linux server + LDAP Active Directory Authentication

Postby FTP » Tue May 31, 2011 1:21 pm

I have tested LDAP authentication with a Windows AD server; there is no problem on my computer.

Here is a screenshot of the LDAP dialog (screenshot not reproduced).

Please note line 4: it returns the user DN via the base DN and user filter, and in the screenshot you can see the correct user DN.

So please record your LDAP dialog via wireshark, then paste your result here.

Re: Linux server + LDAP Active Directory Authentication

Postby mde@nexis.be » Tue May 31, 2011 3:46 pm

I took traces and saw that, like yours, the 4th line returns the correct LDAP path of my user, but after that it tries a bindRequest for the user <ROOT> 3 times and does a searchRequest on Configuration, ForestDnsZones and DomainDnsZones; these operations fail with LDAP error DSID-0C0906DC "A successful bind must be completed on the connection".

Kind regards,

Michel

Re: Linux server + LDAP Active Directory Authentication

Postby FTP » Tue May 31, 2011 4:42 pm

There is an article with similar problem: http://blogs.technet.com/b/pki/archive/2007/04/13/manually-publishing-a-ca-certificate-or-crl-into-a-ldap-store.aspx

At the bottom of that article, it says:
I had not configured correct SPNs for AD LDS service account. After registering the SPNs everything works fine.

Re: Linux server + LDAP Active Directory Authentication

Postby mde@nexis.be » Tue May 31, 2011 5:48 pm

Do I need to install the AD LDS role on my Windows 2008R2 Domain Controller to make my DC compatible with WingFTP LDAP queries?

Re: Linux server + LDAP Active Directory Authentication

Postby mde@nexis.be » Tue May 31, 2011 5:58 pm

OK, I found this post:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26659333.html
Solved by:
port 3268 is used by AD to have access to Global Catalog. Port 389 is meant for other LDAP search and has limited access. Refer to the following url for details

http://technet.microsoft.com/en-us/library/cc978012.aspx

which helped me without configuring/installing anything on the DC.

According to the Wireshark traces, I understand that the server makes a CN request using the bind user, uses the answer to retry a bind with the full CN, and the bind is now successful.

Is this the right solution in your view (I don't know the risks of using port 3268)?

Thank you,

Michel
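The bind/search/bind flow Michel describes, as an added example that is not Wing FTP's code or anyone's post in this thread: the user filter from the first post with the typed name escaped per RFC 4515 before it is substituted for %s, and a helper that takes the one user DN out of a python-ldap style result set while leaving the port-389 referrals unchased. The result list below is constructed from the DN and naming contexts mentioned in the thread; the `ldap://` URLs and the attribute value are assumed sample data.

```python
# Search filter exactly as configured in the thread; %s is the typed user name.
USER_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"

# RFC 4515 escapes for characters that would otherwise change filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally by the server."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, template: str = USER_FILTER) -> str:
    """Substitute the escaped user name into the %s placeholder of the template."""
    return template.replace("%s", escape_filter_value(username))


def pick_user_dn(results):
    """Return (user_dn, referral_urls) from a python-ldap style search result.

    With referral chasing disabled, python-ldap's search_s() returns referrals
    as (None, ['ldap://...']) tuples. A subtree search of DC=domain,DC=local on
    port 389 yields such entries for Configuration, ForestDnsZones and
    DomainDnsZones; a client that chases them on a fresh, unauthenticated
    connection gets the "A successful bind must be completed" error seen in
    the trace. Port 3268 (Global Catalog) returns no referrals for this search,
    which is why switching ports made the second bind succeed.
    """
    dns = [dn for dn, _attrs in results if dn is not None]
    referrals = [urls[0] for dn, urls in results if dn is None]
    if len(dns) != 1:
        raise LookupError(f"expected exactly one user entry, got {len(dns)}")
    return dns[0], referrals


# Constructed sample: what a DC on port 389 returns for the search above.
SAMPLE_389 = [
    ("CN=adm-ftp,OU=Services,OU=Administrators,DC=domain,DC=local",
     {"sAMAccountName": [b"adm-ftp"]}),
    (None, ["ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local"]),
    (None, ["ldap://DomainDnsZones.domain.local/DC=DomainDnsZones,DC=domain,DC=local"]),
    (None, ["ldap://domain.local/CN=Configuration,DC=domain,DC=local"]),
]

if __name__ == "__main__":
    print(build_user_filter("adm-ftp"))
    dn, refs = pick_user_dn(SAMPLE_389)
    print(dn, "with", len(refs), "referrals left unchased")
```

The DN returned by `pick_user_dn` is what the second bind (the one with the user's own password) should use; the referral URLs are informational and need no further connection.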

Re: Linux server + LDAP Active Directory Authentication

Postby danielch » Tue Jun 14, 2011 1:16 pm

Using your details, you should use adm-ftp@domain.local as the Bind DN (changing domain.local to your real domain).
Regards,
Daniel

Re: Linux server + LDAP Active Directory Authentication

Postby leo462 » Fri Sep 07, 2012 7:37 pm

Hello. Did you ever get your problem resolved? Curious, as I'm having issues too. Thanks.