Solved
Active Directory LDAP Connection Fails to Configure


  • New Contributor
  • 9 replies

I am trying to get an LDAP connection setup in JSS to our AD server and I cannot get it to work.

I put in the hostname and domain, but on the next step it says failed to verify user account.

I've tried two user accounts, both are in good working order, neither locked and one of them was my own which has a decent number of permissions.

I have Casper on a Linux box. It can ping the domain just fine as well as the specific AD server I pointed it to.

Also of note, we have a domain domain.company.com as well as an alias for the domain "Arbitraryname." If I point it at domain.company.com it says "Please verify the username and password." If I point it to Arbitraryname it doesn't give any errors, just blanks out the password and does not progress.

Which permissions does the service account specifically need? Also, our domain is set up with load balancing, so should I just point it to domain.company.com for the host as well as the domain? When you ping domain.company.com it resolves to a Domain Controller.

Where do I go from here?

Thanks!

Nate


9 replies

golbiga
  • Employee
  • 298 replies
  • January 12, 2012

How are you entering the username? Just the name or are you putting the full distinguished name?


  • Valued Contributor
  • 1892 replies
  • January 12, 2012

Have you gone through this: https://jamfnation.jamfsoftware.com/article.html?id=121 ??


  • Author
  • New Contributor
  • 9 replies
  • January 12, 2012

I have not tried the SSL setup. Let me talk to our AD admins and see if SSL is enforced or not.

This is one of the recurring errors in the log:

2012-01-12 04:39:46,784 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]

I'll look into the SSL setup.

Also of note, we have a non-standard location for storing users, so I tweak that as well, but it seems the auth is what is failing.


  • Author
  • New Contributor
  • 9 replies
  • January 12, 2012

I've confirmed that we are not using SSL on our AD setup right now.

I set up LDAPS anyways just to test and I'm getting the same basic error message as above:

2012-01-12 06:47:55,352 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
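The two log lines quoted in this thread are worth decoding rather than just reading as "auth failed": the first is a SASL/GSSAPI bind that fails because the JSS host holds no Kerberos ticket, and the second is LDAP result 49 where Active Directory reports the real reason in the `data 52e` field (invalid credentials). The following is an added example, not code from the thread or from Jamf: a small Python classifier that pulls the AD sub-code out of such lines and maps it to its documented meaning. The sample log is constructed from the two lines above plus one invented line carrying sub-code 775 (account locked out), which is the case a defender most wants to catch, since a misconfigured service account that keeps retrying can lock itself out under the domain's lockout policy.

```python
import re
from collections import Counter

# Constructed sample: the two error lines quoted in this thread, plus one
# constructed line with a different sub-code (775) and one unrelated INFO line.
SAMPLE_LOG = """\
2012-01-12 04:39:46,784 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]
2012-01-12 06:47:55,352 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
2012-01-12 06:50:01,000 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1]
2012-01-12 06:50:02,000 [INFO] [LookupLDAPUser ] - unrelated informational line (constructed)
"""

# Active Directory sub-codes that accompany LDAP result 49 (invalidCredentials)
# in the "data NNN" field. Plain LDAP only says "bad credentials"; AD adds the
# reason here, which is what makes the field worth decoding.
AD_BIND_SUBCODES = {
    "525": "user not found (bind DN or username does not resolve)",
    "52e": "invalid credentials (wrong password, or username form not accepted)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_FAILURE_RE = re.compile(r"error code 49 .*?data ([0-9a-fA-F]{3})")


def classify_bind_failure(line):
    """Classify one JSS log line.

    Returns None for lines that are not LDAP lookup errors, otherwise a tuple
    (category, ad_subcode_or_None, explanation).
    """
    if "Error performing LDAP Lookup" not in line:
        return None
    m = BIND_FAILURE_RE.search(line)
    if m:
        code = m.group(1).lower()
        return ("invalid_credentials", code,
                AD_BIND_SUBCODES.get(code, "unknown AD sub-code"))
    if "Failed to find any Kerberos tgt" in line:
        return ("kerberos_no_tgt", None,
                "SASL/GSSAPI bind was attempted but the JSS host holds no Kerberos "
                "ticket; use a simple bind over LDAPS or give the host a Kerberos "
                "credential")
    return ("other", None, line.split(" - ", 1)[-1])


def summarize(log_text):
    """Count failure categories across a log excerpt and tally AD sub-codes seen."""
    counts = Counter()
    subcodes = Counter()
    for line in log_text.splitlines():
        result = classify_bind_failure(line)
        if result is None:
            continue
        category, code, _ = result
        counts[category] += 1
        if code:
            subcodes[code] += 1
    return {"categories": dict(counts), "subcodes": dict(subcodes)}


def needs_attention(summary):
    """True when a lockout (sub-code 775) appears: the retrying service account
    has tripped the domain lockout policy and the config must be fixed first."""
    return summary["subcodes"].get("775", 0) > 0


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = classify_bind_failure(line)
        if r:
            print(f"{r[0]:20s} {r[1] or '-':4s} {r[2]}")
    s = summarize(SAMPLE_LOG)
    print(s, "LOCKOUT" if needs_attention(s) else "")
```

Run it against a real JSS log excerpt in place of `SAMPLE_LOG`; a run of 52e lines followed by 775 is the signature of a bind loop that has locked the service account out.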


  • Contributor
  • 529 replies
  • January 17, 2012

Try dropping .com from the end of your domain!
If that doesn't work, try Apache Directory Studio on a Mac to confirm the name of your domain.

Sean


NateW
  • Author
  • New Contributor
  • 9 replies
  • Answer
  • January 19, 2012

Turns out I *had* to use simple auth. So Simple Auth + SSL worked. I also realized that the distinguished name wasn't correct for the user I was trying to use. I found the proper distinguished name using the dsquery tool on a Windows box. It spit out the distinguished name exactly in the format that I needed for the config and everything is happy now.
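The accepted answer turned on the distinguished name being in exactly the right form, and the earlier confusion between `domain.company.com` and the `Arbitraryname` alias is the same problem from another angle: a bind DN's `DC=` components must spell out the AD domain's DNS name, not a NetBIOS alias. The following is an added example, not the poster's dsquery command and not Jamf code: Python helpers that build a user DN with RFC 4514 escaping (a CN such as "Smith, John" needs its comma escaped or the DN splits in the wrong place), parse a DN back into components honoring those escapes, and check that the DN's domain components match the domain the JSS is pointed at. The CN, OU path and domain values are constructed for illustration.

```python
import re

# Characters that RFC 4514 section 2.4 requires to be backslash-escaped
# anywhere inside an attribute value.
_ALWAYS_ESCAPE = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape one attribute value for use in an RDN (RFC 4514 string form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in "# ":      # leading '#' or space
            out.append("\\" + ch)
        elif i == last and ch == " ":    # trailing space
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(domain):
    """Turn a DNS domain such as domain.company.com into DC=domain,DC=company,DC=com."""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + escape_rdn_value(l) for l in labels)


def build_user_dn(cn, ou_path, domain):
    """Compose CN=...,OU=...,DC=... with ou_path ordered from the innermost OU outward."""
    parts = ["CN=" + escape_rdn_value(cn)]
    parts += ["OU=" + escape_rdn_value(ou) for ou in ou_path]
    parts.append(domain_to_dc(domain))
    return ",".join(parts)


def parse_dn(dn):
    """Split a DN into (attribute type, unescaped value) pairs.

    Backslash escapes are honored so an escaped comma does not split an RDN.
    Multi-valued RDNs joined with '+' are not handled (not needed for AD user DNs).
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in ',+"\\<>;# =':
                buf.append(nxt)
                i += 2
                continue
            if i + 3 <= len(dn) and re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
                continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value))
    return pairs


def dn_in_domain(dn, domain):
    """True when the DN's DC components spell the given DNS domain (case-insensitive).

    A NetBIOS-style alias like 'Arbitraryname' yields a single DC that will not
    match the directory's naming context, which is one way a bind DN ends up wrong.
    """
    dcs = [v.lower() for t, v in parse_dn(dn) if t == "DC"]
    return dcs == [l.lower() for l in domain.strip(".").split(".") if l]


if __name__ == "__main__":
    # Constructed values: a service account with a comma in its CN, in a nested OU.
    dn = build_user_dn("Smith, John", ["Service Accounts", "Corp"], "domain.company.com")
    print(dn)
    print(parse_dn(dn))
    print("matches domain.company.com:", dn_in_domain(dn, "domain.company.com"))
    print("matches Arbitraryname:", dn_in_domain(dn, "Arbitraryname"))
```

Paste the DN that dsquery or Apache Directory Studio returns into `parse_dn` to see exactly how the directory tokenizes it; if the `DC` components do not match what you typed as the domain in the JSS, that is the mismatch to fix before touching the password or the auth method.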


  • Valued Contributor
  • 173 replies
  • March 23, 2015

@NateW: Can you please post the actual dsquery command that you used to get that Distinguished Name? I'm having pretty much the same issue. JSS doesn't recognize the service account even though I gave JSS the correct server address and domain.


  • Contributor
  • 159 replies
  • March 23, 2015

I've posted the method to connect to an AD LDAP server via the JSS's Assistant and manually at: https://www.justinrummel.com/integrating-and-debugging-windows-active-directory-ldap-connection-with-jamf-softwares-jss/

- Justin


  • Valued Contributor
  • 173 replies
  • March 23, 2015

@justinrummel Thanks, Justin. The command line LDAP test was successful as per your method, but the JSS AD "wizard" still rejected any admin/service account I typed in.

Your manual setup instructions seem to be working.
