Active Directory LDAP Connection Fails to Configure

NateW
New Contributor III

I am trying to get an LDAP connection setup in JSS to our AD server and I cannot get it to work.

I put in the hostname and domain, but on the next step it says failed to verify user account.

I've tried two user accounts, both are in good working order, neither locked and one of them was my own which has a decent number of permissions.

I have Casper on a Linux box. It can ping the domain just fine as well as the specific AD server I pointed it to.

Also of note, we have a domain domain.company.com as well as an alias for the domain "Arbitraryname." If I point it at domain.company.com it says "Please verify the username and password." If I point it to Arbitraryname it doesn't give any errors, just blanks out the password and does not progress.

Which permissions does the service account specifically need? Also, our domain is set up with load balancing, so should I just point it to domain.company.com for the host as well as the domain? When you ping domain.company.com it resolves to a Domain Controller.

Where do I go from here?

Thanks!

Nate



golbiga
Contributor III

How are you entering the username? Just the name or are you putting the full distinguished name?

jarednichols
Honored Contributor

Have you gone through this: https://jamfnation.jamfsoftware.com/article.html?id=121 ??

NateW
New Contributor III

I have not tried the SSL setup. Let me talk to our AD admins and see if SSL is enforced or not.

This is one of the recurring errors in the log:

2012-01-12 04:39:46,784 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]

I'll look into the SSL setup.

Also of note, we have a non-standard location for storing users, so I tweak that as well, but it seems the auth is what is failing.

NateW
New Contributor III

I've confirmed that we are not using SSL on our AD setup right now.

I set up LDAPS anyway just to test and I'm getting the same basic error message as above:

2012-01-12 06:47:55,352 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
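As an added example (not code from this thread, from Jamf, or from any poster): a small Python classifier for the two JSS log lines quoted above. It distinguishes the GSSAPI failure (no Kerberos ticket on the JSS host, so AD never saw the password) from the LDAP error 49 case, where the bind reached AD and the `data` sub-code says why it was rejected. The sub-code table is the standard AD bind diagnostic set; the function and field names are my own.

```python
import re

# Well-known Active Directory sub-codes carried in the "data NNN" field of an LDAP error 49 string.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN does not exist",
    "52e": "invalid credentials: wrong password, or the bind DN is not what AD expects",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]{8}: LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: [^,]+, data (?P<data>[0-9A-Fa-f]+)"
)
GSSAPI_RE = re.compile(r"AuthenticationException: GSSAPI .*Failed to find any Kerberos tgt")

# The two error lines quoted earlier in this thread, copied as sample input.
THREAD_LOG_LINES = [
    "2012-01-12 04:39:46,784 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: "
    "javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl."
    "SaslException: GSS initiate failed [Caused by GSSException: No valid credentials "
    "provided (Mechanism level: Failed to find any Kerberos tgt)]]",
    "2012-01-12 06:47:55,352 [ERROR] [LookupLDAPUser ] - Error performing LDAP Lookup: "
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
]


def classify_jss_ldap_error(line):
    """Return a dict describing why the bind failed, or None for lines that are not LDAP lookup errors."""
    if "Error performing LDAP Lookup" not in line:
        return None
    if GSSAPI_RE.search(line):
        # Kerberos path: the JSS host never obtained a TGT, so the password was never presented to AD.
        return {"stage": "client", "ldap_code": None, "subcode": None,
                "meaning": "SASL/GSSAPI bind attempted with no Kerberos TGT on the JSS host"}
    m = LDAP_ERR_RE.search(line)
    if m is None:
        return {"stage": "unknown", "ldap_code": None, "subcode": None,
                "meaning": line.split("LDAP Lookup: ", 1)[-1]}
    code, data = int(m.group("code")), m.group("data").lower()
    # The bind reached AD and was rejected there; the sub-code says why.
    meaning = AD_BIND_SUBCODES.get(data, "unrecognised AD sub-code") if code == 49 else "LDAP result code %d" % code
    return {"stage": "server", "ldap_code": code, "subcode": data, "meaning": meaning}
```

A `data 52e` result after switching to a simple bind means AD evaluated the credentials and rejected them, which points at the bind DN or password rather than at transport or Kerberos.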

sean
Valued Contributor

Try dropping .com from the end of your domain!
If that doesn't work, try Apache Directory Studio on a mac to confirm the name of your domain.

Sean

NateW
New Contributor III

Turns out I *had* to use simple auth. So Simple Auth + SSL worked. I also realized that the distinguished name wasn't correct for the user I was trying to use. I found the proper distinguished name using the dsquery tool on a Windows box. It spit out the distinguished name exactly in the format that I needed for the config and everything is happy now.

itupshot
Contributor II

@NateW: Can you please post the actual dsquery command that you used to get that Distinguished Name? I'm having pretty much the same issue. JSS doesn't recognize the service account even though I gave JSS the correct server address and domain.

justinrummel
Contributor III

I've posted the method to connect to an AD LDAP server via the JSS's Assistant and manually at: https://www.justinrummel.com/integrating-and-debugging-windows-active-directory-ldap-connection-with...

- Justin

itupshot
Contributor II

@justinrummel Thanks, Justin. The command line LDAP test was successful as per your method, but the JSS AD "wizard" still rejected any admin/service account I typed in.

Your manual setup instructions seem to be working.