AD LDAP Server Configuration - username and password not valid.

ctarbox
Contributor II

When testing a policy with a Directory Binding payload, I am receiving this error and the policy is failing:

The username (xxxxx) and password provided for the domain (xx.xxxxxxxxxxxx.edu) was not valid. (Attempt 5)

Some background: Our institution is currently migrating from an Internal Active Directory Forest/Domain to an outfacing Forest/Domain. As a part of the migration we are now following the Red Forest security recommendations.

With our current AD Domain Structure I have a Service Account for the LDAP Server Configuration with the JSS that is an actual AD admin account.

With the new AD Domain Structure I have a new Service Account that has the least allowed privileges to bind computers to the domain. This account does not have login privileges to the AD Domain Controllers or any elevated privileges other than bind privileges.

I have configured the new domain in the LDAP Server Configuration Settings manually (with help from our AD Administrator). Within the LDAP Server Configuration, I can confirm a connection to the Domain Controller with the 'Test' button by searching for users within the new domain and getting an accurate result.

Would having a new Service Account with less than admin privileges in the domain cause the failure?

What is the lowest level of AD admin privileges I need to have a valid username and password for the bind payload to work?

Thanks for any advice you can give.
Cheryl

1 ACCEPTED SOLUTION

ctarbox
Contributor II

I figured out my mistake.

I only updated my password change in the LDAP Server Configuration and did not update it in the Computer Management --> Directory Binding Settings. D'Oh!

Thanks for your help, @alexjdale.

Cheryl


REPLIES

alexjdale
Valued Contributor III

Well, the specific error makes me inclined to believe it is just bad credentials. Not sure why else it would return that. If it was another issue it would state it, like insufficient permissions.

Regarding permissions, make sure that the account has create and modify privileges for the computer records. We had an issue where we could bind computers that had no existing record, but couldn't re-bind them.
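The "create and modify privileges for the computer records" above map to the usual delegated domain-join rights on the OU where the Macs land. The following is an added example, not something posted in this thread or shipped by Jamf: it uses dsacls (from RSAT or on a domain controller) to grant exactly those rights to a non-admin binding account. The domain name EXAMPLE, the account svc-jamf-bind and the OU DN are placeholders; substitute your own. The rights on descendant computer objects (reset password, account restrictions, validated DNS host name and SPN writes) are what a re-bind to an existing record needs; with only create/delete on the OU you get the "bind once, cannot re-bind" behaviour described above.

```powershell
# Added example (not from the thread): delegate least-privilege bind rights to a
# Jamf directory-binding service account with dsacls, then dump the result.
# Assumed placeholders: domain EXAMPLE, account svc-jamf-bind, OU below.
$ou   = "OU=Macs,DC=example,DC=edu"
$acct = "EXAMPLE\svc-jamf-bind"

# On the OU and its subtree: create and delete child objects of class computer.
dsacls $ou /I:T /G "${acct}:CCDC;computer"

# On computer objects beneath the OU only (/I:S): what a re-bind of an existing
# computer record needs to rewrite the account.
dsacls $ou /I:S /G "${acct}:CA;Reset Password;computer"
dsacls $ou /I:S /G "${acct}:RPWP;Account Restrictions;computer"
dsacls $ou /I:S /G "${acct}:WS;Validated write to DNS host name;computer"
dsacls $ou /I:S /G "${acct}:WS;Validated write to service principal name;computer"

# Verify: show only the ACEs on the OU that name the service account.
dsacls $ou | Select-String -SimpleMatch "svc-jamf-bind"
```

Note that this grants nothing at the domain root and no logon right on the domain controllers, so the account stays usable for binding alone. A wrong password still fails before any of these ACLs are evaluated, which is why an "username and password ... not valid" error points at the stored credential rather than at delegation.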

ctarbox
Contributor II

Thanks for the tips.

I can bind and rebind, so I'm pretty sure that I have create and modify privileges.

I did reset the password to my binding account recently.

Thinking that my password change is causing the problem -- maybe the old password is cached in the JSS somewhere? -- I decided to delete the new Domain's LDAP Server Configuration and start fresh by recreating it with the new password. This has not worked out as well as I thought, because even though I recreated and tested the new configuration, the new Domain's payload (Type of: Built-in AD) is not listed when I try to add it to a Policy, nor is it available in Jamf Admin. I've restarted MySQL, Tomcat and the Server itself, but no change. Looks like I broke something else by deleting the Domain configuration and I'll need to open a support ticket. <Heavy Sigh> This is on my test/dev server, so not a huge deal, but I am wary to try the configuration on the production server.
