Solved

LDAP bind problem, Windows 2008 Enterprise

Posted on 2011-02-15
742 Views
Last Modified: 2012-05-11
I have a customer that is having issues with LDAP binding. I've installed LDAP Administrator, and binding using the "current login account, Active Directory only" option works fine. If you try to manually create the login info using info from dsquery and the same domain admin account, it fails saying something about needing an authorized binding. On a closer look it looks like the bind passed but it fails on the search. I ran portqry and 389 is listening on TCP but not on UDP. I've turned off the Windows Firewall and was running the LDAP test locally on the server. We got started on this trying to get LDAP to work on a set of ASAs. TAC spent 2 hours on it and couldn't figure anything out. They have two DCs in their parent domain and many child domains. DCDIAG looks clean.
Question by:bciengineer
7 Comments
LVL 20

Expert Comment

by:brwwiggins
ID: 34909068
What is the LDAP query or search you are trying to perform?
Author Comment

by:bciengineer
ID: 34909151
Using the LDAP Administrator tool. Maybe "search" was a bad term to use. When you successfully bind with that tool it reads through AD and shows all items. It works when I use the current login account and doesn't when I manually try to create the login info using the same account I'm logged in as. I've tested the LDAP tool on other customers' servers and set up several ASAs to use LDAP for VPN config and have never had a problem. It's something with the setup.
Assisted Solution

by:bciengineer
bciengineer earned 0 total points
ID: 34966245
"debug ldap 255" on the ASA shows this. I can bind to LDAP using dcdiag without problems, and other devices aren't having issues with LDAP binding.

[2127] Session Start
[2127] New request Session, context 0xca6bb348, reqType = Other
[2127] Fiber started
[2127] Creating LDAP context with uri=ldap://x.x.x.x
[2127] Connect to LDAP server: ldap://x.x.x.x, status = Successful
[2127] supportedLDAPVersion: value = 3
[2127] supportedLDAPVersion: value = 2
[2127] Binding as username
[2127] Performing Simple authentication for username to x.x.x.x
[2127] LDAP Search:
        Base DN = [DC=domainname,DC=local]
        Filter  = [sAMAccountName=username]
        Scope   = [SUBTREE]
[2127] Request for username returned code (1) Operations error
[2127] Fiber exit Tx=241 bytes Rx=653 bytes, status=-1
[2127] Session End
Accepted Solution

by:bciengineer
bciengineer earned 0 total points
ID: 35325974
I haven't posted back since there weren't any suggested solutions. We ended up opening a case with Microsoft and they changed some Kerberos settings in the registry, and the LDAP bind works now. Before that I could add the suggested registry keys from here http://social.technet.microsoft.com/Forums/pl-PL/winserverDS/thread/40755056-45c8-480f-9337-fbe2f18c8c15 and the bind would work until the servers were rebooted, when something would remove the registry keys. Microsoft never did figure that out. Even with all that, in the ASA we had to create a config for Kerberos authentication, then when configuring LDAP authentication check the "SASL Kerberos authentication" check box and specify the Kerberos server group we created.
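
Added example, not code from the original thread or from Cisco or Microsoft. The ASA debug above shows a simple bind with no error, followed by a subtree search for sAMAccountName that comes back with result code 1 (Operations error). The script below reproduces those two steps from a Windows host with System.DirectoryServices.Protocols and reports the bind and the search separately, so you can see which step the DC is actually rejecting. It then repeats the same search with Negotiate (Kerberos via SSPI), which is the closest equivalent of the SASL Kerberos bind the accepted solution ended up using on the ASA. The server name, bind account and password are placeholders (assumptions); the base DN and filter are the ones from the debug output.

```powershell
# Added example (not from the original thread). Reproduces the ASA's LDAP
# behaviour: simple bind, then subtree search on sAMAccountName, and reports
# each step separately. Server, account and password are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBindAndSearch {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $BaseDN,
        [Parameter(Mandatory)] [string] $Filter,
        [Parameter(Mandatory)] [System.Net.NetworkCredential] $Credential,
        # Basic = LDAP simple bind (what the ASA did); Negotiate = Kerberos/NTLM via SSPI
        [System.DirectoryServices.Protocols.AuthType] $AuthType = 'Basic'
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = $AuthType
    $conn.Timeout  = [TimeSpan]::FromSeconds(10)

    $result = [ordered]@{ AuthType = "$AuthType"; Bind = ''; Search = ''; Entries = 0 }
    try {
        # Step 1: bind. With AuthType Basic over port 389 the password travels in
        # cleartext, exactly as with the ASA's simple bind; a DC that requires
        # LDAP signing will reject this with strongerAuthRequired (8).
        $conn.Bind($Credential)
        $result.Bind = 'OK'

        # Step 2: the search the ASA performs to map the login name to a DN.
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDN, $Filter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('distinguishedName'))
        $response = $conn.SendRequest($request)
        $result.Search  = "$($response.ResultCode)"
        $result.Entries = $response.Entries.Count
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # The server answered the search with an LDAP error. On an AD DC,
        # OperationsError (1) with the text "a successful bind must be completed
        # on the connection" means the DC is not treating this connection as
        # authenticated, even though the bind step returned no error.
        $resp = $_.Exception.Response
        $result.Search = "$($resp.ResultCode): $($resp.ErrorMessage)"
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # Transport or bind-level failure (bad credentials, unreachable server,
        # signing required, ...). Attribute it to whichever step had not finished.
        $msg = "$($_.Exception.ErrorCode): $($_.Exception.Message)"
        if ($result.Bind -eq '') { $result.Bind = $msg } else { $result.Search = $msg }
    }
    finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# --- Usage with placeholder values ------------------------------------------
$server = 'dc01.domainname.local'                    # assumption
$baseDN = 'DC=domainname,DC=local'                   # as in the ASA debug output
$filter = '(sAMAccountName=username)'                # the user the ASA looked up
$cred   = New-Object System.Net.NetworkCredential('bindsvc', 'P@ssw0rd-placeholder', 'DOMAINNAME')

# What the ASA did: simple bind, then search.
Test-LdapBindAndSearch -Server $server -BaseDN $baseDN -Filter $filter -Credential $cred -AuthType Basic
# What the fix did: Kerberos (SASL) bind, then the same search.
Test-LdapBindAndSearch -Server $server -BaseDN $baseDN -Filter $filter -Credential $cred -AuthType Negotiate
```

Run it from a domain-joined host against the DC the ASA points at. If the Basic run reports Bind OK but Search 1 (OperationsError) while the Negotiate run returns the entry, the DC is discarding the simple bind's authentication for subsequent operations, which matches the debug trace above and is the situation in which switching the ASA to a SASL Kerberos bind makes the lookup work. If the Basic run fails at the bind step instead, the problem is credentials, reachability or a signing requirement, and the LDAP search configuration on the ASA is not at fault.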
Assisted Solution

by:bciengineer
bciengineer earned 0 total points
ID: 35326051
I just replied back and apologize for not following up. There were never any suggested solutions posted to this question. I've followed up with a new post and solution that may be helpful to someone else if they ever come across this problem, so you may not want to delete the question.
Author Closing Comment

by:bciengineer
ID: 35360860
I never got any suggested solutions from any of the experts here. After working on this for a month and finally opening a ticket with Microsoft we were able to resolve the issue.
