Solved

LDAP bind problem Windows 2008 Enterprise

Posted on 2011-02-15
737 Views
Last Modified: 2012-05-11
I have a customer that is having issues with LDAP binding. I've installed LDAP Server Administrator and binding using the "current login account active directory only" works fine. If you try to manually create the login info using info from dsquery and the same domain admin account it fails saying something about must have an authorized binding. On a closer look it looks like the bind passed but it fails on the search. I ran portqry and 389 is listening on TCP but not on UDP. I've turned on the Windows Firewall and was running the LDAP test locally to the server. We got started on this trying to get LDAP to work on a set of ASAs. TAC spent 2hrs on it and couldn't figure anything out. They have two DCs in their parent domain and many child domains. DCDIAG looks clean.
Question by:bciengineer
7 Comments
 
LVL 20

Expert Comment

by:brwwiggins
ID: 34909068
What is the LDAP query or search you are trying to perform?

Author Comment

by:bciengineer
ID: 34909151
Using the LDAP Administrator tool. Maybe a search was a bad term to use. When you successfully bind with that tool it reads through AD and shows all items. It works when I use the current login account and doesn't when I manually try to create the login info using the same account I'm logged in as. I've tested the LDAP tool on other customers' servers and set up several ASAs to use LDAP for VPN config and have never had a problem. It's something with the setup.

Assisted Solution

by:bciengineer
bciengineer earned 0 total points
ID: 34966245
debug ldap 255 on the ASA shows this. I can bind to LDAP using dcdiag without problems and other devices aren't having issues with LDAP binding.

[2127] Session Start
[2127] New request Session, context 0xca6bb348, reqType = Other
[2127] Fiber started
[2127] Creating LDAP context with uri=ldap://x.x.x.x
[2127] Connect to LDAP server: ldap://x.x.x.x, status = Successful
[2127] supportedLDAPVersion: value = 3
[2127] supportedLDAPVersion: value = 2
[2127] Binding as username
[2127] Performing Simple authentication for username to x.x.x.x
[2127] LDAP Search:
        Base DN = [DC=domainname,DC=local]
        Filter  = [sAMAccountName=username]
        Scope   = [SUBTREE]
[2127] Request for username returned code (1) Operations error
[2127] Fiber exit Tx=241 bytes Rx=653 bytes, status=-1
[2127] Session End
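A small parser for the ASA `debug ldap 255` output shown above, added here as an example (it is not code from this thread or from Cisco). It picks out the connect status, bind method, search base and LDAP result code, and classifies where the session broke down; the sample session is constructed from the lines quoted in the post, and the result-code names are the standard ones from RFC 4511.

```python
import re

# Subset of LDAP result codes, by number (RFC 4511, section 4.1.9)
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    2: "protocolError",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Constructed sample: the session quoted in the post, trimmed to the lines the parser uses
SAMPLE_DEBUG = """\
[2127] Session Start
[2127] Connect to LDAP server: ldap://x.x.x.x, status = Successful
[2127] Performing Simple authentication for username to x.x.x.x
[2127] LDAP Search:
        Base DN = [DC=domainname,DC=local]
        Filter  = [sAMAccountName=username]
        Scope   = [SUBTREE]
[2127] Request for username returned code (1) Operations error
[2127] Session End
"""


def parse_asa_ldap_debug(text):
    """Summarise one ASA 'debug ldap 255' session: connect, bind method, search, result."""
    info = {"connected": False, "bind_method": None, "search_base": None,
            "result_code": None, "result_name": None, "failed_stage": None}
    for line in text.splitlines():
        if "Connect to LDAP server" in line and "status = Successful" in line:
            info["connected"] = True
            continue
        m = re.search(r"Performing (\w+) authentication", line)
        if m:
            info["bind_method"] = m.group(1)  # e.g. "Simple"
            continue
        m = re.search(r"Base DN = \[(.*)\]", line)
        if m:
            info["search_base"] = m.group(1)
            continue
        m = re.search(r"returned code \((\d+)\)", line)
        if m:
            info["result_code"] = int(m.group(1))
            info["result_name"] = LDAP_RESULT_CODES.get(info["result_code"], "unknown")
    # Classify where the session broke down from what the ASA actually logged
    if not info["connected"]:
        info["failed_stage"] = "connect"
    elif info["result_code"] == 49:
        info["failed_stage"] = "bind"    # invalidCredentials: wrong username or password
    elif info["result_code"] and info["search_base"]:
        info["failed_stage"] = "search"  # session was accepted but the search was rejected
    return info
```

For the session in the post this yields result code 1 (operationsError) at the search stage, which matches the author's observation that the bind passed but the search failed.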

Accepted Solution

by:bciengineer
bciengineer earned 0 total points
ID: 35325974
I haven't posted back since there weren't any suggested solutions. We ended up opening a case with Microsoft and they changed some Kerberos settings in the registry and the LDAP bind works now. Before that I could add the suggested registry keys here http://social.technet.microsoft.com/Forums/pl-PL/winserverDS/thread/40755056-45c8-480f-9337-fbe2f18c8c15 and the bind would work until the servers were rebooted and something would remove the registry keys. Microsoft never did figure that out. Even with all that, in the ASA we had to create a config for Kerberos authentication, then when configuring LDAP authentication check the SASL Kerberos authentication check box and specify the Kerberos Server Group we created.

Assisted Solution

by:bciengineer
bciengineer earned 0 total points
ID: 35326051
I just replied back and apologize for not following up. There were never any suggested solutions posted to this question. I've followed up with a new post and solution that may be helpful to someone else if they ever come across this problem, so you may not want to delete the question.

Author Closing Comment

by:bciengineer
ID: 35360860
I never got any suggested solutions from any of the experts here. After working on this for a month and finally opening a ticket with Microsoft we were able to resolve the issue.
