• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 750
  • Last Modified:

ldap bind problem windows 2008 enteprise

I have a customer that is having issues with ldap binding. I've installed ldap server admistrator and binding using the "current login account active directory only" works fine. If you try to manually create the login info using info from dsquery and the same domain admin account it fails saying something about must have a authorized binding. On a closer look it looks like the bind passed but it fails on the search. I ran portqry and 389 is listening on tcp but not on udp. I've turned on the windows firewall and was running the ldap test locally to the server. We got started on this trying to get LDAP to work on a set of ASA's. TAC spent 2hrs on it and couldn't figure anything out. They have two DC's in their parent domain and many child domains. DCDIAG looks clean.
0
bciengineer
Asked:
bciengineer
  • 5
3 Solutions
 
brwwigginsCommented:
what is the LDAP query or search you are tying to perform?
0
 
bciengineerAuthor Commented:
using the ldapadministrator tool. Maybe a search was a bad term to use. When you succesfully bind with that tool it reads through AD and shows all items. It works when I use the current login account and doesn't when I manually try to credit the login info using the same account I'm logged in as. I've tested the ldap tool on other customers servers and setup several ASA's to use LDAP for VPN config and have never had a problem. It's something with the setup.
0
 
bciengineerAuthor Commented:
debug ldap 255 on the asa shows this. I can bind to ldap using dcdiag without problems and other devices aren't having issues with ldap binding,

[2127] Session Start
[2127] New request Session, context 0xca6bb348, reqType = Other
[2127] Fiber started
[2127] Creating LDAP context with uri=ldap://x.x.x.x
[2127] Connect to LDAP server: ldap://x.x.x.x, status = Successful
[2127] supportedLDAPVersion: value = 3
[2127] supportedLDAPVersion: value = 2
[2127] Binding as username
[2127] Performing Simple authentication for username to x.x.x.x
[2127] LDAP Search:
        Base DN = [DC=domainname,DC=local]
        Filter  = [sAMAccountName=username]
        Scope   = [SUBTREE]
[2127] Request for username returned code (1) Operations error
[2127] Fiber exit Tx=241 bytes Rx=653 bytes, status=-1
[2127] Session End
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
bciengineerAuthor Commented:
I haven't posted back since there weren't any suggested solutions. We ended up opening a case with Microsoft and they changed some Kerberos settings  in the registry and the LDAP bind works now. Before that I could add the suggested registry keys here http://social.technet.microsoft.com/Forums/pl-PL/winserverDS/thread/40755056-45c8-480f-9337-fbe2f18c8c15  and the bind would work until the servers were rebooted and something would remove the registry keys. Microsoft never did figure that out. Even with all that in the ASA we had to create a config for Kerberos authentication then when configuring LDAP authentication check the SASL Kerberos authentication check box and specify the Kerberos Server Group we created.
0
 
bciengineerAuthor Commented:
I just replied back and appologize for not following up. There were never any suggested solutions posted to this question. I've followed up with a new post and solution that may be helpfull to someone else if they ever come across this problem so you may not want to delete the question.
0
 
bciengineerAuthor Commented:
I never got any suggested solutions from any of the experts here. After working on this for a month and finally opening a ticket with Microsoft we were able to resolve the issue.
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now