How to connect LDAP to Active Directory

uknet80
Hi all,

I haven't used LDAP to connect to Active Directory before. The client web server is Linux, and the application that connects to the Windows Server 2003 Active Directory is a library system called Koha; it needs LDAP configuration. Can you help me out with this? Here are the Active Directory details:

Active Directory Server detail:
Server IP: 10.1.1.5
Domain: Example.local
Admin name: administrator
Password: pass11
The Koha manual's instructions for connecting to AD are as follows:

((((

Configuring LDAP

To configure Koha to use LDAP, we edit the /etc/koha-dev/etc/koha-conf.xml file and add an LDAP block similar to this:
<useldapserver>1</useldapserver> <!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
<ldapserver id="ldapserver" listenref="ldapserver">
<hostname>your hosts ip address or name</hostname>
<base>base dn</base>
<user>LDAP user's dn</user>
<pass>LDAP user's password</pass>
<replicate>1</replicate> <!-- add new users from LDAP to Koha database -->
<update>1</update> <!-- update existing users in Koha database -->
<auth_by_bind>1</auth_by_bind>
<mapping> <!-- match koha SQL field names to your LDAP record field names -->
<firstname is="givenName"></firstname>
<surname is="sn"></surname>
<userid is="uid"></userid>
<password is="userPassword"></password>
<email is="mail"></email>
<address is="address">Default Address</address>
<city is="city">Default City</city>
<branchcode is="branch">Default Branch Code</branchcode>
<categorycode is="category">Default Category Code</categorycode>
</mapping>
</ldapserver>

Here is how we configure the LDAP block:
1. Add the LDAP server block before these tags: </config></yazgfs> in the koha-conf.xml file.
2. Set the <useldapserver> tag to 1 to turn LDAP authentication on, set it to 0 to turn it off.
3. Enter the LDAP server's host name or IP address in the tag <hostname>.
4. Enter the LDAP server's base DN in the tag <base>.
5. In the tag <user> enter the DN of an LDAP user with browse privileges to the base DN.
6. Enter the LDAP user's password in the tag <pass>.
7. Set <replicate> tag to 1 if you want to create new users in Koha from the LDAP server. If this is set to 0, the user record must exist in Koha.
8. Set <update> tag to 1 if you want updates to user records on the LDAP server to update user records in Koha as well.
9. The fields listed in the <mapping> block refer to fields in the borrowers tables in Koha.
10. The fields listed in the <mapping> block must include all mandatory fields in the borrowers table except the field borrowernumber. Mandatory fields in the table are—surname, address, city, branchcode, and categorycode (patron category code).
11. The fields listed in the <mapping> block should include other Koha fields that have data in corresponding fields in the LDAP record. This way you can get useful data such as e-mail address or phone number from the LDAP record into Koha.
12. The name following is= refers to the corresponding field in the LDAP server.
13. For each field you can specify a default

)))))

Can you please tell me which parameters I have to change in the above code?
Senior Solutions Architect
Commented:
You just need to provide the connection settings by completing the form mentioned above.

I've never heard of "the LDAP Server Block" but these should be the settings you need.
Here is how we configure the LDAP block:
3. 10.1.1.5  or your AD Server name
4. Base DN is the location where you start searching for users.
This can be set as the root of your domain, dc=example,dc=local, but for faster searches set the base DN to the nearest location of the user accounts. By default, users are created in CN=users,dc=example,dc=local; otherwise specify the location where the users are (see details below to find your base DN).
5. Can be any authenticated user, since LDAP is read-only to all users. *Don't specify your Domain Admin account if the password is stored in clear text. *
6. Password for user entered above

Finding BASE DN of user locations, you can run
dsquery user -name <<your name>>*
e.g. dsquery user -name john*

You'd probably get some results like...
CN=John Surname, CN=users,dc=example,dc=local

The part you're interested in is:
CN=users,dc=example,dc=local (may differ on your LAN depending on your architecture design)

http://support.microsoft.com/kb/224543
http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx

Author

Commented:
((4. Base DN is the location where you start searching for users.
This can be set as the root of your domain, dc=example,dc=local, but for faster searches set the base DN to the nearest location of the user accounts. By default, users are created in CN=users,dc=example,dc=local; otherwise specify the location where the users are (see details below to find your base DN).))

Under <base>base dn</base> I can only specify one of the following:
dc=example,dc=local  or
CN=users,dc=example,dc=local

which one?

One can be used as the distinguished name (cn=john,cn=users....) of the bind user used to search for users, or
(cn=users,dc=Example,dc=local...) as the list of contexts where users are located.

Which one shall I use, and what is the difference?



Leon Fester, Senior Solutions Architect

Commented:
Like I said, that is dependent on where your user accounts are stored.
That is the default location where AD will store newly created users.
My own users are not stored in this location, because you cannot apply GPOs to containers.

Run the dsquery command I specified earlier, and replace John with your own name.
Finding BASE DN of user locations, you can run
dsquery user -name <<your name>>*
e.g. dsquery user -name john*

Post the results and I'll tell you the base DN.

Author

Commented:
We have another web-based LDAP client (Moodle) that is connected to our AD. Its settings are as follows:

Distinguished Name: If you want to use a bind user to search users, specify it here..etc
cn=moodl,cn=users,dc=stud-ndtc,dc=local

Contexts: List of contexts where users are located. Separate different contexts with ; ...etc
cn=users,dc=stud-ndtc,dc=local;ou=students,dc=stud-ndtc,dc=local

I set it as follows:

<ldapserver id="ldapserver" listenref="ldapserver">
<hostname>10.1.1.5</hostname>
<base>cn=users,dc=stud-ndtc,dc=local;ou=students,dc=stud-ndtc,dc=local</base>
<user>cn=moodle,cn=users,dc=stud-ndtc,dc=local</user>
<pass>PASSWORD</pass>
<replicate>1</replicate> <!-- add new users from LDAP to
Koha database -->
<update>1</update> <!-- update existing users in Koha
database -->
<auth_by_bind>1</auth_by_bind>
<mapping> <!-- match koha SQL field names to your
LDAP record field names -->
<firstname is="givenName" ></firstname>
<surname is="sn" ></surname>
<userid is="uid"></userid>
<password is="userPassword" ></password>
<email is="mail"></email>
<address is="address">Default Address</address>
<city is="city">Default City</city>
<branchcode is="branch">Default Branch Code</branchcode>
<categorycode is="category">Default Category Code</categorycode>
</mapping>
</ldapserver>

After setting this, users under Active Directory can't log in; even the admin user that was created in Koha itself can't log in.

If I try an Active Directory user I get the error message: "You entered an incorrect username or password. Please try again! And remember, usernames and passwords are case sensitive."

Author

Commented:
Is there a way to test the LDAP connection from Linux to Windows Active Directory using the command line?

Author

Commented:
I have downloaded the ldapsearch tool to test the connection from Linux to Active Directory, and I got the following error:

[root@RHEL5 html]# ldapsearch -x -h 10.1.1.5 moodle -w PASSWORD -b "ou=students,dc=stud-ndtc,dc=local"
# extended LDIF
#
# LDAPv3
# base <ou=students,dc=stud-ndtc,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: moodle
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
 ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 1


Any idea why I get this error?
Leon Fester, Senior Solutions Architect

Commented:
I noticed differences in your base DN configs between the application and the LDAP test tool.

Config #1
cn=users,dc=stud-ndtc,dc=local;ou=students,dc=stud-ndtc,dc=local

Config #2
ou=students,dc=stud-ndtc,dc=local

I also notice that the username for the Moodle application is "moodl" while your LDAP search tool is using the username "moodle".

Correct the username and test again; if the username is correct, then adjust the base DN to reference the root of your domain, dc=stud-ndtc,dc=local, and see if that works.

Author

Commented:
ldapsearch works when issuing the following command:
ldapsearch -x -D "cn=moodle,cn=users,dc=stud-ndtc,dc=local" -h 10.1.1.5 -b "cn=Users,dc=stud-ndtc,dc=local" -w PASS
OR
adding 'sAMAccountName' at the end.

I have set up the koha-conf.xml file, but when I try to log in to Koha, I get the error message: "You entered an incorrect username or password. Please try again! And remember, usernames and passwords are case sensitive."

The koha-conf.xml configuration file is as follows:
<ldapserver id="ldapserver" listenref="ldapserver">
<hostname>10.1.1.5</hostname>
<base> CN=Users,DC=stud-ndtc,DC=local </base>
<user>CN=moodle,CN=Users,DC=stud-ndtc,DC=local</user>
<pass>PASS</pass>
<replicate>1</replicate> <!-- add new users from LDAP to
Koha database -->
<update>1</update> <!-- update existing users in Koha
database -->
<auth_by_bind>1</auth_by_bind>
<mapping> <!-- match koha SQL field names to your
LDAP record field names -->
<firstname is="givenName" ></firstname>
<surname is="sn" ></surname>
<userid is="sAMAccountName"></userid>
<password is="userPassword" ></password>
<email is="mail"></email>
<address is="address">Default Address</address>
</mapping>
</ldapserver>
</config>
</yazgfs>


Leon Fester, Senior Solutions Architect

Commented:
You're using the username "moodle" and the LDAP query that works in the other app is using username "moodl" - without the "e" at the end.

Please check that you're using the correct username.

Author

Commented:
If you check my last comment, both of them are moodle.
Leon Fester, Senior Solutions Architect

Commented:
Yes, and in the 2nd post on this thread, with the details of the other app that works, you used "moodl":

We have another LDAP client (moodle) web based that is connected to our AD. the setting is as follow:

Distinguished Name: If you want to use bind-user to search users, specify it here..etc
cn=moodl,cn=users,dc=stud-ndtc,dc=local

Open a CMD prompt and run the following query and post the results.
dsquery user -samid moodl*

Please post the results.

Author

Commented:
I don't have the admin password for AD, but from a remote machine I ran the command below and got this result:
ldapsearch -x -D "cn=moodle,cn=users,dc=stud-ndtc,dc=local" -h 10.8.0.12 -b "cn=Users,dc=stud-ndtc,dc=local" -w PASS


The result is below; if you want me to run another command, please tell me.

Thanks
# moodle, Users, stud-ndtc.local
dn: CN=moodle,CN=Users,DC=stud-ndtc,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: moodle
description: User account to bind Moodle server to LDAP
givenName: moodle
distinguishedName: CN=moodle,CN=Users,DC=stud-ndtc,DC=local
instanceType: 4
whenCreated: 20090926083410.0Z
whenChanged: 20110510011429.0Z
displayName: moodle
uSNCreated: 484218
uSNChanged: 8654676
name: moodle
objectGUID:: zrY8Z/GOLUO8xwGwZYm1Iw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129502633566825668
lastLogoff: 0
lastLogon: 129502633619327012
pwdLastSet: 129180500773089149
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAlh/fSC2rvb6MYmLrPgcAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: moodle
sAMAccountType: 805306368
userPrincipalName: moodle@stud-ndtc.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ndtc,DC=local
dSCorePropagationData: 20091130094848.0Z
dSCorePropagationData: 20091126185827.0Z
dSCorePropagationData: 20091126165219.0Z
dSCorePropagationData: 20090927083553.0Z
dSCorePropagationData: 16010101181633.0Z
lastLogonTimestamp: 129494636694055395

Leon Fester, Senior Solutions Architect

Commented:
Please run this command.
dsquery user -samid moodl*

Author

Commented:
I asked windows administrator to run that command the result was:
"CN=moodle,CN=Users,DC=ndtc,DC=local"
Leon Fester, Senior Solutions Architect

Commented:
Then that is what you should enter as the user: CN=moodle,CN=Users,DC=ndtc,DC=local
This account is from a domain called: ndtc.local
The one used previously is from another domain called: stud-ndtc.local

Double check the password again.
From the command prompt run the following:
runas /user:moodle calc.exe
when prompted for the password enter the password that you know.

If the windows Calculator opens up then you're using the correct username/password, else you'll get a username/password not correct message.

Verify/Reset the credentials and try again.

Author

Commented:
Thanks, the problem was from Koha itself: I had to make sure both categorycode and branchcode are specified, or it gives a "data missing" error message.

Thanks for your help.
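The failure the thread ends on (a <mapping> block that omits mandatory borrowers fields) is easy to catch before touching the server. The following is an added example, not Koha's own code and not from the thread: it parses an <ldapserver> block with the standard library and reports missing connection settings, a semicolon-separated <base> (Moodle's "contexts" syntax, which the Koha manual quoted above does not describe; treating it as invalid for Koha is an assumption), and any mandatory field from the manual's item 10 that is neither mapped to an LDAP attribute nor given a default. The sample block is constructed from the poster's last configuration with the password replaced by a placeholder.

```python
import xml.etree.ElementTree as ET

# Mandatory borrowers-table fields the Koha manual (quoted in the question)
# says <mapping> must cover, apart from borrowernumber.
MANDATORY_FIELDS = ("surname", "address", "city", "branchcode", "categorycode")

# Constructed sample: the poster's last koha-conf.xml block, which omits
# city, branchcode and categorycode (the cause of the "data missing" error).
SAMPLE_LDAP_BLOCK = """<ldapserver id="ldapserver" listenref="ldapserver">
<hostname>10.1.1.5</hostname>
<base>CN=Users,DC=stud-ndtc,DC=local</base>
<user>CN=moodle,CN=Users,DC=stud-ndtc,DC=local</user>
<pass>PLACEHOLDER_PASSWORD</pass>
<auth_by_bind>1</auth_by_bind>
<mapping>
<firstname is="givenName"></firstname>
<surname is="sn"></surname>
<userid is="sAMAccountName"></userid>
<email is="mail"></email>
<address is="address">Default Address</address>
</mapping>
</ldapserver>"""


def check_ldap_block(xml_text):
    """Return a list of problems found in a Koha <ldapserver> block.

    A mandatory field is satisfied when its <mapping> element exists and
    either names an LDAP attribute (is="...") or carries a default value.
    """
    root = ET.fromstring(xml_text)
    problems = []
    for tag in ("hostname", "base", "user", "pass"):
        el = root.find(tag)
        if el is None or not (el.text or "").strip():
            problems.append(f"<{tag}> is missing or empty")
    base = root.findtext("base", default="")
    # Koha's <base> takes a single DN; a ';'-separated list is Moodle's
    # "contexts" syntax (assumption based on the manual quoted above).
    if ";" in base:
        problems.append("<base> holds several DNs; Koha expects one")
    mapping = root.find("mapping")
    present = {} if mapping is None else {m.tag: m for m in mapping}
    for field in MANDATORY_FIELDS:
        el = present.get(field)
        if el is None:
            problems.append(f"mandatory field <{field}> is not mapped")
        elif not el.get("is") and not (el.text or "").strip():
            problems.append(f"<{field}> has neither is=... nor a default")
    return problems
```

Run it against a copy of the <ldapserver> block from koha-conf.xml; an empty list means the block passes all checks.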
