Hi everybody,
I am completely new to this group - and to OpenLDAP as well. Trying to get rid of our Windows SBS domain controller, I am building a new Samba 4 server dedicated only to domain controlling, Debian 10.4, Samba 4.9.5. I'm doing this from scratch, following the textbooks. I've also set up LAM as a graphical interface for administration.
But once I try logging into the server's profile via that LAM interface as Administrator, I get this: "LDAP error, server says: (8) Strong(er) authentication required".
(1) "ldbsearch -H ldap://ldap.[my].[domain] "cn=Administrator" -k yes": is working with the same password I would use in LAM
(2) Server profile settings in LAM
- TLS is deactivated
- Login: Fixed list, cn=Administrator,cn=users,dc=[my],dc=[domain]
(3) ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=[my],dc=[domain]
URI ldap://ldap.[my].[domain] ldap://ldap-master.[my].[domain]:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
What am I doing wrong?
Help appreciated, thank you!
Lothar Schilling
--On Tuesday, July 28, 2020 10:38 AM +0200 Lothar Schilling ls@proasyl.de wrote:
> But once I try logging into the server's profile via that LAM interface as Administrator, I get this: "LDAP error, server says: (8) Strong(er) authentication required".
> (1) "ldbsearch -H ldap://ldap.[my].[domain] "cn=Administrator" -k yes": is working with the same password I would use in LAM
I've no idea what ldbsearch does behind the scenes, I do not see a "-k" option documented for it, so no clue what that does.
> What am I doing wrong?
Well, any limitation on authentication would be in the server config, not ldap.conf. My guess is there's a security requirement that ldb is meeting when it does the connection that LAM is not.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Thank you, but I was given the solution in another group:
"Did you configure LDAPS in LAM? The message comes from Samba and not from LAM. It has something to do with the Badlock bug; read this:
https://www.kania-online.de/ldb-tools-nach-badlock/
I wrote how you can disable the secure settings."
Regards
Lothar
openldap-technical@openldap.org
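Added example (not part of the thread and not Samba's own code): a small Python model of how a Samba AD DC accepts or rejects LDAP binds according to the smb.conf parameter `ldap server require strong auth`, which explains why a simple bind from LAM without TLS gets result code 8 while another client succeeds. It assumes the three documented values (`no`, `allow_sasl_over_tls`, `yes`; default `yes`), that LAM performs a simple bind, and that the working ldbsearch connection used a signed or sealed SASL bind; the sample configs and all function names are constructed for illustration.

```python
# Added example: model of Samba AD DC LDAP bind acceptance (not Samba's code).
DEFAULT = "yes"                          # documented default
VALUES = ("no", "allow_sasl_over_tls", "yes")
PARAM = "ldapserverrequirestrongauth"    # names are case- and space-insensitive

def strong_auth_setting(smb_conf: str) -> str:
    """Effective 'ldap server require strong auth' from [global] of smb.conf text."""
    section, value = None, DEFAULT
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, _, val = line.partition("=")
            if "".join(name.split()).lower() == PARAM:
                value = val.strip().lower()      # last occurrence wins
    if value not in VALUES:
        raise ValueError(f"unexpected value: {value!r}")
    return value

def bind_accepted(setting: str, mech: str, tls: bool, sign_or_seal: bool = False) -> bool:
    """mech: 'simple' or 'sasl'. tls: ldaps:// or StartTLS in use."""
    if setting == "no":
        return True                              # weakened: anything goes, incl. cleartext
    if not tls:
        return mech == "sasl" and sign_or_seal   # otherwise result code 8
    if mech == "simple":
        return True                              # password protected by TLS
    return setting == "allow_sasl_over_tls"      # SASL inside TLS

def audit(smb_conf: str) -> dict:
    s = strong_auth_setting(smb_conf)
    return {
        "setting": s,
        "lam_simple_bind_plain_ldap": bind_accepted(s, "simple", tls=False),
        "lam_simple_bind_over_tls": bind_accepted(s, "simple", tls=True),
        "signed_sasl_plain_ldap": bind_accepted(s, "sasl", tls=False, sign_or_seal=True),
        "cleartext_password_possible": s == "no",
    }

# Constructed sample configs (not taken from the thread).
HARDENED = "[global]\n\tserver role = active directory domain controller\n"
WEAKENED = HARDENED + "\tldap server require strong auth = no\n"

if __name__ == "__main__":
    for conf in (HARDENED, WEAKENED):
        print(audit(conf))
```

With the default setting, enabling TLS in the LAM server profile (ldaps:// or StartTLS) lets the simple bind through without setting the parameter to `no`.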