Hello,
I have a Windows 2008 server, serving users auth with AD. I have another Windows 2003 server, serving other users. I'm trying to access them through OpenLDAP and a PHP application.
I can easily access my 2003 server with this command:
ldapsearch -x -D "cn=cm,cn=TIS,dc=TIS,dc=local" -W -H ldap://192.168.10.206
but when I try to access the 2008 server with the same command I get:
ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
In this case my user is "cm" and he is in the "TIS" folder, and I can log in from a Windows client with user TIS\cm successfully. I've tried also with -Z and -ZZ; in that case I get a "service unavailable" error.
Do you have any idea why this would happen?
Claudio
Hi,
On 23/09/2010 12:35, Claudio Martella wrote:
> Hello,
> I have a Windows 2008 server, serving users auth with AD. I have another Windows 2003 server, serving other users. I'm trying to access them through OpenLDAP and a PHP application.
> I can easily access my 2003 server with this command:
> ldapsearch -x -D "cn=cm,cn=TIS,dc=TIS,dc=local" -W -H ldap://192.168.10.206
> but when I try to access the 2008 server with the same command I get:
> ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
> In this case my user is "cm" and he is in the "TIS" folder, and I can log in from a Windows client with user TIS\cm successfully. I've tried also with -Z and -ZZ; in that case I get a "service unavailable" error.
> Do you have any idea why this would happen?
This is a little off topic, but the "data nnn" codes for Active Directory are (somewhat) documented here: http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
In this case, it appears you're encountering a "user not found" error. Check that all the elements in the DN are correct (is it called "cn=cm"? is the "folder" TIS named "cn=TIS"? is the context DN "dc=TIS,dc=local"?).
Also, another hint: I have found that AD accepts the format of userPrincipalName as a bind DN, so you may get success with something like: ldapsearch -x -D "cm@TIS.local" -W -H ldap://192.168.10.206
Hope this helps, Jonathan
openldap-technical@openldap.org
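An added example, not code from the thread or from OpenLDAP: it parses the AD diagnostic string quoted above, maps the "data" sub-code to its meaning (525 is the one from the thread; the other entries are the well-known AD sub-codes for the same AcceptSecurityContext error), and derives the userPrincipalName bind form that Jonathan suggests from the original bind DN. The function names and the simplified DN splitting are assumptions of this example.

```python
import re

# Sub-codes Active Directory appends as "data NNN" to LDAP result 49
# (invalidCredentials). 525 is the value from the thread; the rest are the
# well-known AD sub-codes, listed so a failed bind can be triaged without
# guessing whether the DN or the password is wrong.
AD_BIND_DATA_CODES = {
    "525": "user not found (check every RDN in the bind DN)",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the AD diagnostic text, e.g.
# "80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772"
_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

def parse_ad_bind_error(message: str) -> dict:
    """Parse an AD bind failure message (assumed helper name).

    Returns the raw fields plus a human-readable 'meaning' for the data code;
    raises ValueError if the text is not in the AD diagnostic format.
    """
    m = _DIAG_RE.search(message)
    if not m:
        raise ValueError("not an AD LdapErr diagnostic: %r" % message)
    fields = m.groupdict()
    fields["meaning"] = AD_BIND_DATA_CODES.get(fields["data"].lower(), "unknown sub-code")
    return fields

def dn_to_upn(bind_dn: str) -> str:
    """Build the userPrincipalName form ("cm@TIS.local") from a bind DN (assumed helper).

    The leaf RDN becomes the user part and the dc= components become the
    domain. Splitting on "," is deliberately simple: DNs with escaped commas
    are not handled here.
    """
    rdns = [r.strip() for r in bind_dn.split(",")]
    attr, _, user = rdns[0].partition("=")
    domain = ".".join(r.split("=", 1)[1] for r in rdns if r.lower().startswith("dc="))
    if attr.lower() not in ("cn", "uid") or not user or not domain:
        raise ValueError("cannot derive a UPN from %r" % bind_dn)
    return "%s@%s" % (user, domain)
```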