Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: stetho on July 03, 2019, 08:53:54 am
-
Hi all,
I've spent way too much time trying to understand what I'm doing wrong. I have searched these forums and Google in general, tried all the suggestions and still can't figure out which bit is incorrect. I'm using an up-to-date "Zentyal Development Server 6.0"
Just to clarify it's not anything "obvious", I can:
○ → ssh steve@zentyal.23wwc.io
steve@zentyal.23wwc.io's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-54-generic x86_64)
And I can even
○ → kinit steve@23WWC.IO
steve@23WWC.IO's password:
○ → klist
Credentials cache: API:2A75BED1-1C30-4585-991E-6681BEC9CB99
Principal: steve@23WWC.IO
Issued Expires Principal
Jul 3 07:30:46 2019 Jul 3 17:30:43 2019 krbtgt/23WWC.IO@23WWC.IO
But no matter what I try, doing anything with LDAP fails
○ → ldapsearch -h zentyal.23wwc.io -b dc=23wwc,dc=io -D CN=steve,CN=Users,DC=23wwc,DC=io -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
And the Zentyal Samba logs show
Auth: [LDAP,simple bind/TLS] user [(null)]\[CN=steve,CN=Users,DC=23wwc,DC=io] at [Wed, 03 Jul 2019 07:35:10.123764 BST] with [Plaintext] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.168.3.50:63405] mapped to [(null)]\[(null)]. local host [ipv4:192.168.2.1:389]
My main path of testing has been that the DN CN=steve,CN=Users,DC=23wwc,DC=io is wrong so I've tried 23WWC/Steve and uid= and samAccountName= and other variations but I get the same result. I did notice in my searching that in screenshots for 5.0 the LDAP page used to display the bind user and bind password. In 6.0 it only shows the base DN. This also made me wonder if there's another step I have to do to "activate" LDAP
Can anyone point out what I'm missing or doing wrong?
Thanks
Steve
-
Hi stetho! :)
Samba4 uses its own LDAP "almost compliant" implementation that is called "LDB". So you should use the ldbsearch command instead of ldapsearch. Read this: https://wiki.samba.org/index.php/LDB
Could this be the problem?
Best regards,
-
I read your response and I thought "That's a bit silly - it means Zentyal has LDAP in the interface but you can't query the LDAP using standard LDAP tools". But I did a bit of Googling and figured out how ldbsearch works and I found this
CN=Administrator Administrator,CN=Users,DC=23wwc,DC=io
The admin account's DN is 'Administrator Administrator'. And now, using that account, I can do queries. I would never have guessed that so thank you for pointing me in the right direction.
Steve
-
Just to save myself from future hairpulling and to help others...
In Zentyal 6:
The DN for an account is CN=[concatenation of first and last name],CN=Users,DC=domainname,DC=tld
(zentyal ldap)
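
Added example (not part of the original posts, and not Zentyal or Samba code): a small Python helper that reads the two failure messages quoted in the first post side by side, the client's LDAP error 49 sub-code and the Samba "Auth:" log line. The client only sees 52e, while the server log records NT_STATUS_NO_SUCH_USER for the DN that was sent. The sub-code table lists commonly documented Active Directory values; function and field names are this example's own.

```python
import re

# Sub-codes Active Directory puts after "data" in an LDAP error 49 message.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

# Bracketed fields of a Samba "Auth:" line; group names are this example's own.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<method>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] "
    r"at \[(?P<when>[^\]]+)\] with \[(?P<pw_type>[^\]]+)\] "
    r"status \[(?P<status>[^\]]+)\].*?remote host \[(?P<remote>[^\]]+)\]"
)

def client_subcode(ldap_error):
    """Return (hex sub-code, meaning) from the client's 'additional info' text."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)\b", ldap_error)
    code = m.group(1).lower() if m else None
    return code, AD_SUBCODES.get(code, "unknown")

def parse_auth(line):
    """Return the fields of one Samba auth log line as a dict, or None."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None

def diagnose(ldap_error, auth_line):
    """Combine both views; the server-side status is the more specific one."""
    code, meaning = client_subcode(ldap_error)
    ev = parse_auth(auth_line) or {}
    dn_like = "=" in ev.get("account", "") and "," in ev.get("account", "")
    if ev.get("status") == "NT_STATUS_NO_SUCH_USER" and dn_like:
        hint = "bind DN matched no account: look up the entry's real DN"
    elif ev.get("status") == "NT_STATUS_WRONG_PASSWORD":
        hint = "account found, password rejected"
    else:
        hint = "no specific hint"
    return {"client": f"{code} ({meaning})", "server": ev.get("status"),
            "account": ev.get("account"), "remote": ev.get("remote"), "hint": hint}

# Samples copied from the first post (server line cut after the remote host field).
CLIENT_ERR = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
SERVER_LINE = (r"Auth: [LDAP,simple bind/TLS] user [(null)]\[CN=steve,CN=Users,DC=23wwc,DC=io] "
    "at [Wed, 03 Jul 2019 07:35:10.123764 BST] with [Plaintext] status [NT_STATUS_NO_SUCH_USER] "
    "workstation [(null)] remote host [ipv4:192.168.3.50:63405]")
```

Calling diagnose(CLIENT_ERR, SERVER_LINE) returns the client sub-code, the server status, the DN that was tried and the remote address in one record.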