Correct OU containers?


masum...@gmail.com

Jan 29, 2014, 5:21:40 PM
to pwm-g...@googlegroups.com
Hello,

I have installed the latest pwm. Everything is working correctly; however, I am stuck authenticating users. Currently, the LDAP contextless login is:

CN=pwm pwm,CN=Users,DC=XXX,DC=XXX.

This works, but only for users who are in domain.com > Users (CN=Users,DC=xxx,DC=xxx). The problem is that we don't have any users there; instead, this is how our Active Directory is organized:

domain.com
builtin
.....etc
+Offices
-Atlanta
-New York
-Harrisburg
...etc
Users

What would be the best way to authenticate all users in the Active Directory regardless of which OU they belong to?

---------
Also, I randomly get the following error:

Unexpected error while testing ldap test user: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0 ]

---------

Any help is appreciated, thank you.

Jared Jennings

Jan 29, 2014, 10:58:28 PM
to pwm-g...@googlegroups.com, masum...@gmail.com
I would expect your contextless login to be DC=domain,DC=com.
Now, you could do ou=Offices,DC=domain,DC=com, but that would exclude anyone in CN=users,DC=domain,DC=com.

I would have to see the PWM log to get an idea of what the "Will not perform" error is. Someone else might know.

masum...@gmail.com

Jan 29, 2014, 11:56:05 PM
to pwm-g...@googlegroups.com, masum...@gmail.com
Hi,

Thank you for your suggestion. I will try it and post back how it goes.

masum...@gmail.com

Jan 31, 2014, 2:57:48 PM
to pwm-g...@googlegroups.com, masum...@gmail.com
On Wednesday, January 29, 2014 10:58:28 PM UTC-5, Jared Jennings wrote:
So after playing around with different contextless login roots, I am unable to log in at all. Oddly, only the LDAP Contextless Login Root user is able to log in, and all other users are not; for them I get the following error:

The username or password is not valid. Please try again. { 5001 ERROR_WRONGPASSWORD (an ldap user for username value 'mmiah_admin' was not found) }

and my Contextless root is :

CN=pwmFX pwmFX,OU=fxHQ,OU=Offices,DC=xxx,DC=com

Using the above root, only the user pwmFX is able to log in, and all other accounts in that OU are not able to.

Any suggestions? Thanks.

Menno Pieters

Jan 31, 2014, 3:22:13 PM
to pwm-g...@googlegroups.com
First read a book about trees and understand the difference between a root and a leaf ;-)

Then set the contextless login ROOT to OU=Offices,DC=xxx,DC=com or perhaps OU=fxHQ,OU=Offices,DC=xxx,DC=com.

"CN=pwmFX pwmFX,OU=fxHQ,OU=Offices,DC=xxx,DC=com" is a leaf.

Have fun,

Menno


masu...@cvpcorp.com

Jan 31, 2014, 5:21:17 PM
to pwm-g...@googlegroups.com
Hi,

Thanks for the feedback. Got it working right after I posted my last message. Your post basically sums up what needs to be done.

-Masum
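The root-versus-leaf point in Menno's reply, and the symptom Masum saw (only the account named in the "root" could log in, everyone else got "an ldap user for username value ... was not found"), come down to one thing: the contextless login root is the base DN of a subtree search, and a subtree search under a leaf DN can only ever match that leaf. The script below is an added illustration written for this page, not PWM's own code. It models the search over a constructed in-memory directory laid out like the one in the thread (DC=example,DC=com and the sAMAccountName values are made up), and it also shows RFC 4515 escaping of the username before it is interpolated into the filter, since an unescaped value such as `*)(objectClass=*` would rewrite the filter. The `objectClass=user` / `sAMAccountName` filter is the usual Active Directory shape and is an assumption here, not PWM's configured filter.

```python
"""Model of an LDAP 'contextless login root': the base DN of a subtree search
for the user's account.  A leaf DN as the root matches only that one entry.
Added example for this thread, not PWM code."""

SCOPE_BASE, SCOPE_ONE, SCOPE_SUBTREE = "base", "one", "subtree"


def split_rdns(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped
    (RFC 4514 basics; multi-valued RDNs are not handled)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def normalize_dn(dn):
    """Return [(attr, value), ...] leaf first, lower-cased because AD matches
    DNs case-insensitively (an approximation of full DN normalization)."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(entry_dn, base_dn, scope=SCOPE_SUBTREE):
    """True if entry_dn lies within base_dn for the given LDAP search scope."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False          # base is not a suffix of the entry: different branch
    depth = len(entry) - len(base)
    if scope == SCOPE_BASE:
        return depth == 0
    if scope == SCOPE_ONE:
        return depth == 1
    return True               # subtree: the base itself and everything below it


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so user
    input like '*)(objectClass=*' cannot change the filter's structure."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_user_filter(username):
    """Typical AD account filter (attribute names are an assumption here)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


# Constructed sample directory mirroring the layout described in the thread.
DIRECTORY = [
    ("CN=pwm pwm,CN=Users,DC=example,DC=com", "pwm"),
    ("CN=pwmFX pwmFX,OU=fxHQ,OU=Offices,DC=example,DC=com", "pwmFX"),
    ("CN=mmiah_admin,OU=fxHQ,OU=Offices,DC=example,DC=com", "mmiah_admin"),
    ("CN=Jane Doe,OU=Atlanta,OU=Offices,DC=example,DC=com", "jdoe"),
]


def resolve_contextless_login(username, root_dn, directory=DIRECTORY):
    """Subtree search under root_dn for the account whose sAMAccountName
    matches the login name; returns the entry DN or None (user not found)."""
    for dn, sam in directory:
        if sam.lower() == username.lower() and is_under(dn, root_dn):
            return dn
    return None


if __name__ == "__main__":
    leaf = "CN=pwmFX pwmFX,OU=fxHQ,OU=Offices,DC=example,DC=com"
    for root in (leaf, "OU=Offices,DC=example,DC=com", "DC=example,DC=com"):
        found = [u for _, u in DIRECTORY if resolve_contextless_login(u, root)]
        print("%-55s -> %s" % (root, found))
    print(build_user_filter("mmiah_admin"))
    print(build_user_filter("*)(objectClass=*"))
```

Running it shows the three outcomes from the thread side by side: with the leaf DN as root only `pwmFX` resolves, with `OU=Offices,...` everyone under the office OUs resolves but the account in `CN=Users` does not, and with the domain root `DC=example,DC=com` every account resolves. Picking the widest root that still excludes branches you do not want logging in (for example, a service-account OU) is the practical choice; the filter escaping is what keeps the login form from becoming an LDAP injection point regardless of which root you pick.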

Pathfndr

Sep 6, 2014, 9:59:50 PM
to pwm-g...@googlegroups.com, masu...@cvpcorp.com

Regarding the error "Unexpected error while testing ldap test user: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0 ]": this was due to an insufficient password policy. I had set it to LDAP, hoping it would read the policy from the AD server. That didn't seem to work. Instead I set it to Local and then set the policy to reflect the GPO on the AD server, and the error went away.

Cheers!