Problem setting PWM to work with Microsoft Active Directory


pafcioooo

May 3, 2011, 4:21:57 PM5/3/11
to pwm-general
Hi,

I am setting up PWM to work with MS AD, which is running on the W2K8 R2
operating system. This is a single domain and a single server. The fully
qualified domain name is in the format subdomain.domain.net (when I log on to
a Windows machine which is part of this AD, in the domain field I put the
subdomain part of the FQDN).

First, I have set up PWM 1.5.3 as described in the Administration
Guide, using TurnkeyLinux, which is based on Ubuntu Lucid LTS, as well as
OpenJDK and Tomcat6, both available directly from the Ubuntu
repositories.

Next I created two users:
pwm...@subdomain.domain.net - this one has domain admin rights
pwm...@subdomain.domain.net - this one is a standard user.
They were both created in the standard Users object (I am no LDAP or AD
expert, so I do not know if I can call this object an OU).
I set up not too complicated passwords for both users, the same
for the two.
Also in the Users object I created the group PwmAdmins and added one of the
existing users from a different OU to this group.

Then I opened the PWM ConfigManager to configure the LDAP Directory page. I
filled out the fields in the following way:
LDAP URLs
ldaps://srv01:636
ldap://srv01:389

LDAP Promiscuous SSL
True

LDAP Proxy User
pwm...@subdomain.domain.net

LDAP Proxy Password
<password for the above user>

LDAP Contextless Login Root
dc=subdoamin,dc=domain,dc=net
<this is done on purpose, because the users in AD are not only in the
Users object but also in dedicated OUs, e.g. Admins, AppAdmins>

LDAP Test User
pwm...@kryspin-dent.vimps.net

PWM Admin Query String
(groupMembership=cn=PwmAdmins,ou=Groups,dc=subdomain,dc=domain,dc=net)
<this is left as default apart from the dc parts>

After I save the configuration I get the Warning status for LDAP
Connectivity at PWM Health with the following message:
"unexpected ldap error while writing test user temporary random
password: pwm...@kryspin-dent.vimps.net: [LDAP: error code 34 -
0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8350,
best match of: 'pwm...@subdoamin.domain.net' ]"

I tried to log in as the existing user added to the PwmAdmins group, but with
no success.
I also finalized the configuration and tried to log in again, also without
success.

To summarize, I think that if there was a warning/error at LDAP
Connectivity with the test user, it means that PWM somehow cannot manage the
password for the test user, and thus it cannot manage other users either.

So please try to help me get PWM working in my environment.

Regards

Pafcioooo

Jason Rivard

May 3, 2011, 9:15:30 PM5/3/11
to pwm-general
Your config sounds more or less correct, except for the proxy username & test account username.  It turns out PWM doesn't work well with usernames (for configuration) in user@domain format, so please use LDAP DNs in this format:  "cn=username,cn=users,dc=subdomain,dc=domain,dc=net"  I'm trying to remove references that suggest using user@domain syntax from the help and configuration guide.

I think that might be what's causing the error you see.  You are correct that if you see that error in the health configuration for a test user, it's probably true that it won't work for a regular user.

You might also consider trying the latest build here:


There are some AD specific fixes and configuration defaults for AD that might make life a little easier...
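As an added example (not part of the thread and not PWM's own code), here is a small Python lint for the values entered on that LDAP Directory page. It parses DNs per RFC 4514, so it can tell a real DN from the user@domain form that produced the "error code 34 ... BAD_NAME" in the health check, and it builds the cn=...,cn=Users,dc=... form Jason suggests from a UPN. It also flags two things a practitioner would check in the posted config: the admin query uses groupMembership (a Novell eDirectory attribute; AD exposes group membership as memberOf) and points at ou=Groups although the post says PwmAdmins was created in the Users container, and LDAP Promiscuous SSL = True makes PWM accept any server certificate, which exposes the proxy account's password to anyone who can intercept the LDAPS connection. The account names pwmproxy/pwmtest, the assumption that an account's CN equals its UPN prefix, and the check rules themselves are the editor's own assumptions about a default single-domain AD.

```python
"""Lint PWM's LDAP Directory settings for AD (added example, not PWM code).

PWM uses the proxy and test user values as LDAP DNs, so user@domain yields
AD's "error code 34 ... BAD_NAME" seen in the thread. memberOf, cn=Users and
the rules below are the editor's assumptions for a default single-domain AD.
"""
import re

_SPECIAL = ',+"\\<>;'      # RFC 4514 characters that need a backslash
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")
_UPN_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def escape_rdn_value(value):
    """Backslash-escape RFC 4514 specials (AD CNs like 'Smith, John' need it)."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)


def parse_dn(dn):
    """Parse a DN into [(attr, value), ...]; ValueError if it is not a DN.
    Backslash escapes are honoured, \\XX hex escapes are rejected."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                      # escaped character
            nxt = dn[i + 1:i + 2]
            if not nxt or nxt not in _SPECIAL + " #=":
                raise ValueError("bad escape at offset %d" % i)
            buf.append(nxt)
            i += 1                          # skip the escaped char as well
        elif ch == "=" and attr is None:    # end of the attribute type
            attr = "".join(buf).strip()
            if not _ATTR_RE.fullmatch(attr):
                raise ValueError("bad attribute type %r" % attr)
            buf = []
        elif ch == ",":                     # end of this RDN
            if attr is None:
                raise ValueError("RDN without '=' (not a DN)")
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' (not a DN)")
    rdns.append((attr, "".join(buf)))
    return rdns


def classify_identity(value):
    """'dn', 'upn' (user@domain) or 'invalid'."""
    try:
        parse_dn(value)
        return "dn"
    except ValueError:
        return "upn" if _UPN_RE.fullmatch(value) else "invalid"


def upn_to_users_dn(upn, container="cn=Users"):
    """Guess the DN for a UPN, assuming its CN equals the UPN prefix and the
    account lives in the default Users container; confirm the real DN with
    `Get-ADUser <sam> | Select DistinguishedName` before using it."""
    user, _, domain = upn.partition("@")
    if not user or "." not in domain:
        raise ValueError("not a UPN: %r" % upn)
    dcs = ",".join("dc=" + escape_rdn_value(p) for p in domain.split("."))
    return "cn=%s,%s,%s" % (escape_rdn_value(user), container, dcs)


def check_config(cfg):
    """Return [(setting, problem), ...] for the PWM LDAP Directory values."""
    findings = []
    for key in ("LDAP Proxy User", "LDAP Test User"):
        val, kind = cfg.get(key, ""), classify_identity(cfg.get(key, ""))
        if kind == "upn":
            findings.append((key, "%r is a UPN; PWM wants a DN such as %s"
                             % (val, upn_to_users_dn(val))))
        elif kind == "invalid":
            findings.append((key, "%r is neither a DN nor a UPN" % val))
    if "groupmembership=" in cfg.get("PWM Admin Query String", "").lower():
        findings.append(("PWM Admin Query String",
                         "groupMembership is an eDirectory attribute; AD uses memberOf"))
    if str(cfg.get("LDAP Promiscuous SSL", "")).lower() == "true":
        findings.append(("LDAP Promiscuous SSL", "True accepts any server cert, "
                         "exposing the proxy password to a MITM; trust the DC's CA instead"))
    return findings


# Constructed configs: AS_POSTED mirrors the thread with placeholder names;
# FIXED applies the DN advice, points the filter at the group's real container
# (the post says PwmAdmins was created under Users) and turns promiscuous SSL off.
AS_POSTED = {
    "LDAP Promiscuous SSL": "True",
    "LDAP Proxy User": "pwmproxy@subdomain.domain.net",
    "LDAP Test User": "pwmtest@subdomain.domain.net",
    "PWM Admin Query String":
        "(groupMembership=cn=PwmAdmins,ou=Groups,dc=subdomain,dc=domain,dc=net)",
}
FIXED = {**AS_POSTED,
    "LDAP Promiscuous SSL": "False",
    "LDAP Proxy User": "cn=pwmproxy,cn=Users,dc=subdomain,dc=domain,dc=net",
    "LDAP Test User": "cn=pwmtest,cn=Users,dc=subdomain,dc=domain,dc=net",
    "PWM Admin Query String":
        "(memberOf=cn=PwmAdmins,cn=Users,dc=subdomain,dc=domain,dc=net)",
}
```

Running `check_config(AS_POSTED)` reports both identities as UPNs with the suggested DN, the eDirectory attribute in the admin filter, and the promiscuous SSL setting; `check_config(FIXED)` returns an empty list. The DN guess is only a starting point: in AD the CN is usually the display name rather than the logon name, so read the actual distinguishedName from the directory before pasting it into ConfigManager.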





