LDAP error


Charlatat

Aug 25, 2011, 9:55:49 AM8/25/11
to pwm-general
Setting up pwm for the first time in a 2008 Active Directory. The
server which hosts pwm has java and tomcat installed, both are working
fine. Deployed the war file and I can get to the configuration editor
page successfully. Filled out the details for LDAP/Active Directory,
but when I save them I get:

unexpected ldap error while writing test user temporary random
password:
[LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003
(WILL_NOT_PERFORM), data 0 ]


What am I missing? Thanks for any suggestions.

Menno Pieters

Aug 25, 2011, 10:11:41 AM8/25/11
to pwm-g...@googlegroups.com

Permissions? Does the proxy user you configured have enough permissions to change the password for the test account?

Just to check, does this occur if you set the proxy user to the administrator?


Menno Pieters

Aug 25, 2011, 10:21:15 AM8/25/11
to pwm-g...@googlegroups.com

Oh, you may want to try connecting over SSL (port 636) or use TLS instead of plain port 389.


Charlatat

Aug 25, 2011, 10:44:39 AM8/25/11
to pwm-general
Switching to administrator didn't change anything.

Could you explain the TLS option? In this test environment, I don't
have LDAPS (686) configured; it's just straight LDAP (389).



Menno Pieters

Aug 25, 2011, 11:14:06 AM8/25/11
to pwm-g...@googlegroups.com

According to this thread: https://forums.oracle.com/forums/thread.jspa?threadID=2175638
...the error you get could mean that encryption is required to perform password operations. I'm not an AD expert, but perhaps you can turn that requirement off.

About TLS: it is similar to SSL, except that TLS is started after setting up a plain connection, but before any operation takes place that requires confidentiality.

LDAP+SSL:
  • Create TCP connection to LDAP/SSL port (usually 636)
  • Negotiate SSL encryption
  • Perform LDAP operations
LDAP+TLS:
  • Create TCP connection to standard LDAP port (usually 389);
  • Check server capability for TLS
  • Start TLS negotiation
  • Perform LDAP operations
Both cases require the setup of certificates.

Regards,

Menno Pieters





Jason Rivard

Aug 25, 2011, 11:36:46 AM8/25/11
to pwm-g...@googlegroups.com
I think you need to go LDAPS.  I'm not sure the java libraries used with PWM will work correctly with TLS as deployed (not sure, I've never tested).

AD requires an encrypted connection (LDAPS) to set a password.  As far as I know, this cannot be turned off, but I'm no AD expert either.
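As an added example (not code from the thread or from PWM), the Python below sketches the two transports Menno lists above and the password-write rule Jason describes: a hand-built StartTLS request for the port-389 path, a TLS-first connection for the port-636 path, a context that either trusts the exported AD CA or runs in the thread's test-only promiscuous mode, and the AD unicodePwd encoding that the directory only accepts over an encrypted session. Host names, the CA file path and the one-line StartTLS reply check are assumptions.

```python
# Added example, not code from the thread or from PWM: the two encrypted
# transports Menno lists, and the AD rule behind Jason's "LDAPS to set a
# password" point. Host, CA file path and the StartTLS reply check are simplified.
import socket
import ssl

LDAP_PORT, LDAPS_PORT = 389, 636
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def starttls_request(msg_id: int = 1) -> bytes:
    """BER-encode LDAPMessage{messageID, ExtendedRequest{StartTLS}}, the 'Start
    TLS negotiation' step. Every length here is below 128, so BER short-form
    length octets suffice; msg_id is assumed to be below 128 as well."""
    ext = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    op = b"\x77" + bytes([len(ext)]) + ext                      # [APPLICATION 23]
    mid = b"\x02\x01" + bytes([msg_id])                         # INTEGER messageID
    return b"\x30" + bytes([len(mid) + len(op)]) + mid + op     # SEQUENCE

def tls_context(ad_ca_pem: str, promiscuous: bool = False) -> ssl.SSLContext:
    """Trust the AD server's exported CA (the keystore-import step, in Python).
    promiscuous=True is the thread's test-only mode: no certificate checks."""
    if not promiscuous:
        return ssl.create_default_context(cafile=ad_ca_pem)
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx

def connect_ldaps(host: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """LDAP+SSL: TCP to 636, TLS handshake first, then LDAP operations."""
    raw = socket.create_connection((host, LDAPS_PORT), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=host)

def connect_starttls(host: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """LDAP+TLS: TCP to 389, StartTLS, then TLS before any confidential op.
    Minimal reply check: resultCode ENUMERATED 0 (0a 01 00) means success."""
    raw = socket.create_connection((host, LDAP_PORT), timeout=5)
    raw.sendall(starttls_request())
    if b"\x0a\x01\x00" not in raw.recv(4096):
        raise ssl.SSLError("server refused StartTLS")
    return ctx.wrap_socket(raw, server_hostname=host)

def ad_unicode_pwd(new_password: str) -> bytes:
    """AD sets passwords via unicodePwd: the password in double quotes, UTF-16LE."""
    return f'"{new_password}"'.encode("utf-16-le")

def password_write_allowed(sock: socket.socket) -> bool:
    """AD refuses unicodePwd over cleartext with error 53 / WILL_NOT_PERFORM
    (the thread's error); enforcing the same rule client-side avoids it."""
    return isinstance(sock, ssl.SSLSocket)
```

With the CA trusted via tls_context(), connect_ldaps() or connect_starttls() yields an ssl.SSLSocket, and only then does password_write_allowed() let an ad_unicode_pwd() value be sent.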

Charlatat

Aug 25, 2011, 4:36:03 PM8/25/11
to pwm-general
Installed certificate services, did everything listed at
http://www.reborndigital.com/?p=200 but still having issues. I used
the utility "ldp" but it won't connect unless I specify credentials.
Where/How do I set NtAuthIdentity for Active Directory? I think that's
all that's missing.



Jason Rivard

Aug 25, 2011, 4:37:49 PM8/25/11
to pwm-g...@googlegroups.com
Sorry, I don't know what NtAuthIdentity is. Did you change the LDAP URL in PWM to ldaps://hostname:636 ? Also set Promiscuous SSL mode to true, but just while you're testing.

Charlatat

Aug 25, 2011, 5:00:13 PM8/25/11
to pwm-general
That's the property which contains the username/password/domain info
for the ldap_bind_s function. It currently returns "NULL" for all 3
values when I use the "ldp" utility. I assume that's the problem...


Jason Rivard

Aug 25, 2011, 5:03:49 PM8/25/11
to pwm-g...@googlegroups.com
Not sure what ldp is either :) Maybe try using something like Apache Directory Studio to connect to your LDAP server; that way you don't have to worry about PWM behavior and you can just focus on getting LDAPS working on your server.

Charlatat

Aug 25, 2011, 5:08:08 PM8/25/11
to pwm-general
Looks like it was the Promiscuous SSL setting.

After setting it to True, I don't get the red Warning in the Health
table


Jason Rivard

Aug 25, 2011, 5:09:50 PM8/25/11
to pwm-g...@googlegroups.com
Great! To be able to run with promiscuous mode off, you will need to import the AD server's certificate into the Java keystore. Google has a gazillion hits on how to do that.