Invalid value LDAP Contextless Login Roots


Rafael Cabello

Jul 25, 2022, 8:09:40 AM
to pwm-general
Hello, I want to use PWM with AD, but I can't make them connect properly. Here is an example of the AD structure:

  • my.domain
    • OU1
      • OU1.1
        • Test_user
        • Bind_user (the user that changes passwords)
      • OU1.2
      • OU...
    • OU2
      • OU2.1
        • Users
      • OU2.2
        • Users
      • OU...
        • Users
    • OU3
    • OU...
The users are in OU2.1, OU2.2, etc. When I set LDAP Contextless Login Roots to OU=OU2,DC=my,DC=domain and I test the LDAP connection, it says that it's an invalid value.

When I do the same with DC=my,DC=domain as the value, the test is OK but I can't log in, and the logs tell me that PWM is unable to connect to LDAP.

If I set the value to OU=OU2.1,OU=2,DC=my,DC=domain it works, and the same happens with OU2.2 and the rest.

Lastly, if I do it with OU=1,DC=my,DC=domain everything is OK; same situation with OU3 and the rest.

I don't know why it does not work with OU2 when it's OK with OU1 and the other ones, and I need it to work with OU2 because that is where the users are.



Jason Rivard

Jul 25, 2022, 5:38:22 PM
to pwm-general
You didn't post the errors or logs, but most likely these are connect errors caused by AD issuing referrals (telling the LDAP client (PWM) to connect to a different server by DNS address). This happens even when there is a single AD server: it tells the client to connect to a different server using the DNS addresses configured in AD, which happens to be itself. It mostly does this when a search is performed from a high level in the container structure. This has been discussed on this list many many many times.

Your best bet is to configure each low-level context where your users are. PWM will search each one individually. Your other option is to use a high-level context and fix the errors, which mostly means making sure the AD-configured DNS domains resolve to your actual AD servers from the PWM server.
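As an added illustration of the referral behaviour described in the reply above (this is example code, not code from the thread or from PWM): when a subtree search is rooted at the domain naming context, AD answers with continuation references, which are LDAP URLs naming other hosts, and a client that chases them has to resolve those names. The script below parses such referral URLs and reports which targets the client host can resolve. The referral list, the DNS table and the host names in it are constructed to mirror the my.domain example in the thread; the ForestDnsZones and DomainDnsZones names are the standard application partitions AD references.

```python
"""Referral triage for an AD-backed LDAP client such as PWM.

Added example, not code from the pwm-general thread or from PWM.  It parses
the continuation references (LDAP URLs) that AD returns for a subtree search
rooted high in the tree and checks whether each referral host resolves from
the client's point of view.  Sample data is constructed.
"""
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote, urlsplit


def parse_ldap_url(url: str) -> Dict[str, Optional[object]]:
    """Split an RFC 4516 LDAP URL (ldap://host:port/dn?attrs?scope?filter)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    dn = unquote(parts.path.lstrip("/")) or None
    return {"scheme": parts.scheme, "host": parts.hostname, "port": parts.port, "dn": dn}


# Constructed sample: the three references AD typically hands back for a
# subtree search of the domain naming context in a single-domain forest.
SAMPLE_REFERRALS: List[str] = [
    "ldap://ForestDnsZones.my.domain/DC=ForestDnsZones,DC=my,DC=domain",
    "ldap://DomainDnsZones.my.domain/DC=DomainDnsZones,DC=my,DC=domain",
    "ldap://my.domain/CN=Configuration,DC=my,DC=domain",
]

# Constructed DNS view of the client host: the domain name resolves, but the
# ForestDnsZones/DomainDnsZones names do not (the usual "unknown host" case).
CONSTRUCTED_DNS: Dict[str, str] = {
    "my.domain": "10.0.0.5",
    "dc1.my.domain": "10.0.0.5",
}


def table_resolver(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed table (case-insensitive)."""
    return CONSTRUCTED_DNS.get(name.lower())


def live_resolver(name: str) -> Optional[str]:
    """Real resolver using the local system DNS; None if the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def triage_referrals(
    referrals: List[str],
    resolve: Callable[[str], Optional[str]] = table_resolver,
) -> Dict[str, Dict[str, object]]:
    """For each referral URL, record target host, base DN and resolvability."""
    report: Dict[str, Dict[str, object]] = {}
    for url in referrals:
        info = parse_ldap_url(url)
        host = info["host"]
        addr = resolve(str(host)) if host else None
        report[url] = {
            "host": host,
            "dn": info["dn"],
            "address": addr,
            "resolves": addr is not None,
        }
    return report


def unresolved_hosts(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Referral hosts the client cannot resolve, sorted for stable output."""
    return sorted({str(r["host"]) for r in report.values() if not r["resolves"]})


if __name__ == "__main__":
    # Swap table_resolver for live_resolver to check a real client host.
    rep = triage_referrals(SAMPLE_REFERRALS)
    for url, r in rep.items():
        status = r["address"] or "UNRESOLVED"
        print(f"{str(r['host']):32} -> {str(status):12} ({r['dn']})")
    missing = unresolved_hosts(rep)
    if missing:
        print("Unresolvable referral targets:", ", ".join(missing))
        print("Options: make these names resolve to the DC from the client host, "
              "disable referral chasing in the client, or search narrower contexts.")
```

Run with `live_resolver` on the PWM host itself to see which of the referral names that host actually resolves; every name listed as unresolved is a candidate cause of the connect failure when referrals are chased from a high-level context.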

Rafael Cabello

Jul 26, 2022, 5:19:24 AM
to pwm-general
This is what happens with OU2, and I don't see anything in the logs about it.

(attachment: Captura.PNG)

These are the logs when using DC=my,DC=domain.

(attachment: Captura2.PNG)

jason.e...@gmail.com

Jul 26, 2022, 9:53:32 AM
to pwm-general
How do you have the AD connection set up in PWM? The LDAP URLs specifically: do you have each of your domain controllers listed?

Rafael Cabello

Jul 26, 2022, 11:55:30 AM
to pwm-g...@googlegroups.com
I only have 1 DC.


Jason Rivard

Jul 26, 2022, 12:20:21 PM
to pwm-general
This happens even with just 1 DC. AD sends a referral back to itself; that's why you're getting the unknown host error.

jason.e...@gmail.com

Jul 26, 2022, 12:56:46 PM
to pwm-general
Have you tried putting OU=OU1,DC=my,DC=domain and OU=OU2,DC=my,DC=domain in at the same time? You can also turn off "follow referrals" in PWM under LDAP Settings -> Global. We have the contextless root set to dc=domain,dc=com and it works fine even with referrals enabled.

Rafael Cabello

Jul 26, 2022, 1:32:53 PM
to pwm-g...@googlegroups.com
Yes, I've tried with both at the same time and I still get the same message. I will try turning off that option.

By the way, thanks both for your help.
