adding a test user in the config file

easyrhino

Oct 5, 2011, 7:40:09 PM
to pwm-general
Hi,

I have successfully connected PWM to the Active Directory but am thus
far unable to get the test user account working. I created a test user
as a normal user in Active Directory and added:

cn=pwmtest,cn=users,dc=easyrhino,dc=lcl

to the test user text box in the configuration. However, I continually
get:

unexpected ldap error while writing test user temporary random
password: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C,
problem 5003 (WILL_NOT_PERFORM), data 0 ]

Is my syntax wrong? I confirmed that the pwm proxy user is set up to
read and manage password attributes.

Thanks

Jason Rivard

Oct 5, 2011, 7:44:39 PM
to pwm-g...@googlegroups.com
Are you connected over SSL? Usually that error is because you're connected via ldap and not ldaps.

Seth Chevalier

Oct 5, 2011, 8:05:33 PM
to pwm-g...@googlegroups.com
I am not connected over SSL. I just started looking into creating the certificates for AD, a process much like pulling teeth.

Jason Rivard

Oct 5, 2011, 8:06:41 PM
to pwm-g...@googlegroups.com
That's why the promiscuous SSL option (in the ldap section) exists :)

Seth Chevalier

Oct 5, 2011, 9:37:35 PM
to pwm-g...@googlegroups.com
Since this is a test box destined for the production environment I might as well go ahead and get SSL working now. Is there a recommended cryptographic service provider and key length? Thanks.

Jason Rivard

Oct 5, 2011, 9:39:14 PM
to pwm-g...@googlegroups.com
Nope, not as far as PWM is concerned.

Seth Chevalier

Oct 6, 2011, 7:31:29 PM
to pwm-g...@googlegroups.com
I seem to be in a bit of a rut. Do I want to create the certificate on the AD box and import it on the tomcat box or vice versa? I seem to be missing something here.

Jason Rivard

Oct 6, 2011, 7:33:38 PM
to pwm-g...@googlegroups.com
You're creating a server certificate for your AD ldaps:// server. Your ldap server will use this certificate for encryption. You will be importing the public key of that certificate into the tomcat (really Java's) keystore so it will trust your ldaps server.

Seth Chevalier

Oct 6, 2011, 9:14:42 PM
to pwm-g...@googlegroups.com
Hrm, this is what I've been trying... Installed the Active Directory Certificate Services and created a .crt file. FTPed that .crt file to the server running tomcat. Ran the keytool -import command to put the .crt file into the cacerts. So far, no good. Thanks for your assistance.

Menno Pieters

Oct 7, 2011, 3:11:23 AM
to pwm-g...@googlegroups.com
Make sure that the hostname in the certificate and the hostname you use in the ldap settings are identical. So if your host is dc1.mydomain.com and you're connecting to 192.168.1.7, Java will complain. You may then correct the URL, possibly add the hostname and IP address to your hosts file, or use the promiscuous mode. The latter, however, is not recommended in production and especially not if traffic is passing open and untrusted networks.

If all the above are correct, check connectivity and check whether the correct certificate is presented, using openssl command line tools:

$ openssl s_client -connect host.domain:636 -showcerts

Regards,

Menno Pieters


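The two checks discussed above (Jason's point that the certificate is the AD server's and gets trusted by the JVM running Tomcat, and Menno's point that the name in that certificate must be the name in the LDAP URL) can be scripted before anything goes into cacerts. The script below is an added example, not code from the thread, PWM or Active Directory. It assumes a hostname of dc1.easyrhino.lcl and generates a self-signed certificate locally as a stand-in for the one you would capture with `openssl s_client`; the keytool command at the end is shown as a comment because it needs a JRE on the box.

```shell
#!/bin/sh
# Added example (not from the pwm-general thread). Checks that the certificate
# an ldaps:// server presents names the host PWM is configured to use, and that
# the configured URL is ldaps:// at all, before the cert is trusted by Java.
# Assumptions (constructed for this example): the AD host is dc1.easyrhino.lcl
# and a self-signed certificate is generated here in place of the real one.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the server certificate. Against a real DC you would capture it:
#   openssl s_client -connect dc1.easyrhino.lcl:636 -showcerts </dev/null
# and save the first "-----BEGIN CERTIFICATE-----" block as server.crt.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=dc1.easyrhino.lcl" \
        -addext "subjectAltName=DNS:dc1.easyrhino.lcl" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    echo "$WORK/server.crt"
}

# Print every DNS subjectAltName entry plus the subject CN, one per line.
# Java checks SAN first and falls back to CN, so both are worth listing.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_host CERT HOST -> exit 0 only if HOST is literally named in CERT.
cert_matches_host() {
    cert_names "$1" | grep -qxF "$2"
}

# Hostname (or IP) part of ldap://host:port or ldaps://host:port.
ldap_url_host() {
    printf '%s\n' "$1" | sed -n 's#^ldaps\{0,1\}://\([^:/]*\).*#\1#p'
}

# check_ldap_url URL CERT -> 0 if URL is ldaps:// and its host is in CERT.
# A plain ldap:// URL is refused: AD answers a password write over it with
# LDAP error 53 (WILL_NOT_PERFORM), the error seen at the top of this thread.
check_ldap_url() {
    url=$1; cert=$2
    case $url in
        ldaps://*) ;;
        *) echo "refuse: $url is not ldaps://; AD will not accept password writes here"
           return 1 ;;
    esac
    host=$(ldap_url_host "$url")
    if cert_matches_host "$cert" "$host"; then
        echo "ok: $url matches the certificate"
    else
        echo "refuse: certificate does not name '$host' (it names: $(cert_names "$cert" | tr '\n' ' '))"
        return 1
    fi
}

CERT=$(make_test_cert)
check_ldap_url "ldaps://dc1.easyrhino.lcl:636" "$CERT"           # ok
check_ldap_url "ldaps://192.168.1.7:636" "$CERT" || true         # refused: IP not in cert
check_ldap_url "ldap://dc1.easyrhino.lcl:389" "$CERT" || true    # refused: not ldaps

# Only after the check passes, trust it in the JRE that runs Tomcat
# (path to cacerts varies by JDK; JAVA_HOME is assumed):
#   keytool -importcert -trustcacerts -alias easyrhino-ad \
#       -file server.crt -keystore "$JAVA_HOME/lib/security/cacerts"
```

The name check is deliberately an exact match: Java will not accept an IP address in the URL against a certificate that only carries a DNS name, which is the mismatch Menno describes. Fix the URL (or DNS) rather than reaching for promiscuous mode on a production box.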
Seth Chevalier

Oct 9, 2011, 11:32:55 AM
to pwm-g...@googlegroups.com
Many thanks to all that helped. Running the test user does indeed require SSL. I had to allow promiscuous SSL for it to work properly on my end for now because the certificate is self signed. So in the near future we will be adding the true certificate and all will be running smoothly.