Server is unwilling to perform on MS AD


Amar Kulo

Nov 19, 2012, 5:01:12 AM
to rcdevs-t...@googlegroups.com
Hi.

I have installed the latest OpenOTP and configured it to access my domain on a Win 2008 server.

The problem is when I try to activate user I get the following error in httpd.log

[Mon Nov 19 10:59:55 2012] [192.168.137.159] [Admin_8F43583A] Could not modify LDAP object 'CN=Amar Kulo,CN=Users,DC=sp,DC=local' (Server is unwilling to perform)

The proxy user is Administrator, so I don't think that it's a privileges problem.

Any suggestion where to look?

Tnx

Administrators

Nov 19, 2012, 6:42:18 AM
to RCDevs Security Solutions - Technical
Generally this is because you set an AD password and you do not connect
to the AD through LDAP SSL.
AD refuses to set/update user passwords without an SSL connection.

Amar Kulo

Nov 19, 2012, 8:47:57 AM
to rcdevs-t...@googlegroups.com
I don't understand why it doesn't work and what kind of auth it needs. The connection is SSL, port 636, and I have followed all instructions from WebADM_install.pdf.

From console I can update info on AD with ldapmodify. 

From WebADM I can change user details, like displayName, Name, etc. but not activate user. 

All other operations are executed properly but not user activation.

I have exported certificate from AD as .pfx file, converted it to .pem and then created cert and key files which are now in server.xml, but still doesn't work.

What to do now?

Tnx for help.
Amar

Administrators

Nov 19, 2012, 11:04:02 AM
to RCDevs Security Solutions - Technical
Ok if the connection is SSL. Then that's not the problem.

Did the graphical setup successfully extend your AD schema with the
webadmAccount objectclass?
Activating an account in OpenOTP just means adding the webadmAccount
class to the user.

Another point: It's 2008 so DO NOT use the tweak in webadm.conf for AD
2003.
-> You MUST have : webadm_account_oclasses "webadmAccount"
-> And NOT : webadm_account_oclasses "webadmAccount", "user"

Amar Kulo

Nov 20, 2012, 2:47:25 AM
to rcdevs-t...@googlegroups.com
Setup has extended AD schema without problems, I can see it on left hand side.

In webadm.conf I have default values for 2008 server.

# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses   "webadmGroup"
webadm_config_oclasses  "webadmConfig"

Is there way to enable even more debug in logs?

Linux server is Ubuntu 12.04.01 LTS.

Administrators

Nov 20, 2012, 3:59:25 AM
to RCDevs Security Solutions - Technical
It's the AD who refuses the LDAP operation and sends back the "server
is unwilling to perform".
Debugging should be done in AD in this case because webadm doesn't have any
other information.

Try to extend your user with the minimal required attributes
(generally just set none of them).
Also try the extension via the "Add Extension" combo in the edit page.
At least if it works, it's one of the attribute formats which is refused.

Amar Kulo

Nov 20, 2012, 4:01:53 AM
to rcdevs-t...@googlegroups.com
Hmm, strange, because AD is allowing me to change all other user attributes from WebADM but not adding new ones or creating a new user.

Empty user attributes are not working, I'm getting the same error.

Amar Kulo

Nov 20, 2012, 4:33:41 AM
to rcdevs-t...@googlegroups.com
So I have tried with adding of attributes.

I was able to add email address attribute, description, preferred language, mobile phone number, but still after that I wasn't able to activate user neither was I able to add extension Webadmaccount.

Administrators

Nov 20, 2012, 5:19:34 AM
to RCDevs Security Solutions - Technical
Sounds like this AD behaves like a 2003 regarding the LDAP auxiliary
classes.
Try the 2003 tweak in webadm.conf: add user to the
webadm_account_oclasses

Amar Kulo

Nov 20, 2012, 5:26:25 AM
to rcdevs-t...@googlegroups.com
That did it. It seems that because of migrating the domain from 2003 to 2008 some things are still 2003-style.

Even raising the domain level to 2008 R2 didn't help.

Tnx a lot for help.

Amar Kulo

Nov 20, 2012, 5:58:03 AM
to rcdevs-t...@googlegroups.com
Yes, this definitely works. 

One other question, how to remove or select which users are in those 25 free that are allowed? I have Acronis backup user, IIS guest user, etc. and users that I don't want to have access to OpenOTP.

Administrators

Nov 20, 2012, 6:03:59 AM
to RCDevs Security Solutions - Technical
In normal 2008 mode, it counts the users with the class.
And in 2003 mode, it counts the users with a webadmData attribute.
These are users which have used the OpenOTP once.

Administrators

Nov 20, 2012, 6:07:29 AM
to RCDevs Security Solutions - Technical
And to prevent any user from using OTP, you can set an 'Allowed Group'
in your WebADM Domain.
Check the WebADM Domain in Menu -> Infos -> Registered Domains
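The following is an added helper, not code from the thread or from RCDevs: it parses the webadm.conf objectclass lines and the httpd.log error line quoted above, renders the LDAP modify that activation amounts to (the thread states activation means adding the webadmAccount class; that it is an `add: objectClass` modify is an assumption), and builds the search filter matching how each mode counts licensed users. Sample config and log text are constructed from the thread.

```python
import re

# Constructed copy of the webadm.conf lines quoted in the thread (default 2008 mode).
WEBADM_CONF_2008 = '''
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses   "webadmGroup"
'''
# Same file with the 2003 tweak that resolved the thread (constructed).
WEBADM_CONF_2003 = WEBADM_CONF_2008.replace('"webadmAccount"', '"webadmAccount", "user"')

# Constructed copy of the httpd.log line format shown in the first post.
LOG_LINE = ("[Mon Nov 19 10:59:55 2012] [192.168.137.159] [Admin_8F43583A] Could not modify "
            "LDAP object 'CN=Amar Kulo,CN=Users,DC=sp,DC=local' (Server is unwilling to perform)")

def parse_oclasses(conf_text):
    """Return {setting: [class, ...]} for webadm_*_oclasses lines; '#' comments are ignored."""
    result = {}
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'^(webadm_\w+_oclasses)\s+(.+)$', line)
        if m:
            result[m.group(1)] = re.findall(r'"([^"]+)"', m.group(2))
    return result

def parse_log_line(line):
    """Extract timestamp, client, session, DN and LDAP result text from a WebADM modify error."""
    m = re.match(r"^\[(.+?)\] \[(\S+)\] \[(\S+)\] Could not modify LDAP object '(.+?)' \((.+)\)$", line)
    if not m:
        return None
    ts, client, session, dn, err = m.groups()
    return {'time': ts, 'client': client, 'session': session, 'dn': dn, 'error': err}

def activation_ldif(dn, configured):
    """LDIF modify adding every configured account class to the entry's objectClass.
    Assumption: this is the shape of the operation behind 'activate user'. Empty list -> None."""
    if not configured:
        return None
    lines = [f'dn: {dn}', 'changetype: modify', 'add: objectClass']
    lines += [f'objectClass: {c}' for c in configured]
    return '\n'.join(lines + ['-']) + '\n'

def licensed_users_filter(configured):
    """Filter for users counted against the license: 2003 tweak present -> webadmData attribute,
    otherwise -> entries carrying the webadmAccount class (as described by the administrators)."""
    if 'user' in [c.lower() for c in configured]:
        return '(&(objectClass=user)(webadmData=*))'
    return '(objectClass=webadmAccount)'
```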