LDAP and AD: only domain admins can log on

martinb · June 12, 2006, 5:44pm

Hi,

I’'ve setup wildfire to authenticate against our win2003 AD and everything is working ok for anyone in the Domain Admins group but users in the Domain Users group cant log in. Im getting the following error from the debug.log:

2006.06.12 17:37:57 Trying to find a user’'s DN based on their username. sAMAccountName: user1, Base DN: cn=Users,dc=test,dc=internal…

2006.06.12 17:37:57 Creating a DirContext in LdapManager.getContext()…

2006.06.12 17:37:57 Created hashtable with context values, attempting to create context…

2006.06.12 17:37:57 … context created successfully, returning.

2006.06.12 17:37:57 Starting LDAP search…

2006.06.12 17:37:57 … search finished

2006.06.12 17:37:57 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=joe bloggs…

2006.06.12 17:37:57 Created context values, attempting to create context…

2006.06.12 17:37:57 Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 569, vece

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at com.sun.jndi.ldap.LdapCtx. <![CDATA[(&

(objectCategory=person)

(sAMAccountName=)

(memberOf=CN=IMAccess,CN=Users,DC=test,DC=internal)

)]]>

matt · June 13, 2006, 4:31am

martin,

Authentication works by trying to bind to the directory using the credentials that the user enters. Have you configured AD to not allow binding by normal users? Is this a normal AD setup?

Regards,

Matt

martinb · June 13, 2006, 8:32am

Thanks for the info matt.

As far as I know normal users should be able to read the AD setup - dont know about binding, is there any info on the net as to how I would check this out.

If this is the case, then what is the adminDN used for - i was under the impression that the admin would be used to perform all ldap queries on AD ?

Message was edited by: martinb

Luke · June 13, 2006, 10:33am

In my conf file I use OU instead of CN maybe you should give it a try.

martinb · June 13, 2006, 1:07pm

Luke , if I change the baseDN then no one can log in. I think matt may be on the right path with the binding - unfortunatly I cant seem to find any documentation on finding out what users/groups can an cant bind to AD

Message was edited by: martinb

martinb · June 13, 2006, 4:51pm

Guys solved the problem - stupid me, im banging my head of the table right now - I found a group policy only allowing domain admins network access to the AD server - so of course when a regular user tries to connect to the AD server, s/he is stopped. All sorted now.

Thanks for all the help