More LDAP Help

I've been checking out the entire “A LDAP HowTo” thread up and down and I still can't authenticate against my AD. I installed JiveMessenger 2.1.2 on my DC with Win2k Adv Srv. Is there anything wrong with that? Do I need any other stuff besides what comes with a normal domain controller installation? Could anyone help me with this, please?

9090

9091

abe, bill, carl, dave

en

myDomain.edu.com

389

samAccountName

diplayName

mail

DC=myDomain,DC=edu,DC=com

CN=jabber,CN=Users,DC=myDomain,DC=edu,DC=com

12345

org.jivesoftware.messenger.ldap.LdapUserProvider

org.jivesoftware.messenger.ldap.LdapAuthProvider

The adminDN doesn't look like it would be correct. Have you given that user permission to read the entire LDAP tree?

Regards,

Matt

Thanks for your time Matt.

What is wrong with the adminDN? I've tried several ways, starting with the one included in the Jive documentation and every single way that I've seen in this forum. Please be more specific: what would you recommend for that?

Anyway, I made that user a member of the DomainAdmins group, so I think it has plenty of rights (more than I would like it to have, since that password is stored somewhere in plain text).

That will be another useful point where maybe you can help me: what specific level of permission is necessary in order to read the LDAP tree, as you said?

Thanks in advance once more

Alex

Alex,

Are you sure your baseDN is “DC=myDomain,DC=edu,DC=com”? That's like saying your email address is alex@mydomain.edu.com. If your domain is “mydomain.edu”, your baseDN should be “DC=mydomain,DC=edu” – assuming AD was set up correctly. I think this is what Matt was referring to.

As for the permissions of the user, in my organization all users have read access to AD since all my users are members of the Domain Users group. I don't think any special privileges are needed beyond that, but I'm not 100% sure.

I've found using Softerra's free LDAP Browser to be a ton of help in troubleshooting AD LDAP stuff. http://www.ldapbrowser.com/download/index.php

One thing to note is that some places set up AD to create users where the Display Name is like “Doe, John”, where the Display Name actually has a comma in it. Since AD sets the LDAP CN equal to the Display Name, you will need to escape the comma, like “CN=Doe\, John,CN=…”. I highly recommend that when creating the jabber user you set the Display Name to just “jabber”.

Cameron

abe, bill, carl, davem, jabber ?

Regards,

Renat

Hello Cameron:

"Are you sure your baseDN is “DC=myDomain,DC=edu,DC=com”? That's like saying your email address is alex@mydomain.edu.com."

Yes, actually it is domain.edu.cu, since that's my school intranet.

"I've found using Softerra's free LDAP Browser to be a ton of help in troubleshooting AD LDAP stuff."

Right now I'm navigating through the AD with Softerra; I can log in with my administrative user and it's all OK, but it still doesn't work in Jive.

"I highly recommend that when creating the jabber user you set the Display Name to just “jabber”."

That's exactly what I did. Any more ideas?

Thanks a lot

Hi Renat

"abe, bill, carl, davem, jabber ?"

That one doesn't fix it at all. I'm desperate about this situation.

Thanks

Here is how I set up mine and it works great. This is with Windows 2003 Server, BTW.

HostName

389

sAMAccountName

cn

mail

OU=domain users,DC=mydomain,DC=com

CN=Administrator,OU=System users,DC=mydomain,DC=com

MyAdminPassword

You could also try a non admin user once you have set it up and got it working.

The LDAP browser is great for finding out what your admin DN should be. In our network we have a separate OU for administrator accounts.

From docs:

ou=People;dc=example;dc=com

You are using commas, aren't you? According to the docs that's wrong.

I've tried both ways, commas and semicolons, and still don't get it.

In fact, I've tried almost every given configuration and their combinations.

Is it possible that the fact of using a domain.edu.cu format may be messing the whole thing up?

I think you have the initial configuration (the one from the first message) right, except for the baseDN. Add CN=Users at the beginning.

"I've tried both ways, commas and semicolons, and still don't get it.

In fact, I've tried almost every given configuration and their combinations.

Is it possible that the fact of using a domain.edu.cu format may be messing the whole thing up?"

that should not matter at all. The only things that matter are that the DN is typed exactly like your ldap browser shows it and that the password is correct.

I have posted my configuration which works great with windows 2003 server.

Yeesss! It WORKS! Thanks so much, everybody. Here is a literal transcription of my XML conf file, in case anyone is interested in the future. I used commas (,), not semicolons (;).

user1, user2, user3

en

domain.edu.cu

389

sAMAccountName

displayName

mail

CN=Users,DC=domain,DC=edu,DC=cu

CN=jabber,CN=Users,DC=domain,DC=edu,DC=cu

12345

org.jivesoftware.messenger.ldap.LdapUserProvider

org.jivesoftware.messenger.ldap.LdapAuthProvider


org.jivesoftware.database.EmbeddedConnectionProvider
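As an added example (not from the thread or from Jive Messenger itself), the following helpers check a config like the ones posted above for the mistakes discussed in this thread: a baseDN that does not match the DNS domain (Cameron's point), an adminDN that is not under the baseDN, a comma in a CN such as “Doe, John” that needs escaping, and semicolon separators where the working config used commas. The config dictionaries and the field names host/baseDN/adminDN/nameField are assumptions modelled on the values posted here, not Jive's own API.

```python
# Added example, not part of the thread: sanity checks for an AD LDAP config.
# The config keys and sample values below are constructed from this thread.

def base_dn_from_domain(domain: str) -> str:
    """Turn a DNS domain into the AD default naming context.

    domain.edu.cu -> DC=domain,DC=edu,DC=cu
    """
    labels = [lbl for lbl in domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"DC={label}" for label in labels)

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_SPECIAL = ',+"\\<>;'

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out            # leading '#' or space must be escaped
    if out.endswith(" "):
        out = out[:-1] + "\\ "      # trailing space must be escaped
    return out

def user_dn(display_name: str, base_dn: str, container: str = "CN=Users") -> str:
    """Build the DN AD assigns to a user created in the Users container."""
    return f"CN={escape_rdn_value(display_name)},{container},{base_dn}"

def check_ldap_config(cfg: dict) -> list:
    """Return a list of problems found in a thread-style LDAP config dict."""
    problems = []
    expected = base_dn_from_domain(cfg["host"])
    base = cfg["baseDN"].replace(";", ",")
    admin = cfg["adminDN"].replace(";", ",")
    if ";" in cfg["baseDN"] or ";" in cfg["adminDN"]:
        problems.append("DN uses ';' separators; the working config uses ','")
    if not base.lower().endswith(expected.lower()):
        problems.append(f"baseDN does not end with {expected} derived from host")
    if not admin.lower().endswith(base.lower()):
        problems.append("adminDN is not under baseDN")
    if cfg.get("nameField") not in ("displayName", "cn", "name"):
        problems.append(f"nameField {cfg.get('nameField')!r} is not an AD name attribute")
    return problems

if __name__ == "__main__":
    # Constructed sample: the first config posted in this thread.
    first = {"host": "myDomain.edu.com", "baseDN": "DC=myDomain,DC=edu,DC=com",
             "adminDN": "CN=jabber,CN=Users,DC=myDomain,DC=edu,DC=com",
             "nameField": "diplayName"}
    print(check_ldap_config(first))
    print(user_dn("Doe, John", base_dn_from_domain("domain.edu.cu")))
```

Running it on the first posted config flags only the misspelled nameField; the final working config passes cleanly.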