Ldap to windows 2003

wayne_104
Regular Advisor

Ldap to windows 2003

I have followed the documentation to the t.

The hp-ux client sees the 2003 domain controller.

however the proxy user has problems.
# /opt/ldapux/config/ldap_proxy_config -v
File Credentials verified - INVALID

Cannot understand this as when I set up the proxy user all is fine.

Has anyone had this problem or can point me in the right direction?

as below
Steven E. Protter
Exalted Contributor

Re: Ldap to windows 2003

Shalom,

It might be helpful to "gag" look at the Windows 2003 Server event log. There should be an event corresponding in time stamp to your credential issue that might explain why Windows is unhappy.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
wayne_104
Regular Advisor

Re: Ldap to windows 2003

Thanks, will lower my standards and do that.
wayne_104
Regular Advisor

Re: Ldap to windows 2003

Mystery of mysteries. Windows logs have nothing about the validation.

As Ferris Bueller's teacher said, anyone... anyone.

Can you help me please.
Don Mallory
Trusted Contributor

Re: Ldap to windows 2003

A few things to check:

- The user must be a valid domain member.
- The user must have special read privileges (use the Delegation Wizard from AD Users & Computers on the Users container)
- The user's account must not be locked out, disabled, expired, password expired or otherwise unavailable.
- The account options must have the "Use DES encryption types for this account" checked.
- The user does NOT need to have any of the UNIX attributes set.
- You may want to run /opt/ldapux/config/ldap_proxy_config -i and re-initialize the password and settings.
- Use /opt/ldapux/config/ldap_proxy_config -p to verify that they are correct. e.g:

server# /opt/ldapux/config/ldap_proxy_config -p
PROXY DN: CN=LDAP Proxy User,CN=Users,DC=mydomain,DC=com


I almost always locked it out during testing, thus messing up all the clients.

On the windows side, enable authentication failure and success messages in the event logs and try watching for those.

Good luck,
Don
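An added example, not from this thread or from LDAP-UX, that turns the checklist above into a check over the attributes an ldapsearch of the proxy user would return (userAccountControl, lockoutTime, accountExpires, pwdLastSet). The sample entry and the 42-day maximum password age are constructed assumptions; the proxy DN is the one shown in the post.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (Microsoft ADS_USER_FLAG_ENUM values)
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000
UF_PASSWORD_EXPIRED = 0x800000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """AD FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime.
    0 and 0x7FFFFFFFFFFFFFFF both mean 'never'."""
    value = int(value)
    if value in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def proxy_account_problems(entry, now=None, max_pwd_age_days=42):
    """Return the reasons from the checklist that would make the proxy bind
    fail; an empty list means the account state looks usable."""
    now = now or datetime.now(timezone.utc)
    uac = int(entry.get("userAccountControl", 0))
    problems = []
    if uac & UF_ACCOUNTDISABLE:
        problems.append("account disabled")
    # AD records lockouts in lockoutTime; the UF_LOCKOUT bit alone is not reliable
    if uac & UF_LOCKOUT or int(entry.get("lockoutTime", 0)) != 0:
        problems.append("account locked out")
    expires = filetime_to_datetime(entry.get("accountExpires", 0))
    if expires is not None and expires <= now:
        problems.append("account expired")
    pwd_set = filetime_to_datetime(entry.get("pwdLastSet", 0))
    if uac & UF_PASSWORD_EXPIRED or pwd_set is None:
        problems.append("password expired or must change at next logon")
    elif not uac & UF_DONT_EXPIRE_PASSWD and now - pwd_set > timedelta(days=max_pwd_age_days):
        problems.append("password older than the assumed %d-day maximum age" % max_pwd_age_days)
    if not uac & UF_USE_DES_KEY_ONLY:
        problems.append('"Use DES encryption types for this account" not set')
    return problems

# Constructed sample entry: a proxy user that was locked out during testing
SAMPLE_ENTRY = {
    "distinguishedName": "CN=LDAP Proxy User,CN=Users,DC=mydomain,DC=com",
    "userAccountControl": "2163200",  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | USE_DES_KEY_ONLY
    "lockoutTime": "132123456789012345",
    "accountExpires": "9223372036854775807",
    "pwdLastSet": "130000000000000000",
}
```

Feed it the attribute values from `ldapsearch ... -b "CN=Users,DC=mydomain,DC=com" "(cn=LDAP Proxy User)" userAccountControl lockoutTime accountExpires pwdLastSet` to see which item on the list is tripping the bind.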
Shannon Petry
Honored Contributor

Re: Ldap to windows 2003

I don't envy you at all; we use split LDAP (NT for Windows and SunOne Directory for all Unix). In our testing, we found that the account would constantly lock, and the NT boys had to write a script that continually unlocked the proxy account.

The easiest test would be to manually search or bind with the proxy credentials you are passing to the NT server from LDAP-UX.

ldapsearch -h ntserver -p 389 -D "full_proxy_dn" -w "proxy account pw" -b "your base DN" samaccountname="some NT ID"

ldapsearch is pretty verbose in its errors if authentication fails.

Microsoft. When do you want a virus today?