Tuesday, 15 September 2015

active directory - LDAP authentication works with DN but not with CN of AD -

I recently had an application that interacts with two ADs, on host1 and host2. I found that the LDAP connections have been failing when connecting to one of the hosts. The error looks like this:

connection 'ldap://[host1]/rootdse' failed. system.directoryservices.directoryservicescomexception (0x8007052e): logon failure: unknown user name or bad password.

For troubleshooting purposes I installed the Apache Directory tool and tried different CN/DN combinations. The observations are:

When connecting to host1 with the CN (in this case, administrator) / [password], I get the following error when fetching the base DNs:

error while fetching base of operations dns [ldap: error code 49 - 80090308: ldaperr: dsid-0c0903a9, comment: acceptsecuritycontext error, info 52e, v1db1

When connecting to host1 with the distinguished name of administrator and the same password, I am able to retrieve the base DNs.

When connecting to host2 with the CN (administrator again) / [password], I can retrieve the list of base DNs.

So the question is: are there AD settings I can set to allow authentication using the CN instead of the full DN?

I'm new to AD, so if there is anything I can add to the question to help people browsing for similar issues, please let me know. Thanks.

What are host1 and host2: different domain controllers (DCs) of the same domain, or different domains? From your explanation they seem to be different domains; if that is the case, host2 would have a different administrator with a different password.

To reply to your question directly: AD allows the CN to be used for user logon if, and only if, the given CN is unique. There is no need to configure anything for that.

However, there are a number of other ways to log in to AD. You can use the sAMAccountName or userPrincipalName attributes of the users; these contain the usernames of the user. The first one contains the username as domain\username, where domain is the AD's NetBIOS domain name (I am not sure of the exact term, using this for lack of a better one). The second attribute contains the username in the form username@example.com, where example.com is the AD's DNS domain name (although it can be different).

So if you are looking for something shorter than the DN, use one of the above.
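The two errors in the question carry the same code: the .NET exception's 0x8007052e wraps Win32 error 0x52e, and the LDAP error 49 comment reports it as data 52e (logon failure). The Python below is an added example, not code from the question or the answer: it pulls that AD sub-status out of an error-49 message (the table is Microsoft's documented set of logon-failure codes) and names which of the logon forms the answer lists (DN, UPN, NetBIOS\sAMAccountName, bare CN) a bind identity uses, so a failed bind can be logged with the right cause. The sample error string is constructed, modelled on the one in the question.

```python
import re
from typing import Optional, Tuple

# AD sub-status codes that follow "data" in the comment of an LDAP error 49
# (invalidCredentials) response: Win32 logon-failure codes in hex.
AD_BIND_SUBSTATUS = {
    "525": "user not found",
    "52e": "logon failure: unknown user name or bad password",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Real AD responses say "data 52e"; the scraped message in the question says
# "info 52e", so both spellings are accepted.
_SUBSTATUS_RE = re.compile(
    r"AcceptSecurityContext error,\s*(?:data|info)\s+([0-9a-f]{3})", re.I)

# Constructed sample, modelled on the host1 error quoted in the question.
SAMPLE_HOST1_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                      "comment: AcceptSecurityContext error, data 52e, v1db1]")

def explain_ad_bind_error(message: str) -> Optional[Tuple[str, str]]:
    """Return (sub-status, meaning) for an AD error-49 message, else None.
    Logging the sub-status is what lets an operator tell a mistyped password
    (52e) apart from a lockout (775) or a disabled account (533)."""
    m = _SUBSTATUS_RE.search(message)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBSTATUS.get(code, "unrecognised sub-status")

def classify_bind_identity(identity: str) -> str:
    """Name the AD logon form of a simple-bind identity: 'dn' (full
    distinguished name), 'netbios' (DOMAIN\\sAMAccountName), 'upn'
    (user@dns.domain) or 'cn' (bare CN, which AD resolves only when that
    CN is unique, so it is the most fragile choice)."""
    s = identity.strip()
    if re.match(r"[A-Za-z][A-Za-z0-9-]*=", s):
        return "dn"
    if "\\" in s:
        return "netbios"
    if "@" in s:
        return "upn"
    return "cn"
```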

active-directory ldap
