Dear support,
I'm trying to configure the LDAP authentication against a Windows 2008R2 AD server. The test connection button result is successful, but not when I try to log in.
Here is some information:
Server: Linux CentOS 5.6 x64 2.6.18-238.9.1.el5
WingFTP: 3.8.7
LDAP Configuration:
IP: => ip of my AD server
Port: 389
Base DN: DC=domain,DC=local => (I don't put my real domain name for security)
User Filter: (&(objectClass=user)(sAMAccountName=%s))
LDAP Version: 3 (even when I change to 2, this setting is reverted back to 3 when I reopen the window)
SSL/TLS: No (with Yes, the test connection button fails)
I tried to define a Bind DN like this: CN=adm-ftp,OU=Services,OU=Administrators,DC=domain,DC=local
With adm-ftp member of Domain Admins or not it doesn't solve the issue.
In the Domain logs, I can find this line, but not on every attempt:
[14] Tue, 31 May 2011 10:05:13 An error occurs when doing LDAP::ldap_bind_s. Error code=-1
What did I do wrong?
Kind regards,
Michel
Linux server + LDAP Active Directory Authentication
- Site Admin
Re: Linux server + LDAP Active Directory Authentication
Could you login with the account "adm-ftp"? If you still can't login with this account, please change the "User Filter" into:
(&(objectClass=user)(sAMAccountName=%s)(ou=Services))
or
(&(objectClass=user)(sAMAccountName=%s)(ou=Services)(ou=Administrators))
Re: Linux server + LDAP Active Directory Authentication
Thank you for the answer.
I tried the 3 tips you gave but it still fails and I still have the same error:
[14] Tue, 31 May 2011 11:55:42 An error occurs when doing LDAP::ldap_search_s. Error code=1
- Site Admin
Re: Linux server + LDAP Active Directory Authentication
I have tested the LDAP authentication with Windows AD server, there is no problem with my computer.
Here is a screenshot of LDAP dialog:
Please note line 4: it returns the user DN through the base DN and user filter; from the screenshot, you can see the right user DN.
So please record your LDAP dialog via wireshark, then paste your result here.
Re: Linux server + LDAP Active Directory Authentication
I took traces and see that, like you, the 4th line returns the correct LDAP path of my user, but after that it tries a bindRequest for the user <ROOT> 3 times and does a searchRequest on the Configuration, ForestDnsZones and DomainDnsZones, but these operations fail with LDAP error DSID-0C0906DC "A successful bind must be completed on the connection".
Kind regards,
Michel
- Site Admin
Re: Linux server + LDAP Active Directory Authentication
There is an article with similar problem: http://blogs.technet.com/b/pki/archive/2007/04/13/manually-publishing-a-ca-certificate-or-crl-into-a-ldap-store.aspx
On the bottom of that article, it says:
I had not configured correct SPNs for AD LDS service account. After registering the SPNs everything works fine.
Re: Linux server + LDAP Active Directory Authentication
Do I need to install the AD LDS role on my Windows 2008R2 Domain Controller to make my DC compatible with WingFTP LDAP queries?
Re: Linux server + LDAP Active Directory Authentication
ok, I found this post:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26659333.html
which helped me without configuring/installing anything on the DC.
Solved by:
port 3268 is used by AD to have access to Global Catalog. Port 389 is meant for other LDAP search and has limited access. Refer to the following url for details
http://technet.microsoft.com/en-us/library/cc978012.aspx
According to the wireshark traces, I understand that the server makes a CN request using the bind user, uses the answer to retry a binding with the full CN, and the binding is now successful.
Is it a good solution for you (I don't know the risks of using port 3268)?
Thank you,
Michel
Re: Linux server + LDAP Active Directory Authentication
Using your details, you should use
adm-ftp@domain.local
as Bind DN (changing domain.local to your real data).
Regards,
Daniel
Re: Linux server + LDAP Active Directory Authentication
Hello. Did you ever get your problem resolved? Curious as to I'm having issues too. Thanks.