Linux server + LDAP Active Directory Authentication

Please post here if you have problems in using Wing FTP Server.
mde@nexis.be
Posts: 7
Joined: Tue May 31, 2011 8:11 am

Linux server + LDAP Active Directory Authentication

Post by mde@nexis.be »

Dear support,

I'm trying to configure LDAP authentication against a Windows 2008R2 AD server. The test connection button reports success, but login does not work.
Here is some information:
Server: Linux CentOS 5.6 x64 2.6.18-238.9.1.el5
WingFTP: 3.8.7
LDAP Configuration:
IP: => ip of my AD server
Port: 389
Base DN: DC=domain,DC=local => (I don't put my real domain name for security)
User Filter: (&(objectClass=user)(sAMAccountName=%s))
LDAP Version: 3 (even when I change it to 2, this setting is reverted back to 3 when I reopen the window)
SSL/TLS: No (with Yes, the test connection button fails)

I tried to define a Bind DN like this: CN=adm-ftp,OU=Services,OU=Administrators,DC=domain,DC=local
Whether adm-ftp is a member of Domain Admins or not, it doesn't solve the issue.

In the domain logs, I can find this line, but not on every attempt:
[14] Tue, 31 May 2011 10:05:13 An error occurs when doing LDAP::ldap_bind_s. Error code=-1

What did I do wrong?

Kind regards,

Michel
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Linux server + LDAP Active Directory Authentication

Post by FTP »

Could you log in with the account "adm-ftp"? If you still can't log in with this account, please change the "User Filter" to:

(&(objectClass=user)(sAMAccountName=%s)(ou=Services))

or

(&(objectClass=user)(sAMAccountName=%s)(ou=Services)(ou=Administrators))
mde@nexis.be
Posts: 7
Joined: Tue May 31, 2011 8:11 am

Re: Linux server + LDAP Active Directory Authentication

Post by mde@nexis.be »

Thank you for the answer.

I tried the 3 tips you gave, but it still fails and I still have the same error:
[14] Tue, 31 May 2011 11:55:42 An error occurs when doing LDAP::ldap_search_s. Error code=1
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Linux server + LDAP Active Directory Authentication

Post by FTP »

I have tested the LDAP authentication with a Windows AD server; there is no problem on my computer.

Here is a screenshot of the LDAP dialog:
[screenshot of the LDAP dialog omitted]

Please note line 4: it returns the user DN via the base DN and user filter, and in the screenshot you can see the correct user DN.

So please record your LDAP dialog with Wireshark, then paste your result here.
mde@nexis.be
Posts: 7
Joined: Tue May 31, 2011 8:11 am

Re: Linux server + LDAP Active Directory Authentication

Post by mde@nexis.be »

I took traces and saw that, like yours, the 4th line returns the correct LDAP path of my user, but after that it tries a bindRequest for the user <ROOT> 3 times and does a searchRequest on the Configuration, ForestDnsZones and DomainDnsZones, but these operations fail with LDAP error DSID-0C0906DC "A successful bind must be completed on the connection".

Kind regards,

Michel
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Linux server + LDAP Active Directory Authentication

Post by FTP »

There is an article with similar problem: http://blogs.technet.com/b/pki/archive/2007/04/13/manually-publishing-a-ca-certificate-or-crl-into-a-ldap-store.aspx

At the bottom of that article, it says:
I had not configured correct SPNs for AD LDS service account. After registering the SPNs everything works fine.
mde@nexis.be
Posts: 7
Joined: Tue May 31, 2011 8:11 am

Re: Linux server + LDAP Active Directory Authentication

Post by mde@nexis.be »

Do I need to install the AD LDS role on my Windows 2008R2 Domain Controller to make my DC compatible with WingFTP LDAP queries?
mde@nexis.be
Posts: 7
Joined: Tue May 31, 2011 8:11 am

Re: Linux server + LDAP Active Directory Authentication

Post by mde@nexis.be »

ok, I found this post:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26659333.html
Solved by:
port 3268 is used by AD to have access to the Global Catalog. Port 389 is meant for other LDAP searches and has limited access. Refer to the following url for details

http://technet.microsoft.com/en-us/library/cc978012.aspx
which helped me without configuring/installing anything on the DC.

According to the Wireshark traces, I understand that the server makes a CN request using the bind user, uses the answer to retry a bind with the full CN, and the binding is now successful.

Is it the right solution in your view (I don't know the risks of using port 3268)?

Thank you,

Michel
danielch
Posts: 1
Joined: Wed Jun 01, 2011 5:14 am

Re: Linux server + LDAP Active Directory Authentication

Post by danielch »

Using your details, you should use
adm-ftp@domain.local as Bind DN (changing domain.local to your real data)
Regards,
Daniel
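The search-then-bind flow Michel describes above (service-account bind, a search with the user filter that returns the account's DN, then a second bind as that DN) and the UPN-style bind name Daniel suggests, as an added example that is neither Wing FTP code nor anyone's post in this thread. It runs against a constructed in-memory stand-in for the DC so it executes offline; every DN, account name and password in it is made up. It also makes a point the thread does not raise: `%s` in the user filter is plain string substitution, so the username must be RFC 4515-escaped before it goes in, otherwise someone who knows no password at all can still use the search step as an oracle (the `PROBE` below asks whether adm-ftp sits in Domain Admins) or as a wildcard match.

```python
import re

BASE_DN = "DC=domain,DC=local"
BIND_DN = "CN=adm-ftp,OU=Services,OU=Administrators,DC=domain,DC=local"
BIND_PW = "S3rvice-pw!"                                    # constructed
USER_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"  # the thread's filter
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=domain,DC=local"

def escape_filter_value(value):
    """RFC 4515: '*', '(', ')', '\\' and NUL become \\XX escapes, so the username put in for %s cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(text):
    """Strict parser for (&..), (|..), (!..) and (attr=value) with '*'; unbalanced input raises ValueError."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if text[pos:pos + 1] != ")":
                raise ValueError("unbalanced filter at offset %d" % pos)
            pos += 1
            return (op, kids)
        m = re.match(r"([A-Za-z][\w-]*)=([^)]*)\)", text[pos:])
        if not m:
            raise ValueError("bad filter item at offset %d" % pos)
        pos += m.end()
        return ("=", (m.group(1).lower(), m.group(2)))
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")  # no lenient parsing
    return tree

def matches(tree, attrs):
    op, arg = tree
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, attrs) for k in arg)
    if op == "!":
        return not matches(arg[0], attrs)
    name, raw = arg
    unesc = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    # Split on the wildcard before unescaping, so an escaped \2a stays a literal '*'.
    pattern = ".*".join(re.escape(unesc(p)) for p in raw.split("*"))
    return any(re.fullmatch(pattern, v, re.I) for v in attrs.get(name, []))  # AD: case-insensitive

class FakeAD:
    """Constructed in-memory stand-in for the domain controller (only the simulation holds passwords like this)."""
    def __init__(self, entries, passwords):
        self.entries = {dn: {k.lower(): v for k, v in a.items()} for dn, a in entries.items()}
        self.passwords = passwords
    def _resolve(self, name):  # AD simple bind accepts a DN or a userPrincipalName (user@domain)
        if name in self.entries:
            return name
        upn = name.lower()
        return next((dn for dn, a in self.entries.items()
                     if upn in [u.lower() for u in a.get("userprincipalname", [])]), None)
    def bind(self, name, password):
        dn = self._resolve(name)
        return dn is not None and self.passwords.get(dn) == password
    def search(self, base, filt):
        tree = parse_filter(filt)
        return [dn for dn, a in self.entries.items()
                if dn.lower().endswith(base.lower()) and matches(tree, a)]

def authenticate(ad, username, password, escape=True):
    """Service bind -> search for the user's DN -> bind as that DN. Returns (status, dn)."""
    if not ad.bind(BIND_DN, BIND_PW):
        return ("service-bind-failed", None)        # the thread's ldap_bind_s error
    value = escape_filter_value(username) if escape else username
    hits = ad.search(BASE_DN, USER_FILTER.replace("%s", value))
    if len(hits) != 1:
        return ("no-such-user" if not hits else "ambiguous", None)
    return ("ok", hits[0]) if ad.bind(hits[0], password) else ("bad-password", hits[0])

ALICE = "CN=alice,OU=Users,DC=domain,DC=local"
DIRECTORY = FakeAD(  # constructed sample data; adm-ftp is placed in Domain Admins here
    entries={BIND_DN: {"objectClass": ["user"], "sAMAccountName": ["adm-ftp"],
                       "userPrincipalName": ["adm-ftp@domain.local"], "memberOf": [DOMAIN_ADMINS]},
             ALICE: {"objectClass": ["user"], "sAMAccountName": ["alice"],
                     "userPrincipalName": ["alice@domain.local"]}},
    passwords={BIND_DN: BIND_PW, ALICE: "alice-pw"})
# Probe from someone who knows no password at all: is adm-ftp a Domain Admin?
PROBE = "adm-ftp)(memberOf=%s" % DOMAIN_ADMINS

def demo():
    return {"alice": authenticate(DIRECTORY, "alice", "alice-pw"),
            "upn_bind": DIRECTORY.bind("adm-ftp@domain.local", BIND_PW),
            "wildcard_raw": authenticate(DIRECTORY, "*", "x", escape=False),
            "wildcard_escaped": authenticate(DIRECTORY, "*", "x"),
            "probe_raw": authenticate(DIRECTORY, PROBE, "x", escape=False),
            "probe_escaped": authenticate(DIRECTORY, PROBE, "x")}
```

Import the module and call `demo()`: with escaping off, the probe comes back as `bad-password` for adm-ftp's DN (the search matched, so the caller has learned the group membership without any credential) and `*` returns `ambiguous`; with escaping on, both become `no-such-user`. Escaping alone does not close the oracle if the client is shown different errors for "no such user" and "bad password"; return one generic failure to the client and keep the detail in the server log, which is the only reason the status strings above are distinct. On the port question Michel raises: 3268 is the Global Catalog, which answers forest-wide searches from a read-only partial attribute set, while 389 queries one domain partition; neither protects a simple bind in transit, so over 389 or 3268 the service-account password and every user password cross the wire in cleartext. The TLS counterparts are 636 (LDAPS) and 3269 (GC over SSL), or StartTLS on 389, which is the SSL/TLS setting the first post had to turn off because the connection test failed.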
leo462
Posts: 1
Joined: Fri Sep 07, 2012 7:36 pm

Re: Linux server + LDAP Active Directory Authentication

Post by leo462 »

Hello. Did you ever get your problem resolved? Curious as to I'm having issues too. Thanks.