My controls network is isolated on a separate network and I am using Univention (UCS) for my AD server. All of the Windows and Linux computers have joined the domain without issue, but I have been trying for the last 2 months to use the AD server as a user source and have yet to accomplish this. My log just states: java.lang.Exception: Failed connecting to LDAP server.
Does anyone have any ideas about what I am doing wrong? I have to get this working before I enable a one-way trust with the main company DC.
Can you post the User Sources/AD settings on your Ignition Gateway? We may be able to point out the issue that way.
Cheers,
Oscar.
I figured it out.
For anyone else that is trying to use a Linux AD server (i.e. Univention, Zentyal), you have to use the prefix and suffix.
prefix “uid=”
suffix “,cn=xxx,dc=xxx,dc=xxx”
All of this time it was the comma in front of the cn that tripped me up.
Now that I am able to log in using AD, no users show up when I select Manage Users. The log says error 32, no such object. Here is what I get with a s4 search on the server.
This is for anyone else trying to accomplish this. I was fully able to get this working by disabling “ldap server require strong auth” in Samba 4, thus not requiring SSL, which is not a problem on my isolated VLAN.
Steps:
1. Ensure the user has read auth in Samba, or use an admin account for browsing.
2. Disable “ldap server require strong auth” to allow simple auth on port 389.
3. User listing base according to DN (CN=xxx,DC=yyy,DC=zzzz).
4. Samba 4, or Samba 4 with LDAP bridge, can use the default user list search filter and user name attribute.
5. User name prefix in Samba: cn= ; user name suffix in Samba: ",cn=user,dc=yyy,dc=zzz".
With this I was able to test with Zentyal, Univention and straight Samba 4, including the TurnKey DC LXC.
Any questions about DN: just use an LDAP browser, e.g. Apache Directory Studio, to find the Distinguished Name needed.
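The two failures in this thread (the missing comma in the suffix, then LDAP error 32 because the listing base did not match the directory's naming context) can be caught offline before the gateway ever talks to the server. The following is an added example, not code from the thread or from Ignition or Samba: it assembles the bind DN the way a prefix/suffix user source does, checks each RDN, compares the naming context of the listing base against the bind DN, and flags a simple bind on plain port 389 as cleartext so the "isolated VLAN" trade-off is a conscious one. The function names (build_bind_dn, dn_problems, check_user_source) and the sample values (uid=jdoe, cn=users, dc=example, dc=lan) are constructed for illustration.

```python
"""Offline sanity checks for an LDAP/AD user-source configuration.

Added example; function names and sample values are constructed, not taken from
the forum thread, Ignition or Samba.
"""
import re
from typing import Dict, List

# One RDN: attribute type, '=', then a value with no unescaped ',' or '='.
# Simplified RFC 4514; enough to catch "uid=jdoecn=users" style mistakes.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,=\\]|\\.)+$")


def build_bind_dn(prefix: str, username: str, suffix: str) -> str:
    """Form the bind DN exactly as a prefix/suffix user source does: prefix + user + suffix."""
    return f"{prefix}{username}{suffix}"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (backslash escapes are honoured)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def dn_problems(dn: str) -> List[str]:
    """Return a description of each malformed RDN; an empty list means the DN looks well-formed."""
    return [f"malformed RDN: {rdn!r}" for rdn in split_dn(dn) if not _RDN_RE.match(rdn)]


def _naming_context(dn: str) -> List[str]:
    """The dc= components of a DN, lower-cased, e.g. ['dc=example', 'dc=lan']."""
    return [rdn.lower() for rdn in split_dn(dn) if rdn.lower().startswith("dc=")]


def check_user_source(cfg: Dict[str, object]) -> List[str]:
    """Run all checks on a user-source config dict; returns a list of findings (empty = clean)."""
    findings: List[str] = []
    bind_dn = build_bind_dn(str(cfg["prefix"]), str(cfg["username"]), str(cfg["suffix"]))
    findings += dn_problems(bind_dn)

    # The suffix must begin with ',' so the user RDN is separated from its container.
    if not str(cfg["suffix"]).startswith(","):
        findings.append("suffix must start with ',' to separate the user RDN from the container")

    # A listing base outside the bind DN's naming context is what the server reports as
    # LDAP result 32 (noSuchObject): it searched a subtree that does not exist.
    if _naming_context(str(cfg["base_dn"])) != _naming_context(bind_dn):
        findings.append("user listing base is outside the bind DN's naming context "
                        "(expect LDAP error 32, noSuchObject)")

    # Simple bind without TLS sends the password in cleartext on every authentication.
    if int(cfg["port"]) == 389 and not cfg["use_tls"]:
        findings.append("simple bind over plain LDAP: credentials cross the wire in cleartext; "
                        "acceptable only on an isolated segment, prefer LDAPS/StartTLS")
    return findings


# Constructed sample config mirroring the thread's working settings (values are made up).
SAMPLE_CONFIG: Dict[str, object] = {
    "prefix": "uid=",
    "username": "jdoe",
    "suffix": ",cn=users,dc=example,dc=lan",
    "base_dn": "cn=users,dc=example,dc=lan",
    "port": 389,
    "use_tls": False,
}

if __name__ == "__main__":
    for name, cfg in {
        "as posted": SAMPLE_CONFIG,
        "suffix without leading comma": dict(SAMPLE_CONFIG, suffix="cn=users,dc=example,dc=lan"),
        "listing base in wrong context": dict(SAMPLE_CONFIG, base_dn="cn=users,dc=corp,dc=lan"),
    }.items():
        print(f"{name}:")
        for finding in check_user_source(cfg) or ["no findings"]:
            print(f"  - {finding}")
```

Run it against the values you intend to enter in the gateway; a clean result does not prove the server will accept the bind, but it rules out the two configuration mistakes described above before you start reading Java stack traces.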