Difference between revisions of "LDAP"

From GWAVA Technologies Training
(LDAP Troubleshooting Tools)
(LDAP Troubleshooting Tools)
Line 66: Line 66:
 
[http://www.ldapbrowser.com/info_softerra-ldap-browser.htm Softerra LDAP Browser] is a very good tool since it is a read-only device so it can't do anything dangerous.
 
[http://www.ldapbrowser.com/info_softerra-ldap-browser.htm Softerra LDAP Browser] is a very good tool since it is a read-only device so it can't do anything dangerous.
  
[http://directory.apache.org/studio/ Apache Directory Studio] This is a more powerful tool as it can write to directory structures, given proper credentials. By careful not to shoot yourself in the foot.
+
[http://directory.apache.org/studio/ Apache Directory Studio] This is a more powerful tool as it can write to directory structures, given proper credentials. By careful not to shoot yourself in the foot. Retain uses the Apache libraries so if this doesn't work for logging in then Retain will not be able to log in.
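Review bot: the sentence added to the Apache Directory Studio line is a useful diagnostic check, but the line still carries the typo "By careful not to shoot yourself in the foot" (should be "Be careful"), and "if this doesn't work for logging in then Retain will not be able to log in" would be clearer as "if a login with the same credentials fails in Apache Directory Studio, it will also fail in Retain", which states exactly what the reader is meant to test.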

Revision as of 20:26, 10 November 2016


Lightweight Directory Access Protocol (LDAP)

LDAP is the protocol that applications and directory services (such as eDirectory and Active Directory) use to talk to each other.

LDAP Structure

There are only four basic fields in LDAP Data Interchange Format (LDIF):

  • dc Domain Component (dc=gwava,dc=com)
  • ou Organizational Unit (ou=provo or ou=montreal)
  • cn Common Name (cn=Stephan Fassmann or cn=confRm01)
  • dn Distinguished Name (dn=stephanf)

LDAP errors

Code 49

When setting up a system with LDAP authentication you may get an error code 49. This indicates an authentication error. The specific sub-error, listed after "data" in the message, tells you the cause and will help resolve the issue. [1]

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]
  • 525 user not found
  • 52e invalid credentials
  • 530 not permitted to logon at this time
  • 531 not permitted to logon at this workstation
  • 532 password expired
  • 533 account disabled
  • 701 account expired
  • 773 user must reset password
  • 775 user account locked

Code 32

This indicates a rights error: the directory reports the object as not found (NO_OBJECT) because the user does not have rights to the container you are trying to access.

LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=InformationStore,CN=EXCH01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=gwava Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=aria,DC=local'];
    remaining name 'CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=EXCH01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=gwava Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=gwava,DC=local'

This can be very difficult to resolve. It requires following that path in Active Directory Sites and Services, finding the Impersonation User at that location, and granting the user the rights needed to traverse the tree.

AD Solution to LDAP error code 32 Issue [2]
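As an added example (not from the GWAVA wiki or from Retain), a small Python parser for the two message formats shown above: for code 49 it maps the "data" sub-code to the table under Code 49, and for code 32 it compares the "best match" DN with the "remaining name" DN to list the entries the bound user could not resolve, which are the containers to check rights on. The messages and DNs in it are constructed samples, not real logs.

```python
import re

# "data" sub-codes Active Directory appends to an error code 49 bind failure (table from this page)
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials", "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation", "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password", "775": "user account locked",
}
CODE_RE = re.compile(r"LDAP: error code (\d+)")
DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")
# DNs of a code 32 message; logs often break a DN across lines, so allow whitespace
DN_RE = re.compile(r"best match of:\s*'([^']*)'.*?remaining name\s*'([^']*)'", re.S)


def split_dn(dn):
    """RDNs of a DN, deepest first. Splits only on unescaped commas followed by
    'attr=', so a value like 'CN=Administrative Groups' is never cut in two."""
    parts = re.split(r"(?<!\\),(?=\s*[A-Za-z][A-Za-z0-9-]*=)", dn)
    return [p.strip() for p in parts if p.strip()]


def diagnose(message):
    """Classify an LDAP error message from a bind or search and say what to check."""
    m = CODE_RE.search(message)
    if not m:
        return {"code": None, "reason": "not an LDAP error message"}
    code = int(m.group(1))
    if code == 49:  # authentication failed: the 'data' value names the cause
        d = DATA_RE.search(message)
        sub = d.group(1).lower() if d else ""
        return {"code": 49, "data": sub,
                "reason": AD_BIND_SUBCODES.get(sub, "unknown sub-code %r" % sub)}
    if code == 32:  # object not found, often because the bound user cannot read it
        d = DN_RE.search(message)
        if not d:
            return {"code": 32, "reason": "no best match / remaining name in message"}
        best, remaining = split_dn(d.group(1)), split_dn(d.group(2))
        n = len(best)
        # 'best match' is the deepest entry the bound user could resolve; RDNs of 'remaining name' above it are missing or hidden by rights
        if n and [r.lower() for r in remaining[-n:]] == [b.lower() for b in best]:
            return {"code": 32, "visible": ",".join(best), "unresolved": remaining[:-n],
                    "reason": "grant the bound user read rights down to the unresolved entries"}
        return {"code": 32, "reason": "best match is not a suffix of remaining name; check the base DN"}
    return {"code": code, "reason": "unhandled LDAP error code %d" % code}


# Constructed sample messages in the format this page shows (not real logs).
SAMPLE_49 = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: "
             "AcceptSecurityContext error, data 533, v2580]")
SAMPLE_32 = ("[LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 "
             "(NO_OBJECT), data 0, best match of:\n    'OU=provo,\nDC=gwava,\nDC=com']; "
             "remaining name 'CN=Stephan Fassmann,\nOU=Sales,\nOU=provo,\nDC=gwava,\nDC=com'")
```

Paste a message straight from the Retain log into `diagnose()`; line breaks inside the DNs are tolerated.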

LDAP Troubleshooting Tools

There are a few tools that can be handy in dealing with LDAP issues.

Softerra LDAP Browser is a very good tool: it is read-only, so it can't do anything dangerous.

Apache Directory Studio is a more powerful tool, as it can write to directory structures given proper credentials, so be careful not to shoot yourself in the foot. Retain uses the Apache libraries, so if logging in does not work from Apache Directory Studio, Retain will not be able to log in either.
