LDAP credentials invalid #1011

Closed
jscully65 opened this issue Jan 22, 2021 · 9 comments

Comments

@jscully65

I'm having issues with LDAP returning "credentials invalid" with the LDAP module. I need the ability to look at the logs, but they are not there for the LDAP module. Where are they located so I can see why it is returning this error? When connecting with ldapsearch with the same credential set I'm able to list the user base from the AD, both with no encryption and with TLS/SSL, so the issue seems to be with freescout.

@freescout-helpdesk
Collaborator

freescout-helpdesk commented Jan 22, 2021

The module does not provide LDAP connection logs.

"Credentials invalid" error is the sign of incorrect "Bind DN" or "Bind Username". Admin user must be located in "Bind DN" and must have "inetOrgPerson" object class.

@tiredofit

Just to correct @freescout-helpdesk: there is no requirement on object class to be able to bind. You can use a SimpleSecurityObject (DSA) or a regular account with elevated permissions (administrator-like).

You'll need to provide some details like your LDAP backend, and some information on what your bind DN / username is. If you have access to the LDAP server as well you should be able to see what is being queried and what is wrong.

@freescout-helpdesk
Collaborator

Right, inetOrgPerson object class is required to import users: #842

@jscully65
Author

Is it a requirement that the user be at the same level as the "Bind DN", or can it be at an OU lower than the Bind DN? I'm using the exact same username and password on the same server when performing a query via ldapsearch from the command line or trying to get the schema information via the plugin. The username is being accepted via ldapsearch and returning data. However, I get "invalid credentials" when trying via the plugin. On the AD server I'm not getting a corresponding audit failure for credential validation. I do get a credential validation failure on the AD with ldapsearch if I put in the incorrect password on the command line.

@freescout-helpdesk
Collaborator

The admin user must be at the same level as the "Bind DN".

@jscully65
Author

OK, I moved the user to the Bind DN and I'm still getting "invalid credentials" for the module, but it is still working for ldapsearch from the command line. I'm still not seeing the request at the AD as a failed login attempt. Interestingly, if I connect to the test LDAP server from the documentation, https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/, I can connect to that. As we are using Active Directory with several LDAP security measures in place (i.e., LDAP server signing requirements, LDAP server channel binding, etc. in group policy), could these be getting in the way?

@freescout-helpdesk
Collaborator

Everything is possible. Have you managed to solve the issue?

@jscully65
Author

No I haven't been able to locate the issue. I currently don't have the time to try and track the issue.

@geoffjukes

Hi,

I just battled with this myself. I read the documentation, but it wasn't clear to me. I finally realized that the Bind DN must be the exact DN of the Binding username.

So take the full DN (for example):

CN=LDAP Bind,OU=Users,OU=Organization Name,DC=domain,DC=ext

and put everything after the CN into the Bind DN, and just the value of the CN into the Bind Username.

I re-read the extension instructions, and they were not clear to me. But it's working now!
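The two rules given in this thread (the Bind DN is the parent of the bind account's own DN, and the account must sit directly under that Bind DN, not in a lower OU) are easy to get wrong by hand, especially when a CN contains a comma or other character that is backslash-escaped in the DN. The following is an added example, not FreeScout code or anything posted by a participant: it splits a full DN into the "Bind Username" and "Bind DN" fields as geoffjukes describes, honouring RFC 4514 backslash and hex-pair escapes, and checks whether a given account DN is a direct child of a configured Bind DN. The DNs in the test inputs are constructed; the `example.test` domain is an assumption.

```python
"""Split a full LDAP DN into the module's "Bind Username" and "Bind DN" fields,
and check that an account sits directly under the configured Bind DN.

Added example (not FreeScout code). Handles RFC 4514 escaping such as
"CN=Smith\\, John" and "\\2C"; multi-valued RDNs (a=1+b=2) are not handled.
"""
from __future__ import annotations

import string


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas, keeping each RDN in its raw (escaped) form."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep "\x" together, never split on "\,"
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def unescape_value(raw: str) -> str:
    """Decode RFC 4514 escapes: "\\," -> ",", "\\2C" -> ",", hex pairs are UTF-8 bytes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))       # hex pair: one raw byte
                i += 3
                continue
            out += raw[i + 1].encode("utf-8")   # escaped special character
            i += 2
            continue
        out += raw[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def rdn_attr_value(rdn: str) -> tuple[str, str]:
    """Return (attribute type, unescaped value) of a single RDN such as "CN=LDAP Bind"."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"not an RDN: {rdn!r}")
    return attr.strip(), unescape_value(value.strip())


def bind_fields(full_dn: str) -> dict[str, str]:
    """Derive the module's two fields from the bind account's full DN.

    Bind Username = value of the leading CN; Bind DN = everything after it.
    """
    rdns = split_rdns(full_dn)
    if len(rdns) < 2:
        raise ValueError("DN must have a parent to use as Bind DN")
    attr, value = rdn_attr_value(rdns[0])
    if attr.lower() != "cn":
        raise ValueError(f"leading RDN is {attr}, expected CN")
    return {"bind_username": value, "bind_dn": ",".join(rdns[1:])}


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: AD DNs are case-insensitive in type and value."""
    parts = []
    for rdn in split_rdns(dn):
        attr, value = rdn_attr_value(rdn)
        parts.append(f"{attr.lower()}={value.lower()}")
    return ",".join(parts)


def is_direct_child(account_dn: str, bind_dn: str) -> bool:
    """True if the account's immediate parent is the Bind DN (same level, not a sub-OU)."""
    parent = ",".join(split_rdns(account_dn)[1:])
    return normalize_dn(parent) == normalize_dn(bind_dn)


if __name__ == "__main__":
    dn = "CN=LDAP Bind,OU=Users,OU=Organization Name,DC=domain,DC=ext"   # from the thread
    print(bind_fields(dn))
    print(is_direct_child(dn, "OU=Users,OU=Organization Name,DC=domain,DC=ext"))
    print(is_direct_child("CN=LDAP Bind,OU=Svc,OU=Users,OU=Organization Name,DC=domain,DC=ext",
                          "OU=Users,OU=Organization Name,DC=domain,DC=ext"))
```

Run it with the DN of the service account you bind with; if `is_direct_child` returns `False` for the Bind DN you configured, the account is in a sub-OU and, per the maintainer's answer above, needs to be moved (or the Bind DN changed to its real parent). Note that `bind_fields` returns the unescaped CN value, so a CN of `Smith\, John` yields the username `Smith, John`.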
