LDAP with eDirectory


Postby Farmeunit » Tue Jan 29, 2013 8:05 pm

Tried using a variety of settings for the LDAP URL and search filter and tried Anonymous and user binds. Nothing has worked so far.

Version 4.7 (build 3106) – September 12, 2012
Server jetty-6.1.x, java 1.6.0_27, Windows Server 2008 (81.1 MB / 145.0 MB)
LDAP Server: Novell Netware 6.5 SP8

I've also tried 389 and 636. All methods have failed, but this one actually takes longer to say so.
ldap://10.0.1.3:389/ou=Staff,ou=school,o=csd
(sAMAccountName={0})
cn=user,ou=school,o=csd

I tried (uid={0}) also instead of the other.

I tried the base OU instead of Staff, which is where the user is located.

Not sure what else to do.

How do I see what is actually going on?
Farmeunit
 
Posts: 8
Joined: Sun Jan 30, 2011 2:48 am

Re: LDAP with eDirectory

Postby larry.hanks » Wed Jan 30, 2013 1:51 pm

You are on the right track with removing the "(sAMAccountName={0})" line cause eDir doesn't use samaccountname fields.

My suspicion is you may not have your ldap authentication user set up correctly. In Subsonic, what username did you set as the user that authenticates to eDir for LDAP lookups? Keep in mind that LDAP is different between eDir and AD so the syntax will be different depending on how you do it.

Larry
larry.hanks
 
Posts: 22
Joined: Wed Mar 14, 2012 4:18 pm

Re: LDAP with eDirectory

Postby Farmeunit » Wed Jan 30, 2013 9:26 pm

I've tried using my own account, which is a regular user account in eDir, and the admin account. I thought about creating another user specifically for LDAP requests, but haven't yet.
Farmeunit
 
Posts: 8
Joined: Sun Jan 30, 2011 2:48 am

Re: LDAP with eDirectory

Postby larry.hanks » Wed Jan 30, 2013 11:16 pm

OK...I would do a few things to get this answered.

1) I would change the LDAP Search Filter field to read this: (cn={0})

2) I would make the user that you are using to authenticate for LDAPs (LDAP Manager DN) to read this: cn=admin,o=csd (I assume your admin is located in the organization which it looks like is csd.) Then just update the password accordingly.

Finally, if all that doesn't work, I would download an LDAP browser to look at your eDir. Use it to test what settings you need to do the following:

1) What you need for the LDAP URL
2) What you need for the LDAP Search filter
3) What you need for the LDAP Manager DN

For what you need for the LDAP Search filter, you'll probably have a few different options. When you get the LDAP browser to connect to your eDir tree just click on one of the users and see what LDAP attribute best fits what you want to use for searching by.

You can download the LDAP browser here: http://www.ldapbrowser.com/download.htm
Make sure you download the LDAP browser and not the LDAP administrator cause the browser is free and you don't need the features of the administrator to get the answers you need.

Let me know if you need any more help as you go through this. I've done a lot of LDAP stuff with AD and eDir so I can probably help you out. It has been a while since I've done eDir LDAP stuff so I might be wrong on some of this stuff (especially the (cn={0}) part) but it won't take me long to get the bugs out. :)

Larry
Last edited by larry.hanks on Wed Jan 30, 2013 11:20 pm, edited 1 time in total.
larry.hanks
 
Posts: 22
Joined: Wed Mar 14, 2012 4:18 pm

Re: LDAP with eDirectory

Postby larry.hanks » Wed Jan 30, 2013 11:18 pm

Another thought.... you might need to look at your LDAP settings on the LDAP server. Again it's been a while since I've looked at these things but I vaguely remember you need to go in to ConsoleOne and look for an object regarding the server that's acting as the LDAP server. I can't remember right now if it's the actual server object or if there's an LDAP object or what.
larry.hanks
 
Posts: 22
Joined: Wed Mar 14, 2012 4:18 pm

Re: LDAP with eDirectory

Postby Astronutty » Thu Feb 07, 2013 10:17 pm

Thanks for all your questions and answers Shane and Larry.

This seems pretty simple... yet

ldap://10.0.1.3:389/ou=Staff,ou=school,o=csd
(cn={0})
cn=quallss,o=csd

ldap://10.0.1.3:389/ou=school,o=csd
(cn={0})
cn=admin,o=csd

Since the default admin account for Subsonic is "admin" would this cause issues reaching out to the eDirectory with the same username?

I already have preexisting accounts in Subsonic that match the Novell accounts I am trying to log in with.
Astronutty
 
Posts: 4
Joined: Thu Feb 07, 2013 9:13 pm

Re: LDAP with eDirectory

Postby larry.hanks » Fri Feb 08, 2013 8:26 pm

It shouldn't matter that the default admin username for Subsonic is admin because that's a local username to Subsonic and not an LDAP username. As long as you're not logging in to Subsonic with admin and expecting that username to use LDAP, then you should be fine. If you do want admin to be LDAP'd you'll have to do a few tweaks.

If you already have subsonic accounts that match Novell accounts, you probably have one of two options....
1) delete the subsonic accounts and recreate them by logging in to subsonic so LDAP takes over and creates them.
or
2) Go in to the USERS section of subsonic. Then select the user you want to modify and check the box that says, "Authenticate user in LDAP".
That should just make the password redirect to LDAP and authenticate in eDir

Have you tried using that LDAP browser to test with? That is always a good way to find answers with LDAP issues.

On another note, if you're still having problems with LDAP working at all, I think by default Novell doesn't allow LDAP to work without TLS/SSL (389). By default it's set to only allow TLS/SSL (LDAPS - 636) connections. To change that you need to go in to that ConsoleOne server object I was talking about in a previous post and there is a check box in there that you just uncheck. The box says something about forcing TLS/SSL or something like that. When you uncheck it then you can use standard, clear-text ldap over 389.

Again, on that last part, I don't have a live eDir system set up for me to look exactly at the settings to tell you 100% what to do but it's in that general area.

Larry
larry.hanks
 
Posts: 22
Joined: Wed Mar 14, 2012 4:18 pm
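
Added example (not written by any poster in this thread and not Subsonic's own code): a Python check of the three fields discussed above (LDAP URL, search filter, manager DN) that builds the equivalent OpenLDAP ldapsearch command, so the bind and search can be tested outside Subsonic in the same way the LDAP browser suggestion does, and that flags the clear-text port 389 setup mentioned in the last post. The function names and the login name "jsmith" are assumptions made for illustration.

```python
import shlex
from urllib.parse import urlparse, unquote

def escape_filter_value(value):
    """Escape a login name for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        # Backslash, *, ( and ) and NUL change the filter's meaning if left raw.
        out.append('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch)
    return ''.join(out)

def check_settings(ldap_url, search_filter, manager_dn, username):
    """Return (ldapsearch argv, warnings) for one set of the three fields."""
    u = urlparse(ldap_url)
    if u.scheme not in ('ldap', 'ldaps') or not u.hostname:
        raise ValueError('LDAP URL must look like ldap[s]://host[:port]/base-dn')
    base_dn = unquote(u.path.lstrip('/'))
    port = u.port or (636 if u.scheme == 'ldaps' else 389)
    warnings = []
    if not base_dn:
        warnings.append('no base DN in the URL')
    if '{0}' not in search_filter:
        warnings.append('filter has no {0} placeholder for the login name')
    if 'samaccountname' in search_filter.lower():
        warnings.append('sAMAccountName is an Active Directory attribute')
    if u.scheme == 'ldap':
        warnings.append('ldap:// without StartTLS sends bind passwords in clear text')
    if (u.scheme, port) in (('ldap', 636), ('ldaps', 389)):
        warnings.append('scheme and port do not match')
    # The login name replaces {0} only after escaping.
    flt = search_filter.replace('{0}', escape_filter_value(username))
    # -x simple bind, -D bind DN, -W prompt for password, -b base, -s scope
    argv = ['ldapsearch', '-x', '-H', '%s://%s' % (u.scheme, u.netloc),
            '-D', manager_dn, '-W', '-b', base_dn, '-s', 'sub', flt, 'dn']
    return argv, warnings

if __name__ == '__main__':
    # Settings quoted from the first post; "jsmith" is a constructed login name.
    argv, warns = check_settings('ldap://10.0.1.3:389/ou=Staff,ou=school,o=csd',
                                 '(sAMAccountName={0})',
                                 'cn=user,ou=school,o=csd', 'jsmith')
    print(' '.join(shlex.quote(a) for a in argv))
    for w in warns:
        print('warning:', w)
```

If the printed ldapsearch command fails with the same manager DN and password, the problem is on the directory side rather than in Subsonic.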

