Error "Insufficent access rights" when adding NethServer to AD

NethServer Version: NethServer release 7.3.1611 (Final)
Module: Accounts Provider

When trying to add the NethServer to AD (Windows Server 2008R2 with LDAPS), I get the message:

“Insufficent access rights (49/710): specify alternative LDAP bind credentials in Accounts provider configuration”

I looked for solutions in the forum, but I did not find anything that solved it. How do I solve this?

The reason is explained here

http://docs.nethserver.org/en/v7/accounts.html#join-an-existing-active-directory-domain

Go to Accounts provider > Advanced settings and set the credentials. The inline help gives further details about field values.

Good news is that we are going to drop this requirement soon (at least for the Server Manager application).

Yes, I created a user named “root” in the “Nethserver” OU with administrative permissions, and I still receive the notification. The curious thing is that even with the notification, “Nethserver” can authenticate users of the Windows domain. Only squid is not yet authenticating.

Are not required; read-only access is enough.

To be fully operational NethServer requires an additional account to perform simple LDAP binds. Create a dedicated user account in AD, and set a complex non-expiring password for it.

Please refer to the inline help for more info about required credentials.

This is another issue. Proxy clients use kerberos/GSSAPI, NTLM or HTTP basic auth against squid. The additional credentials you set are not involved.

Sorry, but I cannot understand. By default, do users created in AD already have read permission? When I create a user without administrative privileges, NethServer reports “invalid credentials”; only with administrator permission does it register in the AD, but with the red “Insufficent access rights” notification.

The status of the domain account apparently is OK.

Yes, all AD users have LDAP read access.

Some applications like NextCloud, Roundcube, Webtop, ejabberd and Server Manager (until the next update) need to access LDAP directly to read user and group information. They cannot use the machine account credentials, unlike those based on PAM/NSS/SSSD (i.e. Postfix, Dovecot, Samba…), so they require some other user credentials.

To join an AD domain, administrative credentials are required. It is a one-time action. The provided credentials are forgotten immediately and never used to browse LDAP.

Could you open a root shell and paste here the output of

account-provider-test dump

A similar (but different) problem

[maicon@nethserver ~]# account-provider-test dump
{
"startTls" : "",
"bindUser" : "NETHSERVER$",
"userDN" : "dc=company,dc=local",
"port" : 636,
"isAD" : "1",
"host" : "company.local",
"groupDN" : "dc=company,dc=local",
"isLdap" : "",
"ldapURI" : "ldaps://company.local",
"baseDN" : "dc=company,dc=local",
"bindPassword" : "",
"bindDN" : "COMPANY\NETHSERVER$"
}
[maicon@nethserver ~]#

It’s strange because everything seems ok, but the red notification continues.
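The dump above already shows what is missing: the bind user is the machine account and the bind password is empty, which is exactly what the Advanced settings step fills in. As an added example (not NethServer's own tooling and not posted in this thread), here is a small Python check that reads the `account-provider-test dump` JSON and reports why simple LDAP binds from Server Manager, NextCloud, Roundcube etc. would fail; the sample dump is the one above, re-typed as valid JSON, and the `svc-ldap-ro` user is a constructed placeholder.

```python
import json

# Constructed sample: the dump posted above (machine account, empty password).
SAMPLE_DUMP = r"""{
  "startTls": "", "bindUser": "NETHSERVER$", "userDN": "dc=company,dc=local",
  "port": 636, "isAD": "1", "host": "company.local",
  "groupDN": "dc=company,dc=local", "isLdap": "", "ldapURI": "ldaps://company.local",
  "baseDN": "dc=company,dc=local", "bindPassword": "", "bindDN": "COMPANY\\NETHSERVER$"
}"""


def check_bind_config(dump_text):
    """Return findings explaining why simple LDAP binds would fail; [] means OK."""
    cfg = json.loads(dump_text)
    findings = []
    bind_user = cfg.get("bindUser", "")
    # A machine account (trailing $) is only usable through SSSD with
    # Kerberos/NTLM; web apps doing simple binds need a dedicated AD user.
    if cfg.get("isAD") == "1" and bind_user.endswith("$"):
        findings.append("bindUser is the machine account %s: create a dedicated "
                        "read-only AD user for simple binds" % bind_user)
    if not cfg.get("bindPassword"):
        findings.append("bindPassword is empty: set the credentials under "
                        "Accounts provider > Advanced settings")
    uri = cfg.get("ldapURI", "")
    # A simple bind carries the password itself, so it needs TLS on the wire.
    if uri.startswith("ldap://") and not cfg.get("startTls"):
        findings.append("ldap:// without STARTTLS: a simple bind would send the "
                        "password in clear text")
    return findings


def with_bind_credentials(dump_text, user, password):
    """Constructed helper: the same dump with dedicated credentials filled in.
    The NetBIOS domain is assumed to be the first DNS label, upper-cased."""
    cfg = json.loads(dump_text)
    netbios = cfg["host"].split(".")[0].upper()
    cfg.update(bindUser=user, bindDN="%s\\%s" % (netbios, user), bindPassword=password)
    return json.dumps(cfg)


if __name__ == "__main__":
    for line in check_bind_config(SAMPLE_DUMP) or ["bind configuration looks complete"]:
        print("-", line)
```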

It looks like you’re still missing this step!