Ejabberd: LDAP bind failed

(snao1) #1

In NethServer release 7.4.1708, kernel 3.10.0-693.5.2.el7.x86_64,
successfully joined to an existing Samba domain, I’m not able to let ejabberd work, error in log:

2017-11-22 17:12:10.940 [info] <0.37.0>@ejabberd_app:start:76 ejabberd 16.01 is started in the node ejabberd@localhost
2017-11-22 17:12:10.940 [info] <0.7.0> Application ejabberd started on node ejabberd@localhost
2017-11-22 17:12:10.949 [warning] <0.434.0>@eldap:report_bind_failure:1007 LDAP bind failed on server2.taimsrl.lan:389
Reason: strongAuthRequired
2017-11-22 17:12:15.950 [info] <0.434.0>@eldap:connect_bind:1062 LDAP connection on server2.taimsrl.lan:389
2017-11-22 17:12:15.955 [warning] <0.434.0>@eldap:report_bind_failure:1007 LDAP bind failed on server2.taimsrl.lan:389
Reason: strongAuthRequired

Has anyone experienced the same issue?

thanks


(Rob Bosch) #2

My best guess is that you need to change your (domain admin) password to one that meets the requirements. Or change the requirements for authentication in your Samba domain controller.

This article might help you further: https://support.ca.com/us/knowledge-base-articles.tec1723689.html


(snao1) #3

Hi robb, thanks for prompt reply.

If I change my domain admin password, do you think I need to disconnect NethServer from the domain and then rejoin it again?

Thanks


(Rob Bosch) #4

I was just reading the article I linked. Looks like your Samba domain demands LDAPS instead of LDAP to connect. So, no reason to leave and rejoin the domain, just change the method you use to bind to the domain with the ejabberd service.


(Giacomo Sanchietti) #5

It depends on the authentication required by the LDAP AD.

Go to “Account provider” page and enable TLS.


(snao1) #6

TLS was already enabled, I tried to disable and enable it again, no success. No success even with a more complex domain password by the way.


(Giacomo Sanchietti) #7

Then try to switch to ldaps and set TLS to disabled :slight_smile:


(snao1) #8

I would like to not touch the domain controller’s configuration… is there a way to “force” the communication without the strongAuthRequired way?


(Giacomo Sanchietti) #9

Yes, you don’t need to modify the AD: on the page I told you before, change “ldap://” to “ldaps://” and port to 636 (or whatever is in your AD).

If this doesn’t work, you need to change the AD policies.


(Jeroen Visser) #10

Try that and see what happens … SOGo has the same issue.


(snao1) #11

OK, thanks: I will work in this direction and as soon as I have an update I’ll keep you posted.
Thanks all of you for help :slight_smile:


(snao1) #12

Changed and… perfectly working now ^___^
Thanks again :thumbsup:


(Michael Träumner) #13

Could you mark the topic as solved, please? Here are instructions on how to do it.

Howto mark a topic as solved


(Jeff Swank) #14

So, I use the local Samba DC so all my accounts provider page has is:
So I don’t have the options to change those settings.
What would I change to fix this?

Thanks


(Markus Neuberger) #15

Hi @Socs28,

is it really the same problem because it usually works with local AD?

Do you have similar log entries?

2017-11-22 17:12:10.949 [warning] <0.434.0>@eldap:report_bind_failure:1007 LDAP bind failed on server2.taimsrl.lan:389 Reason: strongAuthRequired
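
To check an ejabberd log for the entries asked about here, the following added example (not part of any post in this thread, and not NethServer or ejabberd code) extracts LDAP bind failures and counts the `strongAuthRequired` ones per server and port. The function names are hypothetical; the sample mixes lines quoted in the first post with constructed ones, and it handles `Reason:` both on the same line and on the following line.

```python
import re
from collections import Counter

# eldap warning as quoted in the thread; "Reason:" may sit on the same
# line or on the following one, and both forms appear in the posts.
BIND_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[warning\] \S+"
    r"@eldap:report_bind_failure:\d+ LDAP bind failed on "
    r"(?P<host>[^\s:]+):(?P<port>\d+)(?:\s+Reason: (?P<reason>\S+))?\s*$")
REASON = re.compile(r"^\s*Reason: (?P<reason>\S+)\s*$")

def bind_failures(lines):
    """Yield (timestamp, host, port, reason) for every LDAP bind failure."""
    pending = None                  # failure still waiting for its Reason line
    for line in lines:
        if pending is not None:
            m = REASON.match(line)
            yield (*pending, m.group("reason") if m else "unknown")
            pending = None
            if m:
                continue            # Reason line consumed
        m = BIND_FAIL.match(line)
        if m:
            head = (m.group("ts"), m.group("host"), int(m.group("port")))
            if m.group("reason"):
                yield (*head, m.group("reason"))
            else:
                pending = head
    if pending is not None:         # log ended right after the warning
        yield (*pending, "unknown")

def strong_auth_rejections(lines):
    """Count strongAuthRequired failures per (host, port)."""
    return Counter((h, p) for _, h, p, r in bind_failures(lines)
                   if r == "strongAuthRequired")

W = " [warning] <0.434.0>@eldap:report_bind_failure:1007 LDAP bind failed on "
SAMPLE = [  # first five lines are from the first post, the last three are constructed
    "2017-11-22 17:12:10.949" + W + "server2.taimsrl.lan:389",
    "Reason: strongAuthRequired",
    "2017-11-22 17:12:15.950 [info] <0.434.0>@eldap:connect_bind:1062 "
    "LDAP connection on server2.taimsrl.lan:389",
    "2017-11-22 17:12:15.955" + W + "server2.taimsrl.lan:389",
    "Reason: strongAuthRequired",
    "2017-11-22 17:12:20.960" + W + "server2.taimsrl.lan:389 Reason: strongAuthRequired",
    "2017-11-22 17:12:25.000" + W + "dc.example.lan:636",
    "Reason: invalidCredentials",
]

if __name__ == "__main__":
    for (host, port), n in strong_auth_rejections(SAMPLE).items():
        print(f"{host}:{port} rejected {n} bind(s) with strongAuthRequired")
```

A hit on port 389 is the case post #1 reported; the fix reported in the thread was switching the account provider to ldaps:// on port 636.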


(Matthieu Gaillet) #16

I believe that the new dc and sssd server modules (in testing) solve this. At least it worked for me.

yum --enablerepo=nethserver-testing update nethserver-dc nethserver-sssd