Ejabberd: LDAP bind failed

snao1 · November 23, 2017, 10:33am

in NethServer release 7.4.1708, kernel 3.10.0-693.5.2.el7.x86_64
successfully joined an existing Samba domain, I’m not able to slet ejabberd works, error in log:

2017-11-22 17:12:10.940 [info] <0.37.0>@ejabberd_app:start:76 ejabberd 16.01 is started in the node ejabberd@localhost
2017-11-22 17:12:10.940 [info] <0.7.0> Application ejabberd started on node ejabberd@localhost
2017-11-22 17:12:10.949 [warning] <0.434.0>@eldap:report_bind_failure:1007 LDAP bind failed on server2.taimsrl.lan:389
Reason: strongAuthRequired
2017-11-22 17:12:15.950 [info] <0.434.0>@eldap:connect_bind:1062 LDAP connection on server2.taimsrl.lan:389
2017-11-22 17:12:15.955 [warning] <0.434.0>@eldap:report_bind_failure:1007 LDAP bind failed on server2.taimsrl.lan:389
Reason: strongAuthRequired

anyone has experienced same issue?

thanks

robb · November 23, 2017, 10:41am

My best guess is that you need to change your (domain admin) password that meets the requirements. Or change the requirements for authentication in your Samba domain controller.

This article might help you further: https://support.ca.com/us/knowledge-base-articles.tec1723689.html

snao1 · November 23, 2017, 10:46am

Hi robb, thanks for prompt reply.

If I change my domain admiin password, do you think I need to disconnect Nethserver from domain and then rejoin it again?

Thanks

robb · November 23, 2017, 10:47am

I was just reading the article I linked. Looks like your Samba domain demands LDAPS instead of LDAP to connect. So, no reason to leave and rejoin the domain, just change the method you bind to the domain with ejabber service.

giacomo · November 23, 2017, 11:12am

It depend on authentication required by the LDAP AD.

Go to “Account provider” page and enable TLS.

snao1 · November 23, 2017, 11:18am

TLS was already enabled, I tried to disable and enable it again, no success. No success even with a more complex domain password by the way.

giacomo · November 23, 2017, 11:36am

Then try to switch to ldaps and set TLS to disabled

snao1 · November 23, 2017, 2:12pm

I would like to not touch the controller domain’c configuration… is there a way to “force” the communication without strongAuthRequired way?

giacomo · November 23, 2017, 3:05pm

Yes, you don’t need to modify the AD: on the page I told you before, change “ldap://” to “ldaps://” and port to 636 (or whatever is in your AD).

If this doesn’t work, you need to change the AD policies.

planet_jeroen · November 23, 2017, 3:44pm

Try that and see what happens … SOGo has the same issue.

snao1 · November 23, 2017, 4:28pm

ok, thanks: I will work on this direction and as soon I will have update I’ll keep you posted
Thanks all of you for help

snao1 · November 24, 2017, 7:42am

Changed and… perfectly working now ^___^
Thanks again

m.traeumner · November 24, 2017, 10:37am

Could you mark the topic as solved please. Here is an instruction how to do it.

Howto mark a topic as solved

Socs28 · December 29, 2017, 8:58pm

So, I use the local Samba DC so all my accounts provider page has is:
So I don’t have the options to change those settings.
How would I change what to fix this?

Thanks

mrmarkuz · December 30, 2017, 1:51am

Hi @Socs28,

is it really the same problem because it usually works with local AD?

Do you have similar log entries?

2017-11-22 17:12:10.949 [warning] <0.434.0>@eldap:report_bind_failure:1007 LDAP bind failed on server2.taimsrl.lan:389 Reason: strongAuthRequired

pagaille · January 15, 2018, 12:49pm

I believe that the new dc and sssd server modules (in testing) solves this. At least it worked for me.

yum --enablerepo=nethserver-testing update nethserver-dc nethserver-sssd

Francenildo · October 10, 2019, 1:16pm

Guys I solved this problem just changing ldap_port = 636 and ldap_encrypt = tls.