Re: Active directory and openldap
>keep on meeting the
>following error:
>
>Constraint violation
> additional info: 0000216C: AtrErr: DSID-031D0AC0, #1:
> 0: 0000216C: DSID-031D0AC0, problem 1005 (CONSTRAINT_ATT_TYPE),
>data 0, Att 9005a (unicodePwd)
This happens in AD when the unicodePwd is badly formatted.
Create an LDIF file like this with the dn set correctly. (This changes the
user password to secret).
dn: CN=yourname,cn=users,dc=aaa,dc=bbb,dc=ccc
changetype: modify
replace: unicodePwd
unicodePwd:: IgBzAGUAYwByAGUAdAAiAA==
Modify the AD LDAP entry with
ldapmodify -H ldaps://your-ad-server -D "cn=Administrator,cn=Users,dc=aaa,dc=bbb,dc=ccc" -W -x -f yournew.ldif
If this works, then your problem is that your unicodePwd is not formatted
correctly. Check my earlier mail. You *must* put it in double-quotes then
put it in unicode then base64 it for binary representation.
Mark Benson
Propero Ltd. UK.
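As an added example (not code from Mark's mail or from the OpenLDAP project), the script below produces the unicodePwd value in the form described above (password in double quotes, encoded as UTF-16LE, then base64 for the LDIF "::" syntax), writes the corresponding LDIF modify operation, and decodes a value to report why AD would refuse it. The DN is the thread's placeholder, the "c2VjcmV0" sample is a constructed wrong value (base64 of UTF-8 "secret"), and only the Python standard library is used.

```python
import base64

# Added example for this thread (not code from Mark Benson's post): build the
# unicodePwd value the way AD expects it (double-quoted, UTF-16LE, base64 for
# LDIF) and sanity-check a value before sending it, so the CONSTRAINT_ATT_TYPE
# error can be diagnosed offline.

LDIF_MAX_LINE = 76  # RFC 2849 recommends wrapping LDIF lines at 76 characters


def encode_unicode_pwd(password: str, quote: bool = True) -> str:
    """Return the base64 text for an LDIF 'unicodePwd::' line.

    quote=False deliberately skips the enclosing double quotes so the
    checker below can show what that common mistake looks like.
    """
    text = f'"{password}"' if quote else password
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def make_ldif(dn: str, password: str) -> str:
    """LDIF 'modify' that replaces unicodePwd on one entry (DN is a placeholder)."""
    value = encode_unicode_pwd(password)
    head = "unicodePwd:: "
    first_len = LDIF_MAX_LINE - len(head)
    lines = [f"dn: {dn}", "changetype: modify", "replace: unicodePwd",
             head + value[:first_len]]
    rest = value[first_len:]
    # Continuation lines start with a single space (LDIF line folding).
    while rest:
        lines.append(" " + rest[:LDIF_MAX_LINE - 1])
        rest = rest[LDIF_MAX_LINE - 1:]
    lines.append("-")  # ends the mod-spec; ldapmodify accepts it with or without
    return "\n".join(lines) + "\n"


def check_unicode_pwd(b64: str) -> tuple[bool, str]:
    """Decode a base64 unicodePwd value and say whether its shape is what AD wants.

    Returns (True, password) for a well-formed value, otherwise (False, reason).
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        return False, f"not valid base64: {exc}"
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return False, "bytes are plain ASCII; the UTF-16LE step was skipped"
    if len(raw) % 2:
        return False, "odd byte count; not UTF-16LE"
    text = raw.decode("utf-16-le", errors="replace")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return False, "decoded text is not enclosed in double quotes"
    return True, text[1:-1]


if __name__ == "__main__":
    # The DN below is the placeholder from the thread, not a real entry.
    print(make_ldif("CN=yourname,cn=users,dc=aaa,dc=bbb,dc=ccc", "secret"))
    for sample in (encode_unicode_pwd("secret"),
                   encode_unicode_pwd("secret", quote=False),
                   "c2VjcmV0"):  # constructed: base64 of UTF-8 "secret"
        print(sample, "->", check_unicode_pwd(sample))
```

Running it prints the LDIF for the password secret, whose unicodePwd line carries the same IgBzAGUAYwByAGUAdAAiAA== value as the LDIF above, followed by one accepted value and two rejected ones (quotes missing, and UTF-8 instead of UTF-16LE), which are the two ways of producing the constraint violation quoted in this thread.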
Luca Scamoni <luca.scamoni@sys-net.it>
Sent by: owner-openldap-software@OpenLDAP.org
13/06/2003 11:16
To: Mark.Benson@propero.net
cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: Active directory and openldap
I'm trying to achieve the same objective but keep on meeting the
following error:
Constraint violation
additional info: 0000216C: AtrErr: DSID-031D0AC0, #1:
0: 0000216C: DSID-031D0AC0, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 9005a (unicodePwd)
Did you, by chance, meet this error too? All the rest works nicely but
this error keeps haunting me and the little info I found on the net didn't
help.
Any help is welcome.
Mark.Benson@propero.net wrote:
>I don't know if this helps, but I have LDAP->AD replication working, but
>there were a few problems to overcome including a slurpd mod.
>
>This is based on a transformed replog on LDAP.
>
>Passwords were the first challenge. The password attribute type in AD is
>called unicodePwd and is a unicode representation of the plain text
>password enclosed in double quotes ("secret"). The base64 representation of
>the password secret is IgBzAGUAYwByAGUAdAAiAA== see
>http://support.microsoft.com/?kbid=269190 for more details.
>
>This replication *must* be done using LDAP over SSL on say port 636. If you
>try and set an AD password on plain LDAP (on say 389) it will fail (quite
>right too!). Test this out using ldapmodify with -H
>ldaps://your.ad.server:636. slurpd does LDAP over TLS/SSL using the
>start_tls mechanism (tls=yes in the replica entry in slapd.conf). AFAIK
>this doesn't work with AD because it doesn't support the start_tls extended
>operation needed. This is why ldapsearch etc. with -Z fails with AD and
>works with -H ldaps://your.ad.server:636.
>
>To overcome this, I submitted a patch (to slapd and slurpd) that allows the
>replica host to be specified as a URI (replica
>uri=ldaps://your.ad.server:636). I only submitted it yesterday!
>
>I can now replicate LDAP ADD/MODIFY/DELETE to AD.
>
>Mark Benson
>Propero Ltd. UK.
>
>Jerome Walter <walter+openldap@efrei.fr>
>Sent by: owner-openldap-software@OpenLDAP.org
>13/06/2003 07:40
>To: OpenLDAP-software@OpenLDAP.org
>cc:
>Subject: Re: Active directory and openldap
>
>On Wed, May 21, 2003 at 09:13:23AM -0700, Lon Tierney wrote:
>
>
>>What you will soon find is that you have to replicate all userPassword
>>values to AD in the clear - AD can not accept hashed or encrypted values.
>>So, if you store the passwords in the clear in your OpenLDAP server, you
>>should be fine.
>
>Perhaps I don't get it, but having a trusted realm installed towards a Unix
>KDC, I have something like this in my AD LDIF output:
>
>altSecurityIdentities: Kerberos:walter@USERS.ES.EFREI.FR
>
>You should understand that USERS.ES.EFREI.FR is the Unix (hem GNU/Linux)
>KDC.
>
>Having this, I am authenticating on the other KDC and get tickets from both
>Unix and AD realms without the need of the AD password for the user.
>
>Don't we just need then to replicate _valid_ AD schema data into the LDAP
>server of the AD DC to have the users working in the AD realm?
>
>I am also currently working on this and am stuck with the way to replicate
>slapd data to the AD server and/or the other way. Did someone get this
>working? It seems that University of Michigan has worked on this and set up
>a modified slurpd to get this working. Any info about this? Anyone from
>UMich who could contribute?
>
>Best Regards,
>
>Jerome Walter
>
>--
>-+-- Jérôme Walter - I2 EFREI ----+-
> Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
> "The World is my country" - "Nihon no tomodachi desu"
>EFREI System and Networking guide http://perso.efrei.fr/~walter/