LinuxQuestions.org
Old 04-18-2016, 03:55 PM   #1
oscarjiao
LQ Newbie
Registered: Apr 2016
Posts: 2
ldapsearch errors


I am trying to authenticate by user ID with ldapsearch. However, I am getting different kinds of errors with the following commands:

Code:
ldapsearch -x -H ldap://ldap.mdanderson.edu:389/ -D "djiao" -w "mypassword"
ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580
Code:
ldapsearch -x -H ldap://ldap.mdanderson.edu:389/ -v uid=djiao -b dc=mdanderson,dc=edu
ldap_initialize( ldap://ldap.mdanderson.edu:389/??base )
filter: uid=djiao
requesting: -b dc=mdanderson,dc=edu 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=djiao
# requesting: -b dc=mdanderson,dc=edu 
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this ope
 ration a successful bind must be completed on the connection., data 0, v2580

# numResponses: 1
Code:
ldapsearch -b dc=mdanderson,dc=edu -H ldap://ldap.mdanderson.edu:389 -W "(&(objectclass=person)(mail=djiao@mdanderson.org))"
Enter LDAP Password: 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (Server (ldap/ldap.mdanderson.edu@MDANDERSON.EDU) unknown while looking up 'ldap/ldap.mdanderson.edu@MDANDERSON.EDU' (cached result, timeout in 1200 sec))
The output messages do not say much about the actual error. What is the correct way to authenticate a user against an LDAP server?
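The three failures above are three different things. The first is a simple bind (-x) whose password the domain controller rejected; Active Directory appends its own sub-status after "data" (here 52e), and that code, not the generic "Invalid credentials (49)", says why. The second is a search attempted with no bind at all (-x but no -D), which AD refuses with 000004DC. The third is a SASL/GSSAPI bind, which ldapsearch attempts whenever -x is absent, and the KDC knows no ldap/ldap.mdanderson.edu service principal, typically because that name is an alias rather than a DC's own host name. As an added example, not part of the original post, the shell function below decodes the AD sub-status in the first two kinds of message; the ldapsearch commands in its comments use the poster's host and user name purely as illustration and are not executed.

```shell
#!/bin/sh
# Added example, not from the thread: decode the Active Directory
# sub-status that a DC appends as "data NNN" to LDAP result 49
# (Invalid credentials), and recognise the 000004DC "bind first"
# operations error returned for unauthenticated searches.

ad_ldap_reason() {
    # $1: the "additional info:" or "text:" line from ldapsearch output
    case "$1" in
        *000004DC*)
            echo "unauthenticated: AD rejects searches on an unbound connection; bind first"
            return 0 ;;
    esac
    # Extract the hex sub-status after "data " (e.g. "data 52e, v2580")
    code=$(printf '%s\n' "$1" \
        | sed -n 's/.*data \([0-9A-Fa-f]\{1,4\}\).*/\1/p' \
        | tr '[:upper:]' '[:lower:]')
    case "$code" in
        525) echo "525: user not found (check the bind name: user@domain or the full DN)" ;;
        52e) echo "52e: invalid credentials (user found, password rejected)" ;;
        530) echo "530: logon not permitted at this time" ;;
        531) echo "531: logon not permitted from this workstation" ;;
        532) echo "532: password expired" ;;
        533) echo "533: account disabled" ;;
        701) echo "701: account expired" ;;
        773) echo "773: user must change password at next logon" ;;
        775) echo "775: account locked out" ;;
        '')  echo "no AD data code found"; return 1 ;;
        *)   echo "$code: unrecognised AD sub-status" ;;
    esac
}

# Bind forms that work against AD (run interactively; not executed here).
# A simple bind (-x) sends the password in clear text, so use ldaps://
# or StartTLS (-ZZ). -W prompts instead of leaving the password in
# shell history as -w does.
#
#   ldapsearch -x -H ldaps://ldap.mdanderson.edu -D 'djiao@mdanderson.edu' -W \
#       -b 'dc=mdanderson,dc=edu' '(sAMAccountName=djiao)'
#
# Kerberos instead of a password: get a ticket first, then let SASL use it.
#
#   kinit djiao@MDANDERSON.EDU
#   ldapsearch -Y GSSAPI -H ldap://ldap.mdanderson.edu -b 'dc=mdanderson,dc=edu' \
#       '(sAMAccountName=djiao)'
#
# Typical use on a captured error line:
#   ad_ldap_reason "$(ldapsearch ... 2>&1 | grep 'additional info')"
```

The decoding table is the documented AD AcceptSecurityContext sub-status set; the function also lowercases the code so either "52e" or "52E" is recognised.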
Old 04-21-2016, 10:43 AM   #2
dijetlo
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
You failed to bind the LDAP connection; you can probably find some useful information in syslog or dmesg.
It will likely tell you authentication failed, which is pretty common, actually.

Take a look here for some detailed instructions on how to resolve it.
Old 04-12-2019, 02:14 PM   #3
turiyag
LQ Newbie
Registered: Apr 2019
Posts: 1
For the future people

TL;DR: Try using the IP address of the Domain Controller directly:

Code:
# List all the IP addresses
$ dig @contoso.com contoso.com

# Print your local IP address
$ ifconfig | grep 'inet '

# Pick the closest IP address to your local IP address
$ ldapsearch -v -h 172.16.53.12 -U turiya.gouw -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'

I FINALLY got a single query to work, after getting this error time and again:
Code:
# I'm pretending that my login username is turiya.gouw@contoso.com, with a password of MY_PASSWORD.
# This search should find all computers in the domain, and since there MUST be at least one computer on the domain, it should always return a result

# I got this loads of times
$ ldapsearch -v -h contoso.com -U turiya.gouw -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
ldap_initialize( ldap://contoso.com )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (Server (krbtgt/18.5.13@CONTOSO.COM) unknown)

But one time, it worked perfectly! So I figured, "Sweet, I've finally authenticated!" and then I tried it again and it didn't work!!! I was like, "hey wait wut?"

So it turned out that my Domain Controller was set to be fault tolerant and distributed. It had multiple computers running it, and I was "supposed to" use the one closest to me. I figured this out when I just did:
Code:
$ ping contoso.com
PING contoso.com (172.18.5.13): 56 data bytes
64 bytes from 172.18.5.13: icmp_seq=0 ttl=126 time=54.460 ms
64 bytes from 172.18.5.13: icmp_seq=1 ttl=126 time=54.861 ms
And I was like, "wow, 54ms? That's a slow domain controller!"
And then later, it said:
Code:
$ ping contoso.com
PING contoso.com (172.16.53.12): 56 data bytes
64 bytes from 172.16.53.12: icmp_seq=0 ttl=127 time=0.747 ms
64 bytes from 172.16.53.12: icmp_seq=1 ttl=127 time=1.016 ms
And I was like, "WAIT, that's 0ms! That's bloody quick!"

So it turned out that to force it to use the closest domain controller, I needed to do this, which worked 100% reliably:
Code:
$ ldapsearch -v -h 172.16.53.12 -U turiya.gouw -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
You can find all of your domain controller's IP addresses with:
Code:
dig @contoso.com contoso.com