Recently I had to interact with an application that interacts with 2 ADs on host1 and host2. I find that ldap connections have been failing when connecting to 1 of the hosts. The error looks like this:
Connection to 'LDAP://[host1]/RootDSE' failed.
Logon failure: unknown user name or bad password.
For troubleshooting purposes I installed Apache Directory tool and different CN/DN combinations and my observations are:
when connecting to host1 with the CN (in this case,
Administrator) /[password], I get the following error when fetching base DNs:
Error while fetching base DNs
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
when connecting to host1 with the distinguished name for Administrator and same password, I am able to successfully retrieve base DNs
when connecting to host2 with just the CN (
Administrator again) /, I can successfully retrieve the list of base DNs.
So my question is, are there AD settings I can set to allow authentication using just CN instead of the full DN?
I'm completely new to AD, so if there are things I can supply in my question to make it better for people browsing for similar issues, please let me know. Thanks.
What are host1 and host2 - are they different Domain Controllers (DC) for the same domain or are they for different domains? From what you are explaining they seem to be for different domains if that is the case, then host2 simply have different Administrator with different password.
To answer your questions directly. AD allows CN to be used for user logon if and only if the given CN is unique. So there is no need to make any configuration for that.
However there are a number of other ways to login in AD. You can use
userPrincipalName attributes of the users, these contain the usernames of the user. The first one contains the username from the
DOMAIN\username, where the
DOMAIN is the AD's NetBIOS domain name (I am not sure that is the exact term, but I am using it for lack of better). The second attribute contains the username in the form
email@example.com, where the
example.com is usually the AD's DNS domain name (although it can be different).
So if you are searching for something shorter than the DN use one of above.
User contributions licensed under CC BY-SA 3.0