Hi everyone.
After spending endless hours trying to figure out why I cannot join one more member server to my UCS domain I could need some help.
As several others in this forum I get the following error during univention-join:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
I figured out, that this error message is a result of the failing of the following command (Here with a custom file for the password):
univention-ldapsearch -p '' -s base -h ucs.ig.intra -D uid=Administrator,cn=users,dc=ig,dc=intra --bindpwdfile /tmp/masterpwd dn
I am pretty sure, the password is correct. I expect this account to be the one used when logging to the web interface of the univention domain controller?
In some post (dont remember where) someone talked about a different DN with “cn” instead of “uid”, so I also tried:
univention-ldapsearch -p '' -s base -h ucs.ig.intra -D cn=Administrator,cn=users,dc=ig,dc=intra --bindpwdfile /tmp/masterpwd dn
That does work.
If I use that account in a LDAP client (Apache Directory Studio), I cannot find any DN with “uid=Administrator”. Alle users in CN=Users,DC=ig,DC=intra are written as “CN=…”.
If I change the Administrators password on the Domain controller with
udm users/user modify --dn='uid=Administrator,cn=users,dc=ig,dc=intra' --set password='<new password>'
that does work and I have to use the new password in the univention-ldapsearch command (with “cn=Administrator”) to be successfull.
If figured out that the script “univention-join” does get the full DN from the user name by using the command:
univention-ssh /tmp/masterpwd Administrator@ucs.ig.intra /usr/sbin/udm users/user list --filter uid=Administrator --logfile /dev/null
This delivers the following:
uid=Administrator
DN: uid=Administrator,cn=users,dc=ig,dc=intra
MRAccept: 0
MRAcceptConflictingTimes: 0
MRAcceptRecurringItems: 0
MRProcess: 0
…and so on…
I did not mess around with the LDAP. Before this problem I mostly only used the web interface to configure things. Maybe the kopano installation did? Before this server I successfully joined two more servers, on one of whichI installed kopano. None of these servers are productive, yet. Still, I would like to avoid to start all over an install the domain controller and all servers again.
BTW: I tried the same unvention-ldapsearch command on one of the already joined servers. Same problem here, it does not work with “uid=Administrator,…” but with “cn=Administrator,…”.
Questions:
- Is “uid=Administrator,cn=users,dc=ig,dc=intra” a diffent user than “cn=Administrator,cn=users,dc=ig,dc=intra”?
- Then why does the password change of “uid=Administrator” affect “cn=Administrator”?
- Why am I not able to find “uid=Administrator” in the LDAP?
- Where does the command “/usr/sbin/udm users/user list” on the domain controller get the information from?
- How can I fix the situation?
Clueless,
Ralph Reckert