Search user in Active Directory / Samba

I found Cool Solution - LDAP search user / simple authentication account explaining how to add an LDAP search user. I checked if the user is created in the Active Directory but, alas, it isn’t.

I didn’t find any explicit hint that there is no such thing as an AD search user. Is this correct? Do I have to use an LDAP simple authentication account or a full featured AD account?


hey there, did you find out? I currently want to connect a software which is compatible with MS AD but not with LDAP directly.
So I tried to connect to it using ldapsearch for debugging:

URI ldaps://portal.domain.tld:636
BASE dc=domain,dc=tld
BINDDN synchuzer,cn=users,dc=domain,dc=tld
TLS_CACERT /opt/ldapsynch/ucs-root-ca.crt

I tried to replace BINDDN with different variables like “synchuser”, “synchuser@domain.tld” etc. but always got:

Invalid credentials (49)
8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db

I then created a user using MMC which has “domain admin”, but this results in the same error.

So now I found this post and wonder how to do it.
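Added example, not part of any post in this thread: a small Python helper that decodes the AD-style diagnostic string shown above and checks the shape of a bind identity before it is put into `BINDDN`. The sub-code table holds the commonly documented Win32 logon error values, and the function names and identity labels are assumptions made for this illustration.

```python
import re

# Win32 logon error codes that AD-compatible servers report (in hex)
# in the "data" field of a failed bind. Commonly documented values.
SUBCODES = {
    0x525: "user not found",
    0x52E: "logon failure: unknown user name or bad password",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must change password",
    0x775: "account locked out",
}

# Matches e.g. "8009030C: LdapErr: DSID-..., comment: ..., data 52e, v1db"
DIAG = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+")
# One DN component must look like attribute=value (cn=..., uid=..., dc=...).
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def parse_bind_error(text):
    """Return DSID, comment, decimal Win32 code and meaning, or None."""
    m = DIAG.search(text)
    if not m:
        return None
    code = int(m.group("data"), 16)
    return {"dsid": m.group("dsid"), "comment": m.group("comment"),
            "win32": code, "meaning": SUBCODES.get(code, "unrecognised sub-code")}

def classify_bind_identity(ident):
    """Return (form, malformed_components) for a bind identity string."""
    if "=" in ident or "," in ident:
        parts = [p.strip() for p in re.split(r"(?<!\\),", ident)]
        bad = [p for p in parts if not RDN.match(p)]
        return ("dn", bad)
    if "\\" in ident:
        return ("down-level", [])   # DOMAIN\user
    if "@" in ident:
        return ("upn", [])          # user@domain.tld
    return ("bare", [])             # plain account name
```

Sub-code `52e` only says the name or password was rejected; it does not distinguish an unknown account from a wrong password, so an account that exists in one directory service but not in the one being queried produces the same message.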

Oh, my, I fear I just used a full-featured account for searching the AD. It’s been half a year since then and I stumbled upon a few more issues with UCS. So, sorry, I cannot help you with that.

hey there

I wouldn’t say it’s an issue really.
So I also just use a full user now.

Just a little update for when someone else finds this…
The simple-search/authentication-user can only be used against LDAP, not against Samba! And it can only read a limited amount of data. A full user can be used against LDAP + Samba, while LDAP provides more attributes, like a hash of the user password.
