Using AWS AD Connector and UCS to log into AWS console


I set up UCS as AD and a directory in the AWS Directory Service. The directory is configured to get users and credentials from the UCS AD via AWS AD Connector.

As the credentials of the admin user are validated, it seems to be connected, but when I try to create an AWS group it is not possible to search for users.

Sadly there are no log files for the AD Connector, but using tcpdump and Wireshark we could see that the request looks like this:

The result is:

Has someone successfully used the AWS AD connector with UCS?



We compared the supportedControls attribute of an AWS Simple AD and a UCS AD.

The UCS AD is missing 3 controls. One of them is marked as critical in the query:

controlType: 2.16.840.1.113730.3.4.9 (LDAP_CONTROL_VLVREQUEST VLV)

As I understand it, this control is an LDAP overlay (sssvlv). I tried to activate it by adding the line

overlay sssvlv

to /etc/ldap/slapd.conf and restarted the service. But it fails to start.

# /etc/init.d/slapd restart
[info] Restarting ldap server(s).
[ ok ] Stopping ldap server(s): slapd ...done.
[FAIL] Starting ldap server(s): slapd ...failed.
[info] 55d1c82b OVER: Loading Translog Overlay 55d1c82b OVER: db_init 55d1c82b OVER: Configuring Translog Overlay 55d1c82b OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener" 55d1c82b overlay "sssvlv" not found slapschema: bad configuration file!.

How do I activate this overlay/control?
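A way to automate the comparison described in this post, added here as an example and not part of the thread: the script parses the RootDSE output of an `ldapsearch` for `supportedControl` and reports which of the controls the AD Connector search uses are missing. The hostname and the sample RootDSE output are constructed; the VLV OID is the one from the capture above, the sort and paged-results OIDs are the standard ones VLV-style searches depend on.

```python
import re

# OIDs of the LDAP controls the AD Connector search is reported to use.
# VLV (2.16.840.1.113730.3.4.9) is the one marked critical in the capture;
# VLV requires server-side sorting, and paged results is commonly sent too.
REQUIRED_CONTROLS = {
    "2.16.840.1.113730.3.4.9": "LDAP_CONTROL_VLVREQUEST (virtual list view)",
    "1.2.840.113556.1.4.473": "LDAP_SERVER_SORT_OID (server-side sort)",
    "1.2.840.113556.1.4.319": "LDAP_PAGED_RESULT_OID (paged results)",
}


def parse_ldif_values(ldif_text, attribute):
    """Return all values of `attribute` from LDIF text, unfolding
    continuation lines (a line starting with one space continues the
    previous line) and skipping comments."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == attribute.lower():
            values.append(value.strip())
    return values


def missing_controls(ldif_text, required=REQUIRED_CONTROLS):
    """Compare the server's supportedControl list against the required OIDs
    and return {oid: description} for every control the server lacks."""
    offered = set(parse_ldif_values(ldif_text, "supportedControl"))
    return {oid: desc for oid, desc in required.items() if oid not in offered}


# Constructed sample of what
#   ldapsearch -x -H ldap://ucs-dc.example.test -s base -b "" supportedControl
# might return from a directory that offers sort and paging but no VLV.
SAMPLE_ROOTDSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.801
"""

if __name__ == "__main__":
    for oid, desc in missing_controls(SAMPLE_ROOTDSE).items():
        print(f"missing control {oid}: {desc}")
```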



I also had to add this line to /etc/ldap/slapd.conf


Now slapd starts again, but the control is still missing from the list of supported controls.



The problem is that you have enabled the control module in OpenLDAP, but you'd need it in Samba 4. Unfortunately I know neither whether it is available for Samba 4 nor how you can activate it in Samba 4.

The AWS Simple AD is also Samba 4 under the hood. So somehow they got it configured.