Active Directory join fails because of missing bind DN #8195
Comments
We have the same issue here. Did you find a solution in the meantime? |
@FloFaber Guess I am stuck without the AD integration and only the Authentication Source, not realm and AD. |
@stgmsa
|
@stgmsa For us it works fine when using the default Computer OU. When using a different OU it fails with the same error already mentioned by @PejeDK. This Reddit user seems to have fixed this issue by disabling LdapEnforceChannelBinding: reddit.com/r/PacketFence/comments/1dh938l/comment/lafhz0x/. However, this is not an option for us. |
@FloFaber That Reddit user is working on the same system as this one :-) But the production system did not have the same result, either in PacketFence or with the ldapsearch command. |
What PacketFence version were you using when hitting this error? |
I am running the latest PacketFence on Debian 11.9, PacketFence version 13.2. |
I ran into this problem trying to upgrade from 13.0 to 13.2. After upgrading I was no longer a member of the domain and wasn't able to rejoin. I was getting the same error when attempting to re-sync the machine account by setting a new machine account password and providing the "Domain administrator username" and "Domain administrator password" on the Domain Edit screen under Configuration > Policies and Access Control > Domains > Active Directory Domains. As with others, my OU is also different from the default.
I was not able to test disabling LdapEnforceChannelBinding at the time and instead rolled back to 13.0. |
The domain join seems to work in PacketFence 13.1. However, when specifying a custom Computer OU, the computer object gets created in the default Computer OU. The domain trust is not affected when moving the computer object into the correct OU after joining. So it seems the issue lies somewhere between 13.1 and 13.2. |
Hi
I am experiencing errors when I create an Active Directory Domain (joining) inside PacketFence, because anonymous binding is not allowed and somehow PacketFence tries an anonymous bind rather than using the bind DN of the admin username and password entered in the UI.
With an ldapsearch command line I have to specify the bind options with the full DN of the user, and then it connects.
I have also tested kinit with success, so it should not be a port issue.
netcat tests on ports 64, 88, 636 and 389 are all working.
Is there any way to get this bind setting into the PacketFence UI, or is it possible to create the Active Directory domain from the CLI?
The Connection Profile part works like a charm; it is only the Active Directory part (Configuration - Policies and Access Control - Roles - Active Directory Domains).
I get the following error in the UI
I have added LdapEnforceChannelBinding to the registry and set its value to 0, but that did not fix my issue.
This was to see if it was the obvious security setting that was the issue. But I do get the same error in my lab with this setting enabled.
This ldapsearch command works:
If I do not add the bind statement I get this error:
Basically the same error without the bind statement.
I am running the latest PacketFence on Debian 11.9 with the latest PacketFence version.
I am sure that it is a security feature in Active Directory and the fact that the PacketFence UI maybe does not include all the settings needed to work in a hardened Active Directory domain.
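Added example, not code from the issue reporter or from the PacketFence project: a small POSIX shell script that runs the same base-object search twice, once anonymously and once with an explicit bind DN, and classifies the diagnostic string Active Directory returns on stderr. The point is to tell apart the failures this thread runs together: an anonymous bind that the controller refuses (AD's 000004DC "a successful bind must be completed"), wrong credentials (data 52e), a bind rejected because LdapEnforceChannelBinding is on (data 80090346), a cleartext simple bind refused because LDAP signing is required (00002028), and plain network unreachability. The server URI, base DN, bind DN and password file are assumptions passed as arguments; the sample error texts in demo_classify are constructed in AD's format and were not captured from anyone's controller.

```shell
#!/bin/sh
# Added example (not from the PacketFence project or the issue reporter).
# Probe an Active Directory LDAP endpoint anonymously and with an explicit
# bind DN, and classify the diagnostic AD returns so that "anonymous bind
# refused", "bad credentials" and "channel binding enforced" are not confused.
# Server, base DN, bind DN and password file are assumptions passed as arguments.

# classify_ldap_error: read ldapsearch's stderr on stdin, print one label.
# The substrings are the AD diagnostic codes found in the "additional info" line.
classify_ldap_error() {
    err=$(cat)
    case "$err" in
        "")                        echo "ok" ;;                        # no stderr: bind and search succeeded
        *"data 80090346"*)         echo "channel-binding-enforced" ;;  # SEC_E_BAD_BINDINGS: LdapEnforceChannelBinding rejected the bind
        *"data 52e"*)              echo "bad-credentials" ;;           # AcceptSecurityContext: wrong bind name or password
        *"000004DC"*|*"successful bind must be completed"*) echo "anonymous-bind-refused" ;;  # operation needs an authenticated bind
        *"00002028"*|*"integrity checking"*) echo "signing-required" ;;  # LDAP signing required: cleartext simple bind refused
        *"Can't contact LDAP server"*) echo "unreachable" ;;           # TCP/TLS failure, not an AD policy decision
        *)                         echo "other" ;;
    esac
}

# ldap_bind_probe URI BASE_DN BIND_DN PASSWORD_FILE
# Runs a base-scope search twice: anonymously, then with a simple bind using the
# full DN (-D) and a password read from a file (-y) so it never shows up in ps.
# The password file must not end with a newline, or the newline becomes part of it.
ldap_bind_probe() {
    uri=$1; base=$2; binddn=$3; pwfile=$4
    anon=$(ldapsearch -x -LLL -H "$uri" -b "$base" -s base '(objectClass=*)' 2>&1 >/dev/null | classify_ldap_error)
    bound=$(ldapsearch -x -LLL -H "$uri" -b "$base" -s base -D "$binddn" -y "$pwfile" '(objectClass=*)' 2>&1 >/dev/null | classify_ldap_error)
    printf 'anonymous bind: %s\nbind as %s: %s\n' "$anon" "$binddn" "$bound"
}

# demo_classify: constructed sample diagnostics in AD's format (not captured from
# the reporter's controller), one per outcome, so the classifier runs offline.
demo_classify() {
    printf '%s\n' 'ldap_bind: Operations error (1)' \
        '    additional info: 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563' \
        | classify_ldap_error
    printf '%s\n' 'ldap_bind: Invalid credentials (49)' \
        '    additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v4563' \
        | classify_ldap_error
    printf '%s\n' 'ldap_bind: Invalid credentials (49)' \
        '    additional info: 80090346: LdapErr: DSID-0C090653, comment: AcceptSecurityContext error, data 80090346, v4563' \
        | classify_ldap_error
}

if [ "$#" -eq 4 ]; then
    ldap_bind_probe "$@"
else
    demo_classify
fi
```

Run it with no arguments to see the classifier on the constructed samples, or as `sh ldap_bind_probe.sh ldaps://dc01.example.com DC=example,DC=com 'CN=pf-join,OU=Service,DC=example,DC=com' /root/pf-join.pw` (all hypothetical names). Use ldaps:// or add -ZZ: a simple bind over plain LDAP sends the password in cleartext, and a domain controller that requires LDAP signing answers it with the signing-required result. Active Directory also accepts a UPN (user@example.com) as the simple-bind name, which is useful when the full DN is not at hand. If the anonymous probe reports anonymous-bind-refused while the bound probe reports ok, the controller's policy is working as intended and the failing client is the one not presenting its credentials; channel-binding-enforced on the bound probe is the only case where the LdapEnforceChannelBinding registry value discussed above is what decides the outcome.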