1

Hopefully I can get some help here as I have really been beating my head against the ol' keyboard over here.

So, here's the situation.

We recently migrated end users from an onsite Exchange server to Exchange Online, and the client chose to go with Barracuda Cloud Archiving for the archiving solution. Here is where all the trouble began. Barracuda told us that we would be able to authenticate against all three DC's when we started the project because we were under the assumption all three DC's were in the same forest.

Well, Barracuda was not able to authenticate against DC's because they are in a trust, not a forest. And Barracuda uses an outlook plugin that requires their server to authenticate against our ldap server to allow access to the end users Archive mailbox.

Now, Barracuda only can accept one LDAP connection to make the authentication, so we are stuck with 2/3's of our users unable to authenticate.

My idea as a workaround (other than rebuilding the Domain properly, which is in the plans, but isn't the highest priority or do we have the time and resources to migrate all user data to the main DC currently) was to build a Linux Server and use OpenLDAP and SASL Authentication for a pass through auth. to the correlating DC's.

Now I have spent at least 4 entire days at work trying to solve this , and I cannot get this to work. I can get the testsaslauthd to run successfully, using the following command and result.

testsaslauthd -u test@domain.com -p password
0: OK "Success."

But when I run an LDAP search command, here are the results:

ldapsearch -x -H ldap://maindc.domain.com -b dc=domain,dc=com -d uid=test,ou=people,dc=my-domain,dc=com -w password

ldap_bind: Invalid credentials (49)
additional info: 80090308:  LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

So, my hope is that maybe someone here can help me correct this error, or maybe provide a better way to do what I am attempting to do. I'm just a Jr. System Admin, so take it east please.

Thanks for the help!

thedelorean
  • 11
  • 3
  • Your situation isn't rare, but I too am unaware of a solution for poorly written ldap libraries (that doesn't support trusts). Can you see if they support other authentication providers like radius? – Jacob Evans Jul 25 '17 at 20:49
  • I'm not familiar with the ldapsearch command on Linux, but looking at the man page the `-d` switch is to specify debug level. What you specified doesn't look like a debug level. Are you sure you didn't mean to use `-D "test@my-domain.com"`? Also, I recommend using just `-W` instead of `-w passwd` because Unix is keeping a log of all the commands you type in at the command prompt. It is considered bad practice, and a security risk, to type in passwords on the command line. `-W` will prompt for the passwd so you can type it in. – Appleoddity Jul 25 '17 at 21:05
  • @Appleoddity Thanks for the -W tip. I will take that into usage from here on in. I attempted to look at the debug level, and I am unable to get this to produce debugging results. Just another failed command. Any advice? – thedelorean Jul 26 '17 at 13:28

1 Answers1

0

I'll post this as an answer so I get more than 400 characters.

I think you might have misunderstood me in my comment. In your question you said you used to following command: ldapsearch -x -H ldap://maindc.domain.com -b dc=domain,dc=com -d uid=test,ou=people,dc=my-domain,dc=com -w password

Like I stated earlier, I'm not real familiar with the ldapsearch command. But, your error messages is: Invalid credentials (49)

If I look at the ldapsearch man page here, https://linux.die.net/man/1/ldapsearch, I see that -d is to set a debug level. And I'm not sure what uid=test,ou=people,dc=my-domain,dc=com corresponds to.

The problem here is that you have not specified a username to login to active directory with. So, I thought you might have mixed up -d for -D.

Is it possible you should be replacing -d uid=test,ou=people,dc=my-domain,dc=com with -D "test@my-domain.com"?

Even if I am interpreting part of your command incorrectly, at the very least, you do need to specify a username AND a password when connecting to active directory. So, you need to use -D and -W in your command in some fashion.

Appleoddity
  • 3,488
  • 2
  • 13
  • 33