06-06-2012 11:31 AM - edited 07-03-2021 10:15 PM
I have a problem with an LDAP connection in a 2112 WLC.
I have a WLC that suddenly stopped working with the LDAP integration for webauth.
I checked that the Base DN, the bind user and bind password are fine. Nothing changed.
It was working for years, but since a few days ago the integration is not working.
I suspect the problem is on the Windows side.
The customer said that they did not make any changes on the Windows Domain Controller.
No firewall, no blocked port, etc. The WLC and the LDAP server (Windows DC) are in the same subnet.
I need to make sure that the LDAP service is working on the Windows side. What are the requirements for the bind user?
What tool can help me with this?
Thanks.
PS.
The message in the console is the following:
*LDAP DB Task 2: Jun 05 10:33:13.795: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 2, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Jun 05 10:33:16.994: %LOG-3-Q_IND: ldap_db.c:1038 Could not connect to LDAP server 2, reason: 1005 (LDAP bind failed).[...It occurred 2 times.!]
*LDAP DB Task 1: Jun 05 10:33:16.994: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).
*LDAP DB Task 2: Jun 05 10:33:18.794: %LOG-3-Q_IND: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).[...It occurred 2 times.!]
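As an added example (not code from the thread or from Cisco), the following Python script pulls the server number, reason code and reason text out of WLC log lines like the ones quoted above, and decodes the "AcceptSecurityContext error, data NNN" diagnostic string that an Active Directory domain controller returns alongside LDAP result 49. That sub-code is what a check on the Windows side actually reveals (52e is a wrong password for an existing account, 532 an expired password, 533 a disabled account, 775 a locked-out account, and so on), so it tells you whether the credentials or the account state is the problem. The log lines and the diagnostic string in the block are constructed samples; the regular expressions and function names are my own.

```python
import re

# Constructed sample: WLC syslog lines modelled on the ones quoted in the thread.
WLC_LOG = """\
*LDAP DB Task 2: Jun 05 10:33:13.795: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 2, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Jun 05 10:33:16.994: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).
"""

# Constructed sample of the diagnostic message an AD DC attaches to LDAP result 49.
# Only the "data NNN" field carries the AD-specific sub-code.
AD_DIAG = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"

# Standard AD sub-codes returned with LDAP result 49 (invalidCredentials).
AD_SUBCODES = {
    "525": "user not found (check the bind DN / UPN)",
    "52e": "invalid credentials (wrong password for an existing account)",
    "530": "logon not permitted at this time (logon-hours restriction)",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

WLC_RE = re.compile(
    r"LDAP server (?P<server>\d+), reason: (?P<reason>\d+) \((?P<text>[^)]*)\)"
)
DIAG_RE = re.compile(r"AcceptSecurityContext error, data (?P<sub>[0-9a-f]+)")


def parse_wlc_log(log):
    """Return (server, reason_code, reason_text) for each bind-failure line."""
    events = []
    for line in log.splitlines():
        m = WLC_RE.search(line)
        if m:
            events.append((int(m.group("server")), int(m.group("reason")), m.group("text")))
    return events


def explain_ad_diag(diag):
    """Map the AD 'data NNN' sub-code in a bind diagnostic string to a cause."""
    m = DIAG_RE.search(diag)
    if not m:
        return "no AcceptSecurityContext sub-code found"
    sub = m.group("sub")
    return AD_SUBCODES.get(sub, f"unknown sub-code {sub}")


def triage(event):
    """Turn one parsed WLC event into a next step for the operator.

    Reason 49 is the standard LDAP result code invalidCredentials (RFC 4511),
    so the DC was reached and rejected the bind. Other codes are WLC-internal;
    only the reason text the WLC printed is passed through for those.
    """
    server, reason, text = event
    if reason == 49:
        return (f"server {server}: DC reached, bind rejected ({text}); "
                f"check the bind account on the AD side")
    return (f"server {server}: no LDAP bind completed ({text}); "
            f"check reachability on 389/636 and which server is selected")


if __name__ == "__main__":
    for ev in parse_wlc_log(WLC_LOG):
        print(triage(ev))
    print("AD says:", explain_ad_diag(AD_DIAG))
```

Run it against the WLC log lines you copied from the console and, on the DC side, against the error string from the Directory Service event log or an ldp.exe bind test. Because reason 49 is an answer from the DC rather than a transport problem, a 52e sub-code is hard evidence that the DC received and rejected the exact password the WLC sent, which is the kind of proof the customer would need before looking further on the Windows side.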
06-09-2012 04:12 AM
Actually the problem seems to be that your WLC is not able to connect to the AD.
See that:
*LDAP DB Task 1: Jun 05 10:33:16.994: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).
It obviously mentions invalid credentials. Please double-check the username credentials. Write them again on the WLC if needed.
HTH
Amjad
06-09-2012 08:04 AM
Thanks Amjad,
The credentials are fine. I checked that. I tested it by logging in to the Active Directory. The credential never expires.
As I mentioned, it was working for years and suddenly stopped. I am sure the problem is on the Windows AD side, but I need something to prove it to the customer.
06-09-2012 10:43 AM
Well, it does not necessarily mean that the credentials are incorrect, but the WLC at least does not see them as correct.
I would again suggest you re-enter the credentials in the WLC LDAP configuration.
Try using simple bind and test if it works.
Make sure that the correct LDAP server is selected for the configuration.
Also, try to check from the Windows side why the auth request was refused, which gives you a more accurate picture of why it fails.
HTH
Amjad
06-13-2012 11:13 PM
Dude, simple bind won't work with AD by default.
Only authenticated binding works with AD by default.
For Raf: the requirement for the bind user is the capability to read everything that is to be authenticated from AD.
For more about how AD LDAP works, check the following link:
http://technet.microsoft.com/en-us/library/cc755809%28v=ws.10%29.aspx
--------------------------------------------------------------------------------------
Please don't forget to rate correct answers
06-15-2012 05:19 AM
You are right. Anonymous bind is not allowed by default with Active Directory. But the config example describes how to enable it.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml
It is always more secure to use authenticated bind. Anonymous bind should only be used for testing purposes.
HTH
Amjad
Sent from Cisco Technical Support iPad App