ssl, active-directory, ldap, tls1.2, openldap

Error while creating an account on Windows from a Linux server using LDAP (Issues with TLS/SSL connection)


I am trying to create an account on Windows AD from a Linux (RHEL) server using the ldapadd command.

When I ran the ldapadd command without a TLS/SSL connection, I encountered the following error:

ldapadd -d 255 -v -H ldap://[Window IP] -D "admin@[Domain Name]" -w "[Password]" -f ldap_user.ldif

Error: ldapadd server is unwilling to perform (53) Additional info: 0000209A: SvcErr: DSID-031A1030, problem 5003 (WILL_NOT_PERFORM), data 0

I couldn't find any information about the 209A error code anywhere.

The command:

ldapsearch -H ldap://[Window IP] -b [~] -D "admin@[Domain Name]" -w "[Password]"

works perfectly fine.

So, I thought that an ldapSSL/TLS connection might be necessary.

I generated a certificate for the computer account from the Windows server's MMC and received it in base64 format (filename: ca.cer).

When I executed the command:

ldapadd -d 255 -v -H ldaps://[Window IP]:636 -D "admin@[Domain Name]" -w "[Password]" -f ldap_user.ldif

(Note: I changed it to ldaps://~:636), I got the same error: ldapadd server is unwilling to perform (53) Additional info: 0000209A: SvcErr: DSID-031A1030, problem 5003 (WILL_NOT_PERFORM), data 0

The debug log showed: tls_read: want=5 error=Bad file descriptor

When I ran:

openssl s_client -connect [Window IP]:636 -CAfile ca.cer

I received: "Verify return code: 21 (unable to verify the first certificate)".

I checked that it is an IP and port with SSL/TLS access.

I also registered the certificate on the Linux server.

What else can I try?

Any help would be greatly appreciated.


Solution

  • AD requires that the connection be encrypted to set the password. So yes, you need to get LDAPS working.

    For TLS to work (in general, not just for ldapadd) your computer needs to trust the certificate - either trust the issuer, or specifically trust that one cert, which it sounds like you did. But also, the domain name on the cert has to match the domain name you're using to connect. In this case, you're using an IP address to connect, which will never match. You need to change ldaps://[Window IP]:636 to use the domain name in the cert. For example, ldaps://example.com:636. If DNS isn't set up for the domain name you used, then add the IP and domain to /etc/hosts
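A complete check-and-create sequence for the fix described in the answer, added here as an example and not part of the original question or answer. It assumes a domain controller named dc01.example.com in the domain example.com, a trust file ca.cer holding the CA that issued the DC certificate (or the DC's self-signed certificate itself), and the container CN=Users,DC=example,DC=com; the user name jdoe and the address 192.0.2.10 are placeholders. It also builds the LDIF with the unicodePwd encoding AD expects for a password, which the thread does not show.

```shell
#!/bin/sh
# Added example (not from the original post): verify an LDAPS connection to a
# domain controller by name, then create a user with a password over it.
# Assumed values: DC FQDN dc01.example.com, domain example.com, user container
# CN=Users,DC=example,DC=com, trust file ca.cer.

# Build the ldaps:// URI and refuse an IP literal: the host in the URI is what
# the client compares against the certificate's subject alt names, and a
# dotted-quad address never matches a DNS name in the cert (IPv6 literals are
# not handled here).
ldaps_uri() {
    case "$1" in
        *[!0-9.]*) printf 'ldaps://%s:636\n' "$1" ;;
        *) echo "refusing IP literal $1: it cannot match the DC certificate name" >&2
           return 1 ;;
    esac
}

# Print the names the certificate actually carries so the URI host can be
# chosen to match one of them (-ext needs OpenSSL 1.1.1 or newer).
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Fail unless the chain verifies and the name matches; -verify_return_error
# turns "Verify return code: 21" into a failed handshake and a non-zero exit,
# and -servername sends the name so the DC can pick the matching certificate.
check_ldaps_trust() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1 || {
        echo "TLS verification of $1 failed; compare cert_names $2 with the URI host" >&2
        return 1
    }
}

# AD accepts a new password only over an encrypted connection and only as the
# unicodePwd attribute: the password wrapped in double quotes, encoded
# UTF-16LE, then base64 for the "::" LDIF form.
unicode_pwd_value() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# LDIF for a new, enabled user (userAccountControl 512 = NORMAL_ACCOUNT).
# $1 = sAMAccountName, $2 = clear-text password.
build_user_ldif() {
    _pw=$(unicode_pwd_value "$2")
    cat <<EOF
dn: CN=$1,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: $1
sAMAccountName: $1
userPrincipalName: $1@example.com
unicodePwd:: $_pw
userAccountControl: 512
EOF
}

# Set RUN_LDAPADD=1 to actually talk to the DC; otherwise the file only
# defines the functions above.
if [ "${RUN_LDAPADD:-0}" = 1 ]; then
    DC=dc01.example.com
    CA=ca.cer
    # If DNS does not resolve the DC name, map it yourself (as root), e.g.:
    #   echo '192.0.2.10 dc01.example.com' >> /etc/hosts
    URI=$(ldaps_uri "$DC")
    check_ldaps_trust "$DC" "$CA"
    build_user_ldif jdoe 'Passw0rd!' > ldap_user.ldif
    # LDAPTLS_CACERT points the OpenLDAP client library at the same trust file
    # openssl just verified with; -W prompts for the bind password instead of
    # leaving it visible in the process list as -w does.
    LDAPTLS_CACERT=$CA ldapadd -H "$URI" -D "admin@example.com" -W -f ldap_user.ldif
fi
```

Run it as RUN_LDAPADD=1 sh ldaps_create.sh after replacing the assumed names. If check_ldaps_trust fails, the output of cert_names ca.cer shows which name the URI must use; if the DC certificate was issued by an enterprise CA rather than being self-signed, ca.cer must contain that CA's certificate, not the computer account's own.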