Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1252
Views
0
Helpful
8
Replies

LDAP Error with VCS Control

Kim Fitzgerald
Level 1
Level 1

‎10-03-2013 11:46 AM - edited ‎03-18-2019 01:55 AM

                   I am trying to set up LDAP communication on the VCS Control.  I am currently experiencing an error on the VCS Control with software X7.2.1.  error message reads Invalid VCS Bind Credentials.  All of the credentials and LDAp tree path have been validated, we have reset the password in AD and re-entered on the VCS, we have tried to use the digest setting as well as none on the SASL field.  Our LDAP administrator states the account is set up in AD, and is set as read only account with no special privledges.

Is anyone aware of any bugs with this particular setup?  Will the credentials fail if we are using a complex password (capital letters, lower case letters, characters, numbers) ? Any recommendations for the VCS Control?  The error message indicates this is on the LDAP side, however the administrator indicates the LDAP is set up correctly.

Has anyone else has run into a similar issue?

Labels:
0 Helpful
8 Replies 8

Zac Colton
Cisco Employee
Cisco Employee

‎10-03-2013 12:21 PM

Can you provide a screen shot of the settings you are using?

Sent from Cisco Technical Support iPhone App

0 Helpful

Kim Fitzgerald
Level 1
Level 1

‎10-03-2013 02:53 PM

The following is entered in the screens:

0 Helpful

Zac Colton
Cisco Employee
Cisco Employee

‎10-03-2013 03:03 PM

So it does not allow you to save the settings? Is that when the error is shown? I would recommend taking a tcpdump if the VCS at the time of saving the settings. You can filter the capture in wire shark for ldap. The response on the bind attempt should provide more details. I would also recommend looking at the windows event logs at the time. Quick question: is your Active Directory if a single domain, or are their subdomains?

Sent from Cisco Technical Support iPhone App

0 Helpful

Kim Fitzgerald
Level 1
Level 1
In response to Zac Colton

‎10-08-2013 06:52 AM

Hi Zachery,

We are able to save the settings, and then the invalid bind crendtials message comes up.  The account has been reset multiple times as well. they are using a single domain.

Thanks.

0 Helpful

Zac Colton
Cisco Employee
Cisco Employee
In response to Kim Fitzgerald

‎10-08-2013 06:57 AM

Kim,

I would suggest a packet capture to identify what the AD DC is returning in response to the bind request. Have you tried pointing to the Global Catalogue port (3268)?

- Zac

0 Helpful

Kim Fitzgerald
Level 1
Level 1
In response to Zac Colton

‎10-09-2013 10:55 AM

The VCS log is showing the following: 

2013-10-09T11:42:13-04:00 sshd[32364]: Module="nss_ldap" Level="ERROR" UTCTime="2013-10-09 15:42:13,120" Detail="Could not search LDAP server" Reason="Server is unavailable"

2013-10-09T11:42:13-04:00 sshd[32364]: Module="nss_ldap" Level="INFO" UTCTime="2013-10-09 15:42:13" Detail="Failed to bind to LDAP server" URI="

ldap://10.10.1.99" Reason="Invalid credentials"

2013-10-09T11:42:13-04:00 sshd[32364]: Module="nss_ldap" Level="ERROR" UTCTime="2013-10-09 15:42:13,120" Detail="Could not search LDAP server" Reason="Server is unavailable"

2013-10-09T11:42:13-04:00 sshd[32364]: Module="nss_ldap" Level="INFO" UTCTime="2013-10-09 15:42:13" Detail="Failed to bind to LDAP server" URI="

ldap://10.10.1.99" Reason="Invalid credentials"

And the windows server from what i currently have access/feedback on does not appear to have an attempt, i have this being rechecked.  i believe the communication from the control to the server is failing, yet under the active directory on the configuration page, it shows there is a link and communication between to the two. 

Any ideas on why we show a valid link to the exchange server, but the server may not respond or ever see the request? Do I need to be looking at other ports other than port 389 (nonsecure) for this communication? 

Apprecitate any thoughts/feeback.

0 Helpful

Zac Colton
Cisco Employee
Cisco Employee
In response to Kim Fitzgerald

‎10-09-2013 11:03 AM

Have you taken a packet caputure on the VCS while saving this configuration? In it you will see the bind request and the response form the server you are trying to bind to.

I'm assuming when you references your Exchange server that the Exchange server is a Domain Controller. The Active Directory Service page is not for LDAP. That is for the winbind service - the VCS being joined to and being a memeber of the Adctive Directory Domain. This is a completely different animal.

0 Helpful

Martin Koch
VIP Alumni
VIP Alumni
In response to Kim Fitzgerald

‎10-09-2013 02:33 PM

Unsing some 3rd party ldap tool and try to access the data might also be interesting.

You should know best what can be used to authenticate. But for me it looks that info is not ok.

Please remember to rate helpful responses and identify helpful or correct answers.

Please remember to rate helpful responses and identify

0 Helpful
Customers Also Viewed These Support Documents