Last week, one of my customers changed their domain controller infrastructure, so the LDAP server IP address changed. I am not only synchronizing the phone users from this LDAP server but also handling user authentication through it. They sent me the new LDAP server IP address and I tried to synchronize users from it.
The problem started at this point. This system had been working perfectly for a long time, but I could not get the LDAP synchronization to initialize.
It gave an error like this:
Error while connection to ldap://ip-address:389, null
It seemed the LDAP server would not let me perform a lookup. So I tried these steps:
- Changing the admin password,
- Using these username formats:
  - username@domain.local,
  - username@domain.com,
  - DOMAIN\username,
  - Full distinguished name (cn=username, ou=users, dc=domain, dc=local),
- Changing the admin account's group membership (it was in the Domain Admins group; I also added it to the Administrators group),
- Another admin account,
- Another search base,
- With and without an LDAP custom filter.
None of this solved my problem.
By the way, I was able to connect successfully with telnet (C:\> telnet LDAP-SERVER-IP 389).
I could also verify the connection from my side: I could send a lookup, but no answer came back from the LDAP server even when I typed the username or password wrong.
So, to determine whether I could actually reach the LDAP server, I tried a third-party LDAP browser named "Softerra LDAP Browser".
It said: "A stronger authentication method is required for this server."
After a quick search, I found nothing on Cisco's support and configuration pages that clearly resolved my issue. But I found a similar issue affecting Websense. I applied that solution to my case, and then everything worked perfectly, both synchronization and authentication.
It says we need to change "Domain controller: LDAP server signing requirements" to NONE and "Network security: LDAP client signing requirements" to NEGOTIATE.
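As an added example that is not part of the original post: a PowerShell audit of the two policies named above, read from the registry values Microsoft documents for them, plus a query for the domain controller event that records which clients bind without signing. It assumes it is run elevated on the domain controller.

```powershell
# Added example (not from the original post). Reads the two signing policies the
# post changes and lists DC-side evidence of unsigned binds. Assumes it runs
# elevated on the domain controller.
function Get-LdapSigningState {
    $server = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    $client = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' `
        -Name LDAPClientIntegrity -ErrorAction SilentlyContinue

    # "Domain controller: LDAP server signing requirements": 1 = None, 2 = Require signing
    $serverMap = @{ 1 = 'None'; 2 = 'Require signing' }
    # "Network security: LDAP client signing requirements": 0 = None, 1 = Negotiate, 2 = Require
    $clientMap = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

    # Defaults when the value is absent: server = None (1), client = Negotiate (1)
    $s = if ($null -ne $server) { [int]$server.LDAPServerIntegrity } else { 1 }
    $c = if ($null -ne $client) { [int]$client.LDAPClientIntegrity } else { 1 }

    [pscustomobject]@{
        ServerSigning = $serverMap[$s]
        ClientSigning = $clientMap[$c]
        # With "Require signing" the DC answers a plain simple bind on port 389 with
        # LDAP resultCode 8 (strongerAuthRequired), the message Softerra showed above.
        # Clients that bind over LDAPS (636) or StartTLS are accepted at that setting.
        PlainSimpleBindAccepted = ($s -ne 2)
    }
}

# Lists clients that performed unsigned or cleartext simple binds. Directory Service
# event 2889 records each one once the NTDS diagnostic value
# "16 LDAP Interface Events" is set to 2 on the DC.
function Get-UnsignedBindClients {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      ForEach-Object { $_.Message } |
      Select-String -Pattern 'Client IP address:\s*(\S+)' |
      ForEach-Object { $_.Matches[0].Groups[1].Value } |
      Sort-Object -Unique
}

Get-LdapSigningState
Get-UnsignedBindClients
```

Running it before changing the policy shows whether the DC currently requires signing and which client addresses, such as the phone system, would be refused at that setting.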
I hope this is helpful and informative for you. If you encounter this, I first suggest checking all the steps listed above under the first picture.
PS: I also opened a TAC case and an engineer investigated the problem. He said, "This is a server issue; you should forward it to your server administrator or solve it yourself."