Synchronization Agreement LDAP Problem

jlandry
Posts: 27
Joined: Mon Feb 13, 2006 3:38 pm
Location: Connecticut, USA

Synchronization Agreement LDAP Problem

Postby jlandry » Mon Feb 13, 2006 3:56 pm

I am trying to set up the synchronization agreement based on the instructions on pages 16-20 of Chapter 1 of Exchange and Scalix Server Coexistence.

When running the test for data extraction, I get the following error:

2006-02-13 14:37:11 INFO: test searching from EXCHANGE_IP ...
2006-02-13 14:37:11 INFO: search base is cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION
ldap_bind: Invalid credentials
ldap_bind: additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
2006-02-13 14:37:11 ERROR: failed to run omldapsearch
2006-02-13 14:37:11 INFO: test searching from localhost ...
2006-02-13 14:37:11 INFO: search base is o=Scalix
2006-02-13 14:37:12 INFO: ... test searched OK.
2006-02-13 14:37:12 STATUS: Configuration of sync01 completed ########
Common tasks menu for syncid sync01

I am using the Administrator account for exchange and I have checked the "Search" permissions box in the properties for the site in exchange. Why the invalid credentials error?

This is for exchange 5.5

Thanks

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Feb 13, 2006 7:50 pm

If you look at Step 7 regarding the Exchange Administrator, did you make the Administrator a Service Account Admin as well? That's critical in order to search the Exchange LDAP Directory.

Thanks,
Rachel

jlandry
Posts: 27
Joined: Mon Feb 13, 2006 3:38 pm
Location: Connecticut, USA

Postby jlandry » Mon Feb 13, 2006 8:12 pm

The account was already a Service Account Admin. I did notice that even though the account was a Service Account Admin, the "search" permission was not granted. I checked the box to grant search permission and tried again to no avail. Maybe the service needs to be restarted before the permission is actually granted...

I'll have to try again in the morning.

Thanks

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Feb 13, 2006 9:30 pm

Okay. Let's get Scalix out of the way for now. So, open a shell prompt and type:

ldapsearch -xh exchange.domain.com -b cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION -D cn=administrator,cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION -W


and see if you're able to do an authenticated bind to your LDAP server.

Thanks,
Rachel

jlandry
Posts: 27
Joined: Mon Feb 13, 2006 3:38 pm
Location: Connecticut, USA

Postby jlandry » Tue Feb 14, 2006 9:40 am

I have set the Anonymous Account in the DS Site Configuration to the built-in AD "Guest" account. The password for the account is specified in the Anonymous Access section of the DS Site Configuration.

I have given the administrator "search" rights at the Site level. This makes the "Role" for the administrator "Custom" instead of "Service Account Admin" which it was originally.

Upon typing in the following command on the linux machine:

ldapsearch -xh exchange.domain.com -b cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION -D cn=administrator,cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION -W

I get this:

Enter LDAP Password:

After I enter the Administrator password, I get this:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893

I am positive that the password is correct.

I have also tried to make an alternate account "ldapsearch" in AD and give it the permission to search at the site level.

Tried the command with the ldapsearch user instead of administrator:

ldapsearch -xh exchange.domain.com -b cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION -D cn=administrator,cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION -W

Same error:

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Tue Feb 14, 2006 4:15 pm

Hi. First, are you certain you're pointing to your Exchange server and not an Active Directory server? A Google search for "AcceptSecurityContext error" seems to point to an AD error rather than an Exchange 5.5 error. Basically what the error means is that either your DN or password is incorrect.

Thanks,
Rachel

jlandry
Posts: 27
Joined: Mon Feb 13, 2006 3:38 pm
Location: Connecticut, USA

Postby jlandry » Tue Feb 14, 2006 5:22 pm

Unfortunately, our exchange server is also set up to be a domain controller. This is something I am trying to fix by migrating to Scalix. Is there a way around this? I'm trying to set up a couple of accounts on the Scalix server and forward their mail from the exchange server. Once this is successful, I can go ahead and get approval to move everything onto the Scalix server.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Tue Feb 14, 2006 5:36 pm

Hi. Running Exchange on the PDC shouldn't be a problem. If it's an AD server, then that's a different story. Assuming it's PDC/BDC, then go onto your Exchange server and go into Configuration, Protocols, LDAP and either screenshot or post what's on each tab. Make sure you're allowing Plaintext Authentication, but please post all of the data so we can check your settings.

Thanks,
Rachel

jlandry
Posts: 27
Joined: Mon Feb 13, 2006 3:38 pm
Location: Connecticut, USA

Postby jlandry » Tue Feb 14, 2006 5:51 pm

It is an AD server. What's the next step in this case?

jlandry
Posts: 27
Joined: Mon Feb 13, 2006 3:38 pm
Location: Connecticut, USA

Postby jlandry » Tue Feb 14, 2006 6:02 pm

An nmap scan of the machine follows:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-02-14 17:01 EST
Interesting ports on SERVER.DOMAIN.COM (XX.XX.XX.XX):
(The 1636 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
27/tcp open nsw-fe
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
993/tcp open imaps
995/tcp open pop3s
1026/tcp open LSA-or-nterm
1029/tcp open ms-lsa
1067/tcp open instl_boots
1068/tcp open instl_bootc
2232/tcp open ivs-video
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5800/tcp open vnc-http
5900/tcp open vnc
6103/tcp open RETS-or-BackupExec

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Tue Feb 14, 2006 6:22 pm

The fact that you have Exchange 5.5 running on an AD server would have been nice to know up front as it would have saved quite a bit of time. Both AD and Exch55 have an LDAP server and since AD starts first, it grabs the LDAP (389) port. You have several choices. You can disable LDAP on the AD server, you can move the AD LDAP server to a different socket or you can move the LDAP server on Exchange 5.5 to a different socket. If you choose the latter, which is probably the easiest, you will need to change your test ldapsearch. For example if you change the Exchange LDAP socket to 8389, then the ldapsearch line would be:

ldapsearch -xh exchange.domain.com -p 8389 -b cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION -D cn=administrator,cn=Recipients,ou=MY_SITE,o=MY_ORGANIZATION -W


You'll also need to edit the omldapsync file so it includes the correct socket as well.

Thanks,
Rachel

jlandry
Posts: 27
Joined: Mon Feb 13, 2006 3:38 pm
Location: Connecticut, USA

Postby jlandry » Wed Feb 15, 2006 12:37 pm

I have changed the LDAP port in exchange to 390 and restarted the machine.

Now upon running this command:

ldapsearch -xh XX.XX.XX.XX -p 390 -b cn=Recipients,ou=SITE,o=ORGANIZATION -D cn=administrator,cn=Recipients,ou=SITE,o=ORGANIZATION -W -v

I get this:

ldap_initialize( ldap://XX.XX.XX.XX:390 )
Enter LDAP Password:

filter: (objectclass=*)
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <ou=Recipients,ou=SITE,o=ORGANIZATION> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: o=ORGANIZATION

# numResponses: 1

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Feb 15, 2006 1:58 pm

See if this works for you

ldapsearch -xh XX.XX.XX.XX -p 390 -b cn=Recipients,ou=SITE,o=ORGANIZATION -D cn=administrator -W -v

That worked for me ;-)

Cheers,

Sascha.

jlandry
Posts: 27
Joined: Mon Feb 13, 2006 3:38 pm
Location: Connecticut, USA

Postby jlandry » Wed Feb 15, 2006 4:47 pm

Ok, I got it working. I was using the wrong ou. I used a program called ldp.exe to look at the ldap structure and get the real ou. For some reason, exchange is showing a different name for the site than is what is specified in ldap. Mysterious...

Thanks a lot for all the help.
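An added example, not code from this thread or from Scalix, that automates the two diagnoses made above: it parses ldapsearch / omldapsearch output, maps a Windows/AD "AcceptSecurityContext error, data NNN" bind failure to its meaning (the "data 525" seen here means the bind DN matched no account, so the password was never the problem), and for a "No such object" result uses matchedDN to report which RDNs of the search base did not exist (here cn=Recipients,ou=SITE, the wrong ou that was found with ldp.exe). The AD sub-code table is the standard set of Windows logon error codes and the sample outputs are constructed; both are assumptions of the example, not taken from the page.

```python
import re

# Windows/AD bind sub-codes carried in "AcceptSecurityContext error, data NNN" (the
# standard Windows logon error codes). The thread's "data 525" means the bind DN
# matched no account at all, so no password could have succeeded.
AD_BIND_DATA = {"525": "user not found (bind DN does not exist here)",
                "52e": "invalid credentials (wrong password)",
                "532": "password expired", "533": "account disabled",
                "773": "user must reset password", "775": "account locked out"}
BIND_RE = re.compile(r"^ldap_bind: (?P<msg>[^(\n]+?)(?: \((?P<code>\d+)\))?$", re.M)
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")
BASE_RE = re.compile(r"^# base <(?P<dn>[^>]*)> with scope", re.M)
RESULT_RE = re.compile(r"^result: (?P<code>\d+) ?(?P<msg>.*)$", re.M)
MATCHED_RE = re.compile(r"^matchedDN: (?P<dn>.*)$", re.M)

def unresolved_rdns(base_dn, matched_dn):
    """RDNs of base_dn (left to right) that the server could not find: matchedDN in
    a 'No such object' result is the longest existing suffix of the requested base."""
    base = [p.strip() for p in base_dn.split(",") if p.strip()]
    matched = [p.strip().lower() for p in matched_dn.split(",") if p.strip()]
    if matched and [p.lower() for p in base[-len(matched):]] != matched:
        raise ValueError("matchedDN is not a suffix of the base DN")
    return base[:len(base) - len(matched)]

def diagnose(output):
    """Classify an ldapsearch / omldapsearch run from its text output."""
    m = BIND_RE.search(output)
    if m:  # bind failed: nothing after this point can be trusted
        verdict = {"stage": "bind", "error": m.group("msg").strip(),
                   "result_code": int(m.group("code")) if m.group("code") else None}
        d = DATA_RE.search(output)
        if d:  # this comment string comes from Windows/AD LDAP, not from Exchange 5.5
            verdict["ad_data"] = d.group("data").lower()
            verdict["meaning"] = AD_BIND_DATA.get(verdict["ad_data"], "unknown sub-code")
        return verdict
    r = RESULT_RE.search(output)
    if r and r.group("code") != "0":  # bound fine, but the search base is wrong
        verdict = {"stage": "search", "error": r.group("msg").strip(),
                   "result_code": int(r.group("code"))}
        b, md = BASE_RE.search(output), MATCHED_RE.search(output)
        if b and md:
            verdict["unresolved"] = unresolved_rdns(b.group("dn"), md.group("dn"))
        return verdict
    return {"stage": "ok", "error": None, "result_code": 0}

# Constructed samples modelled on the two failures posted in this thread.
BIND_FAIL = ("ldap_bind: Invalid credentials (49)\nadditional info: 80090308: LdapErr: "
             "DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893\n")
SEARCH_FAIL = ("# base <cn=Recipients,ou=SITE,o=ORGANIZATION> with scope sub\n# search result\n"
               "search: 2\nresult: 32 No such object\nmatchedDN: o=ORGANIZATION\n")
```

Run `diagnose(BIND_FAIL)` and `diagnose(SEARCH_FAIL)` to see the two verdicts; a bind verdict without the `ad_data` key means the port is not being answered by Active Directory.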