Latest post Wed, May 22 2019 1:00 PM by Macindries. 5 replies.
Page 1 of 1 (6 items)
  • Tue, May 14 2019 9:48 PM

    • Macindries
    • Not Ranked
    • Joined on Thu, Oct 13 2005
    • Belgium
    • Posts 54
    • Points 515

    ldap sync not working?

    Hi,


    I am in the setup of a new site and want to use the LDAP sync app to import users from a new domain we set up.

    However, it seems I cannot authenticate. It keeps giving the error of a faulty DN of paw.

    However, if I test by command line or third-party test app, all seems to work.


    Anyone know more about this? Is there a bug?


    Thank you...

  • Wed, May 15 2019 8:18 AM In reply to

    • Macindries
    • Not Ranked
    • Joined on Thu, Oct 13 2005
    • Belgium
    • Posts 54
    • Points 515

    Re: ldap sync not working?

    error:

    WARNING: Connection error: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090579, comment: AcceptSecurityContext error, data 52e, v3839 ]

  • Thu, May 16 2019 12:37 PM In reply to

    • NYnutz
    • Top 500 Contributor
    • Joined on Wed, Nov 25 2009
    • New York City
    • Posts 378
    • Points 4,485

    Re: ldap sync not working?

    Microsoft says that error code -49 is invalid credentials. What I have found with the LDAP sync tool is that using the full Base DN for the user name does not work reliably at all sites. It's better to use the account short name; you may need to use the domain prefix, e.g. {DOMAIN}\{UserName}

    Dave

    Post Production Infrastructure Engineer

    "A very big network"


  • Fri, May 17 2019 2:46 PM In reply to

    • Macindries
    • Not Ranked
    • Joined on Thu, Oct 13 2005
    • Belgium
    • Posts 54
    • Points 515

    Re: ldap sync not working?

    Hi,


    I tried that.

    Seems that there is an issue.

    We did the same new setup on another site of ours, and they have the same issue.

    So, we entered a case at Avid.


    We'll see...

  • Tue, May 21 2019 6:00 PM In reply to

    Re: ldap sync not working?

    I used a tool from the Sysinternals folks called Active Directory Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) to prove that the logon credentials that were declared for NEXIS to log into the AD were correct to access the AD system. This tool is also very useful for verifying that the syntax used for the LDAP User DN and Base DN objects is correct for the LDAP system being connected to. This is a very useful step to be sure that you are starting with the right credentials and syntax.

    Also important in getting this to work is ensuring that the workstation or server platform you use for running the LDAP sync software is able to resolve both the NEXIS server name and the LDAP server name correctly. Similarly, the NEXIS Engine running the System Director service must be able to resolve the LDAP server name correctly. It is important that DNS is configured on the NEXIS Engines so that server addresses declared in the External Authentication dialogue can be resolved (use the Tools Menu of the Web Agent on the Engine running the System Director service to ping the AD server using the host name and FQDN to prove that the DNS server is able to resolve the server name).

    NEXIS software version 7.3 onwards requires that the Domain Name entry in the NEXIS Management Console External Authentication dialogue no longer include the Top-Level Domain name components. Domain names have several components, separated with a full stop (period) character. For example, for a university Media department's domain we might see the following full domain name:

    media.prestigious.ac.uk

    The Top Level components here are likely to be ac.uk and they can be removed for this configuration.

    If the Active Directory server is a standalone domain server for the Media department (without being a child domain in the school’s “prestigious” campus domain) then the domain name for the purposes of the NEXIS configuration is simply “media”. If the Media department server has a domain relationship with the campus server the Domain Name entry here might be “media.prestigious”.

    Also for NEXIS v2018.x systems, the Address entry in this dialogue must be the Active Directory server’s Fully Qualified Domain Name (FQDN) (NEXIS External Authentication will fail if the simple host name or the server’s IP address is declared here). In the example above, if the server hosting the “media” domain is called “ad-dc1” its FQDN will likely be:

    ad-dc1.media.prestigious.ac.uk

    If the LDAP server is Windows Server 2016 or later, then later versions of NEXIS will not be able to authenticate against the Active Directory service in this OS unless the Active Directory (AD) Certificate Services role is installed in the environment (on the AD server) as an additional role. You will get messages similar to those you quoted if this is the case. I found these two articles very helpful for installing the AD Certificate Services role and then installing a certificate (a self-generated certificate was good enough to allow NEXIS to authenticate properly in my tests):

    http://pdhewaju.com.np/2016/04/08/installation-and-configuration-of-active-directory-certificate-services/

    http://pdhewaju.com.np/2017/03/02/configuring-secure-ldap-connection-server-2016/

    I hope that this helps!

    With warm regards

    Neal
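    The two diagnostic points raised above (Dave's note that result code 49 with AD sub-code 52e means invalid credentials, and Neal's rules about the Domain Name and Address entries) can be turned into a small offline pre-flight check. The script below is an added example written for this thread; it is not Avid's code and not part of the NEXIS LDAP sync tool. It parses the exact error string quoted earlier in the thread, maps the AD sub-code to its meaning (52e is the one from the thread; the other sub-codes in the table are the standard Active Directory values for result 49, added here for completeness), and validates the Domain Name / Address pair against the rules in Neal's post. The TLD suffix `ac.uk` and the host `ad-dc1` are taken from Neal's example; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the bind error quoted in this thread.
SAMPLE_ERROR = ("WARNING: Connection error: [LDAP: error code 49 - 8009030C: LdapErr: "
                "DSID-0C090579, comment: AcceptSecurityContext error, data 52e, v3839 ]")

# Active Directory sub-codes that accompany LDAP result 49 (invalidCredentials).
# 52e is the one seen in the thread; the others are the standard AD values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or a user name form the DC does not accept)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_ERR_RE = re.compile(r"error code (?P<code>\d+).*?data (?P<sub>[0-9a-fA-F]+)", re.S)


def parse_bind_error(message):
    """Return (ldap_result_code, ad_subcode, meaning) from an AD bind error string,
    or None if the string is not an AD-style LDAP error."""
    m = _ERR_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    sub = m.group("sub").lower()
    if code == 49:
        meaning = AD_BIND_SUBCODES.get(sub, "unknown AD sub-code for result 49")
    else:
        meaning = "LDAP result %d (not an invalidCredentials bind failure)" % code
    return code, sub, meaning


def domain_name_for_nexis(full_domain, tld_suffix):
    """Drop the top-level components from a DNS domain name, as NEXIS 7.3+ wants:
    'media.prestigious.ac.uk' with suffix 'ac.uk' -> 'media.prestigious'."""
    full = full_domain.lower().rstrip(".")
    suffix = tld_suffix.lower().strip(".")
    if full == suffix:
        raise ValueError("domain consists only of top-level components: %r" % full_domain)
    if full.endswith("." + suffix):
        return full[: -(len(suffix) + 1)]
    return full  # nothing to strip


def check_external_auth_entries(domain_name, address, tld_suffix):
    """Validate the Domain Name and Address entries against the rules in the thread.
    Returns a list of human-readable problems; an empty list means the entries look right."""
    issues = []
    if domain_name.lower().rstrip(".").endswith("." + tld_suffix.lower().strip(".")):
        issues.append("Domain Name still includes the top-level components %r; use %r"
                      % (tld_suffix, domain_name_for_nexis(domain_name, tld_suffix)))
    try:
        ipaddress.ip_address(address)
        issues.append("Address is an IP address; NEXIS needs the AD server's FQDN")
    except ValueError:
        if "." not in address.strip("."):
            issues.append("Address %r is a simple host name; use the FQDN" % address)
    return issues


def bind_name_forms(sam_account, netbios_domain, dns_domain):
    """The short-name forms Dave recommends trying instead of a full DN."""
    return ["%s\\%s" % (netbios_domain, sam_account), "%s@%s" % (sam_account, dns_domain)]


if __name__ == "__main__":
    print(parse_bind_error(SAMPLE_ERROR))
    for problem in check_external_auth_entries("media.prestigious.ac.uk", "10.0.0.5", "ac.uk"):
        print("-", problem)
    print(bind_name_forms("nexis-sync", "MEDIA", "media.prestigious.ac.uk"))
```

    Run it as a script to see the decoded error and the two configuration problems for the deliberately wrong pair (a domain still carrying `ac.uk`, and an IP address instead of an FQDN); feed it your own entries before touching the NEXIS dialogue. Note that the suffix to strip is something you have to supply, since which labels count as "top-level" depends on the registry (Neal's post says `ac.uk` is "likely" for the example domain).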

  • Wed, May 22 2019 1:00 PM In reply to

    • Macindries
    • Not Ranked
    • Joined on Thu, Oct 13 2005
    • Belgium
    • Posts 54
    • Points 515

    Re: ldap sync not working?

    You are absolutely right.


    We had input from Avid that we needed to define a certificate in the domain server.

    We also had to simplify the domain name in the Nexis administration tool.


    Now it works like it should.


    Thank you all for replying...


© Copyright 2011 Avid Technology, Inc.