Some AD Users cannot log in

General eFa discussion
SharazJek
Posts: 70
Joined: 01 Sep 2016 05:15
Location: Dallas, TX

Some AD Users cannot log in

Post by SharazJek »

I have recently updated my domain from 2008R2 to 2016. It's a completely new domain unrelated to the old one, but all user names are identical to the old ones (the email domain was migrated, so all email addresses are identical).

My AD user can log in, but others cannot. All the users show up when I go to user management. I also know my account is not local, as I recently changed my AD password and it is allowing me to log in and see my own emails. I cannot figure out where to start troubleshooting this issue, as the only log message I get is baduser/password in the httpd logs.
Zwabber
Posts: 69
Joined: 14 Feb 2016 21:26

Re: Some AD Users cannot log in

Post by Zwabber »

- Change the password of one of these users to a simple password without special characters
- Create a new user with a simple password
- Try other login forms: domain/username, only username, mail address
- Are you sure LDAP is working fine?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Some AD Users cannot log in

Post by shawniverson »

There's a debug script here that could help.

https://github.com/mailwatch/MailWatch/pull/1016/files
SharazJek
Posts: 70
Joined: 01 Sep 2016 05:15
Location: Dallas, TX

Re: Some AD Users cannot log in

Post by SharazJek »

What's the best way to get that test file down to my box? (I know how to wget... I just don't know how to git... I'm not a programmer) :)
SharazJek
Posts: 70
Joined: 01 Sep 2016 05:15
Location: Dallas, TX

Re: Some AD Users cannot log in

Post by SharazJek »

Zwabber wrote: 01 Jan 2018 21:13
- Change the password of one of these users to a simple password without special characters
- Create a new user with a simple password
- Try other login forms: domain/username, only username, mail address
- Are you sure LDAP is working fine?

My password recently changed, so I know it's not caching a password from the previous AD server, and this also confirms the new AD DN settings are correct (the new domain has a completely different structure/OUs).

Creating a new user is something I've not done; I thought about that but never did it. I'll try that and report back.
SharazJek
Posts: 70
Joined: 01 Sep 2016 05:15
Location: Dallas, TX

Re: Some AD Users cannot log in

Post by SharazJek »

OK, here is some output from ldaptest.php:

My credentials:

[root@emx01 ~]# php ldaptest.php
Test connection to server
enable AD compatibility
Try authenticating as DOMAIN\extauth
authentication for searching the account was successful
search for jhorne@lalala.com in LDAP directory
search done
found 1 accounts matching the filter
Trying to authenticate as user: Jonathan Horne
authentication success
db data for account: Mail: jhorne@lalala.com; Internal account idJonathan Horne
login success

Any other user, including a test user I just now created:

[root@emx01 ~]# php ldaptest.php
Test connection to server
enable AD compatibility
Try authenticating as DOMAIN\extauth
authentication for searching the account was successful
search for tuser@lalala.com in LDAP directory
search done
found 1 accounts matching the filter
Trying to authenticate as user: tuser
PHP Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /root/ldaptest.php on line 105

I can log that test user in on the OWA site just fine.
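The sequence the ldaptest.php output above walks through (service-account bind, search by mail address, then a second bind as the account that was found) as an added PHP example; this is not MailWatch's or the test script's code, and the host, base DN, service account and placeholder credentials are assumptions. It refuses an empty password (which AD would accept as an anonymous bind), escapes the search value before putting it into the filter, and re-binds with the DN the directory returned rather than a name stored elsewhere, so a bind failure can be traced to the directory's own naming of the account.

```php
<?php
// Added example: search-then-bind LDAP authentication against AD.
// Not MailWatch code; host, base DN, service account and attribute
// names below are assumed placeholders.

function ldap_auth_by_mail(string $host, string $baseDn, string $svcUser,
                           string $svcPass, string $mail, string $password): bool
{
    if ($password === '') {
        // AD treats a bind with an empty password as an anonymous bind,
        // which "succeeds"; refuse it so a blank password never logs anyone in.
        return false;
    }
    $ds = ldap_connect($host);
    if ($ds === false) { return false; }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD: do not chase referrals

    // Step 1: bind with the service account used only for searching.
    if (!@ldap_bind($ds, $svcUser, $svcPass)) {
        error_log('service bind failed: ' . ldap_error($ds));
        return false;
    }
    // Step 2: look the user up by mail; escape the value so it cannot alter the filter.
    $escaped = ldap_escape($mail, '', LDAP_ESCAPE_FILTER);
    $filter  = '(&(objectClass=user)(mail=' . $escaped . '))';
    $res     = ldap_search($ds, $baseDn, $filter, ['dn', 'sAMAccountName']);
    $entries = $res ? ldap_get_entries($ds, $res) : ['count' => 0];
    if ($entries['count'] !== 1) {
        error_log("found {$entries['count']} accounts matching the filter");
        ldap_unbind($ds);
        return false;
    }
    // Step 3: re-bind as the user with the DN the directory returned.
    $userDn = $entries[0]['dn'];
    $ok = @ldap_bind($ds, $userDn, $password);
    if (!$ok) { error_log("user bind failed for $userDn: " . ldap_error($ds)); }
    ldap_unbind($ds);
    return $ok;
}

// Constructed usage with placeholder values (not a real server or account):
$ok = ldap_auth_by_mail('ldap://dc01.example.com', 'DC=example,DC=com',
                        'DOMAIN\\extauth', 'svc-password',
                        'tuser@example.com', 'user-password');
echo $ok ? "login success\n" : "login failed\n";
```

Running it with the failing account's address shows whether the service bind, the search, or the user bind is the step that rejects the credentials, and the ldap_error() text names the reason the server gave.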
SharazJek
Posts: 70
Joined: 01 Sep 2016 05:15
Location: Dallas, TX

Re: Some AD Users cannot log in

Post by SharazJek »

Anyone have any guesses on this one?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Some AD Users cannot log in

Post by shawniverson »

Not sure if it applies, but check this out. It may be a case sensitivity issue...

https://github.com/mailwatch/MailWatch/issues/1013