Defect #20699
openldap error - not permitted to logon at this workstation
0%
Description
I configured "LDAP authentication" for our Active Directory.
On Windows 2003 Server x86 and Windows 2012 Server x64, login attempts end with the error (logged using Wireshark):
LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece)
which means "not permitted to logon at this workstation". The solution is to add the AD server to the "userWorkstations" list of each domain user, and it works. But it is a bad solution and our administrators do not accept this.
This behavior was commented on a year ago:
#1913#note-29
Updated by xuezhi li over 7 years ago
I had the same problem as you. Have you solved this problem without adding the AD server to the "userWorkstations" list of each domain user?
Updated by Alexander Ryabinovskiy about 7 years ago
xuezhi li wrote:
I had the same problem as you. Have you solved this problem without adding the AD server to the "userWorkstations" list of each domain user?
No, currently I'm using a solution with Apache + sspi mod :(
http://www.redmine.org/boards/2/topics/127?page=2
Updated by Alexander Ryabinovskiy about 7 years ago
I used this patch for auth_source_ldap to enable LDAP authentication in my situation.
The idea is based on this description of "error 531" and was confirmed by my tests:
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.
So, if this error is returned, the username / password are OK, and I return "true" as the authenticate_dn result.
I understand that searching in the error text is not a very good solution, but I don't have any other, and it works.
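The check described in the description and in the patch comment above, written out as an added example. This is not the patch itself and not Redmine's auth_source_ldap code: it parses the diagnostic message that Active Directory attaches to an invalidCredentials (result code 49) bind response, extracts the "data NNN" sub-code, and treats only data 531 as "password verified, logon refused by the userWorkstations policy". The table of other AD sub-codes (525, 52e, 530, 532, 533, 701, 773, 775) goes beyond what the thread shows and is included for completeness; the function and constant names are this example's own.

```ruby
# Added example: classify an Active Directory LDAP bind failure by the
# "data NNN" sub-code in its diagnostic message. Illustrative code, not the
# Redmine auth_source_ldap patch from the thread.

# Standard AD sub-codes carried in "AcceptSecurityContext error, data NNN".
# 531 is the one reported in this issue; the rest are the usual AD codes.
AD_BIND_DATA_CODES = {
  "525" => :user_not_found,
  "52e" => :invalid_credentials,
  "530" => :not_permitted_at_this_time,
  "531" => :not_permitted_at_this_workstation, # ERROR_INVALID_WORKSTATION
  "532" => :password_expired,
  "533" => :account_disabled,
  "701" => :account_expired,
  "773" => :must_reset_password,
  "775" => :account_locked_out,
}.freeze

# The thread's assumption: AD returns 531 only after the password was
# accepted, so this single code is treated as "credentials verified".
CREDENTIALS_VERIFIED_CODES = %w[531].freeze

# LDAP result code for invalidCredentials, the only case where the
# diagnostic message is consulted at all.
LDAP_INVALID_CREDENTIALS = 49

# Anchored pattern for the whole AD diagnostic string. Anything that does not
# match exactly is reported as unparseable rather than guessed at.
AD_DIAG_RE = /\A(?<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?<dsid>[0-9A-Fa-f]+), comment: AcceptSecurityContext error, data (?<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+\z/

# Parse the diagnostic message; returns nil when it is not an AD bind error.
def parse_ad_bind_error(message)
  # AD sometimes terminates the string with a NUL; strip it before matching.
  m = AD_DIAG_RE.match(message.to_s.delete("\0").strip)
  return nil unless m
  data = m[:data].downcase
  {
    hresult: m[:hresult],
    dsid: m[:dsid],
    data: data,
    reason: AD_BIND_DATA_CODES.fetch(data, :unknown),
  }
end

# The "data" field is the Win32 error in hex: 0x531 is 1329 decimal.
def win32_error_code(data)
  data.to_i(16)
end

# Mirror of the decision the patch makes in authenticate_dn: a clean bind is
# a success, and an invalidCredentials bind counts as a success only when the
# AD sub-code is 531. A 52e (wrong password) or any unparseable message fails.
def credentials_verified?(result_code, diagnostic_message)
  return true if result_code == 0
  return false unless result_code == LDAP_INVALID_CREDENTIALS
  info = parse_ad_bind_error(diagnostic_message)
  !info.nil? && CREDENTIALS_VERIFIED_CODES.include?(info[:data])
end

if __FILE__ == $0
  # Constructed sample messages: the first is the one from this issue,
  # the second is a plain wrong-password response.
  [
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece",
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893",
  ].each do |msg|
    info = parse_ad_bind_error(msg)
    puts "#{info[:data]} (#{win32_error_code(info[:data])}) #{info[:reason]} " \
         "verified=#{credentials_verified?(LDAP_INVALID_CREDENTIALS, msg)}"
  end
end
```

Two caveats a practitioner would want before shipping this logic: the pattern is anchored on purpose, so a message that merely contains the substring "531" somewhere (for example inside the DSID) is never mistaken for the workstation error, and only result code 49 is inspected, so other bind failures cannot be upgraded to a success. Accepting 531 does mean the application deliberately overrides an AD logon restriction that the domain administrators configured; the alternative that keeps AD policy intact is the one the reporter's administrators rejected, adding the server to userWorkstations.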