Last Post 04/08/2017 8:18 AM by  Roger French
ldapbind issue
kshields
04/06/2017 11:34 PM

    We are building a new Infor10 environment. LSF is installed as is Lawson for Infor Ming.le. It's version 10.0.9 with all current patches. This server will be a target for an upgrade from LSF 9.0.1.13.

    All smoke tests for LSF pass and the system seems to behave exactly as expected. Now I am trying to perform an ldapbind using the same bind information as was used on the LSF9 server. I haven't run ldapbind before, so I'm not 100% sure what to expect, but I've browsed through Guru posts and it looks like you enter the command and answer prompts as they come up. I confirmed that with a consultant who just finished using the exact same version of ldapbind for another client, which worked fine.

    After I enter $GENDIR/bin/ldapbind, it immediately responds, "bind successful". No prompts, nothing. There are no entries in any $LAWDIR/system/*log, no messages anywhere that I see, just "bind successful". I verified in ssoconfig that it made no changes, so it's just not doing anything. I've tried running it as lawson and as root, with lawsec on and lawsec off, but get the same result. I've also tried using the optional parameters like so (192.168.x.x is the client's ldap to which I'm trying to bind):

    ldapbind -D CN=serviceacct,CN=Users,DC=client,DC=ORG -h 192.168.x.x -p 3268 -q

    With this format, at least it tries to do something, but we get this response even after entering what I believe is the correct password:

    Please enter bind password:
    ldap_bind: Invalid credentials
    ldap_bind: additional info: 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580

    Any help would be appreciated. I have a support case open with Infor but it's been slow going getting responses, and I'm half expecting to hear that they don't provide support for this tool anyway.


    Roger French
    04/07/2017 7:11 AM
    Are you running ldapbind as the 'lawson' user? Did you run your . cv to set the system variables (assuming this is AIX/Unix)?

    Assuming the two steps above, all you have to enter in is "ldapbind". It should ask you for your credentials which are the same credentials for ssoconfig. If it doesn't then I would be concerned.
    The ldapbind command is a type of command-line wizard. It will keep asking you the parameters of which AD or DC you wish to bind to.
    kshields
    04/07/2017 9:16 AM

    Yes, I have set the environment before running the command. And lawson is the user that's used to go into ssoconfig, so it seems like that's the right user to run ldapbind with. Something is making it think it's done before it does anything at all - I just don't know what that could be.

    Roger French
    04/07/2017 12:23 PM

    After you enter ldapbind on the command line and hit the Enter key, what happens next? Does it ask you this question: "Please enter the password used for Lawson security utilites:"

    If it does, what do you type in? The password it's asking for is the same password used for ssoconfig.

    kshields
    04/07/2017 12:44 PM
    No, it does not ask for the password or anything else. It immediately displays "bind successful" and ends.
    Roger French
    04/07/2017 12:47 PM

    Then there is a problem with the ldapbind or your system. 

    Was your system's ldapbind ever working previously?

    It should ask for the password right away. It should not immediately say "bind successful".

    Roger French
    04/07/2017 12:49 PM

    I've never seen or heard of the ldapbind NOT asking for the password right away.

    Because think about it, if you don't enter in a password, then anyone could type in and use whatever server/parameters in the ldapbind.

    I would check your lase logs in LAWDIR/system. Maybe there is some clue there.

    kshields
    04/07/2017 1:03 PM
    This is a new build, so first time using ldapbind on this one. The exact same version works correctly on another system. There is nothing in any of the LAWDIR/system logs, unfortunately. I compared environment variables, etc., and really don't see a difference. I haven't yet looked at LawSec - guess I'll do that next.
    kshields
    04/07/2017 2:28 PM
    Found it. There was something in the PATH that ldapbind did not like. We have an environment-setting script that adds some stuff in front of the path that ". cv" sets, and something in there was interfering. So using . cv instead of running that script fixed it. Looks like we're off and running now.
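
A check for the situation described in the post above, where directories prepended to PATH changed what ran: this is an added example, not part of the original thread and not Lawson code. It lists every executable of a given name in lookup order and reports when a directory other than the expected one wins. The function names and the scratch directories standing in for the extra directory and $GENDIR/bin are assumptions; the thread does not say which PATH entry interfered.

```shell
#!/bin/sh
# path_candidates NAME [PATHSTRING]
# Print every executable called NAME on the search path, in lookup order.
path_candidates() {
    name=$1
    search=${2-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f                        # no globbing while splitting the path
    for dir in $search; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    set +f
    IFS=$old_ifs
}

# check_shadowing NAME EXPECTED_DIR [PATHSTRING]
# Returns 0 if the first match for NAME is in EXPECTED_DIR, 1 if another
# directory wins the lookup, 2 if NAME is not on the path at all.
check_shadowing() {
    expected=$2/$1
    first=$(path_candidates "$1" "${3-$PATH}" | head -n 1)
    if [ -z "$first" ]; then
        echo "$1: not found on search path"; return 2
    fi
    if [ "$first" != "$expected" ]; then
        echo "$1: resolves to $first, expected $expected"; return 1
    fi
    echo "$1: resolves to $expected"; return 0
}

# Constructed demo: a scratch "extra" directory placed ahead of a scratch
# stand-in for $GENDIR/bin, each holding a dummy ldapbind.
demo=$(mktemp -d)
mkdir -p "$demo/extra" "$demo/gen/bin"
for f in "$demo/extra/ldapbind" "$demo/gen/bin/ldapbind"; do
    printf '#!/bin/sh\n' > "$f"; chmod +x "$f"
done
check_shadowing ldapbind "$demo/gen/bin" "$demo/extra:$demo/gen/bin" || true
rm -rf "$demo"
```

On a real system, call `check_shadowing ldapbind "$GENDIR/bin"` once after sourcing each environment script and compare the results.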
    Roger French
    04/08/2017 8:18 AM

    Good to hear you all fixed it.
