Virtual Learning Platforms (Technical) thread, page 1 of 2, posts 1 to 15 of 20
#1 cheredenine (Norfolk)

    Google Apps and Active Directory integration - help before it drives me mad!

    So we're generally fed up with Fronter and the lack of decent support and are looking at alternatives. A school I went on a little visit to recently is using Google Apps and is loving it. I thought we'd have a look too, to see if it's for us. Part of the requirements for us is that it links to another system for user creation etc., so that we don't have another system to maintain in parallel.

    So I found the Google Apps Directory Sync application and started filling in details. Didn't get very far, as the LDAP connection will not work. I've tried all manner of combinations of distinguished name for the server and login account, and have tried the normal AD port for communications and the Global Catalogue port while pointed at the relevant server, all to no avail. The specific error appears to be generated by the Java library they're using to make the connection and complains about being unable to bind; this suggests the user details are at fault, but I'm not sure what else to try that doesn't involve a hammer.

    Any suggestions?

    The specific error message is as follows:

    Error: Connection failed
    Exception: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

    Further info: I did try using ADAM on another machine to supply a 'flattened' version with anonymous access enabled, but data extraction problems still abound, even though the connection initially worked...

#2 (Jus North of London)

    Are you behind the county's filter/proxy by any chance? We had to use a 3G dongle at our last place to PowerShell to Live@EDU.

#3 AngryTechnician

    It looks more like the connection to the domain controller is failing than the connection to Google, so I don't think a proxy is to blame. My settings are as follows for reference (anonymised, obviously); in this example my domain is ANGRYTECH, with the FQDN being angrytech.internal.

    Connection type: Standard LDAP
    Host Name: mydc.angrytech.internal (just the plain hostname also works for me)
    Port: 389
    Base DN: OU=People,DC=angrytech,DC=internal (this connects to an OU I created called People in the root of the AD)

    Authentication type: Simple
    Authorized user: ANGRYTECH\gads (this is a standard user I set up just for GADS)
    Password: blahblahblah

#4 CyberNerd

    I agree with AngryTechnician that it looks like a problem connecting to the domain controller.
    I would check that the server you are running ADSync on can access port 389 (or the Global Catalog port) by running telnet against it. If it fails, it's likely to be a firewall. Also check the antivirus isn't blocking comms, which can happen sometimes.

#5 morganw (Cambridge)

    Don't you have to allow unsigned LDAP requests for your DCs?

#6 AngryTechnician

    Quote, originally posted by morganw:
        Don't you have to allow unsigned LDAP requests for your DCs?
    I didn't have to change this setting, though I can't guarantee it wasn't set already from when we used to be CC3. How would I check?

#7 morganw

    See if you have a policy set for:

    Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Domain controller: LDAP server signing requirements

    I think that's the right one to look at anyway; it's been a while since I adjusted my own to allow Moodle authentication via LDAP.

#8 cheredenine

    Quote, originally posted by AngryTechnician:
        It looks more like the connection to the domain controller is failing than the connection to Google, so I don't think a proxy is to blame. My settings are as follows for reference (anonymised, obviously), and in this example my domain is ANGRYTECH with the FQDN being angrytech.internal

        Connection type: Standard LDAP
        Host Name: mydc.angrytech.internal (just the plain hostname also works for me)
        Port: 389
        Base DN: OU=People,DC=angrytech,DC=internal (this connects to an OU I created called People in the root of the AD)

        Authentication type: Simple
        Authorized user: ANGRYTECH\gads (this is a standard user I set up just for GADS)
        Password: blahblahblah
    AngryTech is spot on in that the problem is the connection to the domain controller. Problem is, I tried the exact same format as he did to connect, only for me it is not working.
    I have checked the relevant policies for the domain controller, and unsigned requests are allowed.
    I have tweaked the Symantec Endpoint firewall rules to specifically allow LDAP connections. This firewall has been so little trouble I had forgotten it even existed.
    I tried telnet to connect to the DC via port 389; initially I received 'lost connection to host', but since tweaking Endpoint it now takes me to a blank command prompt screen when I run the command. Not sure if this indicates success or not...

    But still, Google Apps Directory Sync won't connect to AD. Any further ideas?

#9 CyberNerd

    Quote, originally posted by cheredenine:
        I try Telnet to connect to the DC via port 389; initially received 'lost connection to host', but since tweaking Endpoint it now takes me to a blank command prompt screen when i run the command. Not sure if this indicates success or not..
    Yes, this is a good start. A blank screen with a flashing cursor means it's connected on 389. Are you still getting the same error message though?

#10 cheredenine

    Quote, originally posted by CyberNerd:
        Yes this is a good start. A blank screen with flashing cursor means its connected on 389. are you still getting the same error message though?
    Yeah, same error message! Haven't tried again this morning; scheduled a server restart overnight, just in case that trick works... Can't think what else could be the issue!

    Edit: Restart has made no difference; just tried installing on another server using the same config file, but the same error appears!
    Last edited by cheredenine; 2nd December 2011 at 08:44 AM.

#11 CyberNerd

    Can you run Wireshark on the DC and see if the request is getting through?

#12 Netman

    You could try using port 3268 (works for me). Google says:

        What port numbers should be used in Google Apps Directory Sync when connecting to a Global Catalog server?
        By default, Google Apps Directory Sync connects to an LDAP server with the standard LDAP port 389 to query users from a single domain/LDAP server.
        If you need to query users over multiple domains/LDAP servers that have a trust relationship, configure Google Apps Directory Sync to connect to a Global Catalog server with the standard Global Catalog server port 3268.

    More here: Google's "Common Issues" page.

#13 cheredenine

    The Wireshark comment is interesting: I have installed and tested, and a connection is received, the data request is received, then the connection is closed. So there isn't a block, but still it's not working. Not sure how to proceed; not sure if Wireshark shows me anything I can use to diagnose further now it's shown the request is getting through...

    Had already tried using the Global Catalogue port to the relevant server; no dice...

#14 CyberNerd

    Quote, originally posted by cheredenine:
        The wireshark comment is interesting - have installed and tested and a connection is received, the data request is recieved, then the connection is closed. So there isn't a block, but still its not working. Not sure how to proceed - not sure if Wireshark shows me anything i can use to diagnose further now its shown the request is getting through...
    So the request gets there, but Active Directory doesn't send a response, just closes the connection? Sounds a bit odd. Does anything else on your network use LDAP successfully? I'm wondering if it is an Active Directory security setting. Does the account that you're binding with have read access (it should by default)?
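The posts above are circling three separate questions: can the GADS server reach the DC on 389 or 3268 (#4, #9, #12), does the DC accept the simple bind with the posted settings (#3, #8), and is a security setting such as "LDAP server signing requirements" (#7) or the bind account's access (#14) getting in the way. The script below is an added example, not code from the thread, from GADS or from Google: it hand-encodes the same LDAPv3 simple BindRequest that GADS's "Simple" authentication type sends, sends it over plain TCP, and decodes the DC's reply so that the raw resultCode and AD's diagnostic comment can be read without the Java library in between. It then translates the common outcomes into the next check: resultCode 49 with AD's "data 52e" sub-code is a bad password or a bind name AD cannot map; resultCode 8 is what a DC configured for "Require signing" returns to a simple bind on plain 389/3268; resultCode 1 with the comment quoted in the first post is what AD returns to a search on a session that never completed an authenticated bind (an anonymous or unauthenticated bind, which is what an empty password produces); and an empty reply after a successful TCP connect matches the "connection received, then closed" picture from the Wireshark capture. The host, port and account names are assumptions taken from AngryTechnician's anonymised settings; substitute your own.

```python
"""LDAPv3 simple-bind probe (added example; not GADS, Google or the thread's code).

It puts on the wire exactly what GADS's "Simple" authentication type sends, a
BindRequest over plain TCP 389 (or 3268 for the Global Catalog), then decodes the
DC's reply so the raw resultCode and AD's diagnostic comment are visible without
the Java library in the way.  Standard library only; BER is encoded by hand.
"""
import re
import socket

def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):
    """INTEGER for the small positive values used here (message ID, protocol version)."""
    return tlv(0x02, bytes([n]))

def bind_request(message_id, name, password):
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }.
    AD accepts name as a full DN, a UPN (gads@angrytech.internal) or DOMAIN\\user."""
    bind = (ber_int(3)
            + tlv(0x04, name.encode("utf-8"))        # name: OCTET STRING
            + tlv(0x80, password.encode("utf-8")))   # simple [0] OCTET STRING (cleartext!)
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def parse_ldap_result(msg):
    """Decode an LDAPResult carried in a bindResponse (0x61) or searchResDone (0x65):
    { resultCode ENUMERATED, matchedDN, diagnosticMessage }."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag not in (0x61, 0x65):
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}

# AD "data NNN" sub-codes that accompany resultCode 49 (invalidCredentials)
AD_DATA_CODES = {"525": "user not found", "52e": "wrong password (or bind name in a form AD does not map)",
                 "530": "logon hours restriction", "531": "workstation restriction",
                 "532": "password expired", "533": "account disabled", "701": "account expired",
                 "773": "user must change password", "775": "account locked out"}

def explain(result):
    """Map a decoded LDAPResult to the next thing to check."""
    code, diag = result["result_code"], result["diagnostic"]
    m = re.search(r"data ([0-9a-f]+)", diag)
    data = m.group(1) if m else None
    if code == 0:
        return "bind succeeded; host, port and credentials are fine, look at the base DN and search next"
    if code == 49:
        return "invalidCredentials, AD data %s: %s" % (data, AD_DATA_CODES.get(data, "unknown sub-code"))
    if code == 8:
        return ("strongerAuthRequired: the DC has 'LDAP server signing requirements' set to Require signing, "
                "so it refuses a simple bind on plain 389/3268; use LDAPS (636/3269) or relax the policy")
    if code == 1 and "successful bind must be completed" in diag:
        return ("operationsError: this session never completed an authenticated bind (anonymous or "
                "unauthenticated bind, typically an empty password), so the search after it was refused")
    return "resultCode %d: %s" % (code, diag)

def probe(host, port, name, password, timeout=5.0):
    """Connect, bind and return the decoded BindResponse.  Network call: run it from the GADS server."""
    if not password:
        # An empty password is an *unauthenticated* bind: AD answers success but treats the
        # session as anonymous, which is exactly what later yields 'error code 1 ... a successful
        # bind must be completed'.  Refuse to send one rather than report a misleading success.
        raise ValueError("empty password would be an unauthenticated (anonymous) bind")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, name, password))
        reply = s.recv(4096)
    if not reply:
        raise ConnectionError("TCP connected but the peer closed the socket without a BindResponse")
    return parse_ldap_result(reply)

if __name__ == "__main__":
    # Assumed values matching the anonymised settings posted in the thread; substitute your own.
    res = probe("mydc.angrytech.internal", 389, "ANGRYTECH\\gads", "blahblahblah")
    print(res["result_code"], res["diagnostic"])
    print(explain(res))
```

Run it from the same server GADS is installed on, so it crosses the same Endpoint firewall and proxy rules. Because a simple bind sends the password in cleartext, point it at the DC over the LAN only and rotate the GADS account's password if the capture from #13 was taken on an untrusted segment. The probe deliberately stops after the bind; if it reports success and GADS still fails, the remaining variables are the base DN and the search, not the credentials.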

#15 wesleyw (Kingswinford)

    Isn't there a setting in the GPO, I seem to remember, for allowing LDAP access, something to do with NT4 compatibility?

    Wes
