Virtual Learning Platforms Thread, Google Apps and Active Directory integration - help before it drives me mad! in Technical; So we're generally fed up of Fronter and the lack of decent support and are looking at alternatives. A school ...
29th November 2011, 03:42 PM #1
Google Apps and Active Directory integration - help before it drives me mad!
So we're generally fed up of Fronter and the lack of decent support and are looking at alternatives. A school i went on a little visit to recently is using Google Apps and are loving it. I thought we'd have a look to to see ifs for us. Part of the requirements for us is that it links to another system for user creation etc, so that we don't have another system to maintain in parallel.
So i found the Google Apps Directory Sync application and started filling in details. Didn't get very far as the ldap connection will not work. I've tried all manner of combinations of distinguished name for the server and login account, and have tried the normal AD port for communications and the Global Catalogue port while pointed at the relevant server, all to no avail. The specific error appears to be generated by the java library they're using to make the connection and complains about being unable to bind - this suggests the user details are at fault, but not sure what else to try that doesn't involve a hammer.
The specific error message is as follows:
Error: Connection failed
Exception: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Further info: I did try using ADAM on another machine to supply a 'flattened' version with anonymous access enabled, but data extraction problems still abound, even if the connection initially worked...
29th November 2011, 04:18 PM #2
Are you behing the counties Filter/Proxy by any chance. We had to use a 3G dongle at last place to powershell to Live@EDU.
29th November 2011, 05:02 PM #3
It looks more like the connection to the domain controller is failing than the connection to Google, so I don't think a proxy is to blame. My settings are as follows for reference (anonymised, obviously), and in this example my domain is ANGRYTECH with the FQDN being angrytech.internal
Connection type: Standard LDAP
Host Name: mydc.angrytech.internal (just the plain hostname also works for me)
Base DN: OU=People,DC=angrytech,DC=internal (this connects to an OU I created called People in the root of the AD)
Authentication type: Simple
Authorized user: ANGRYTECH\gads (this is a standard user I set up just for GADS)
29th November 2011, 06:09 PM #4
I agree with angrytechnician that it looks like a problem connecting to the domain controller.
I would check that the server you are running ADSync on can access port 389 (or global cat) by running telnet against it. If it fails it's likely to be a firewall. Also check the AntiVirus isn't blocking comms which can happen sometimes.
29th November 2011, 11:48 PM #5
Don't you have to allow unsigned LDAP requests for your DCs?
30th November 2011, 09:41 AM #6
I didn't have to change this setting, though I can't guarantee it wasn't set already from when we used to be CC3. How would I check?
Originally Posted by morganw
30th November 2011, 09:09 PM #7
See if you have a policy set for:
Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Domain controller: LDAP server signing requirements
I think that's the right one to look at anyway, it's been a while since I adjusted my own to allow Moodle authentication via LDAP.
1st December 2011, 12:25 PM #8
Angrytech is spot on in that the problem is the connection to the domain controller. Problem is, i tried the exact same format as he did to connect, only for me it is not working.
Originally Posted by AngryTechnician
I have checked the relevant policies for the domain controller and unsigned requests are allowed
I have tweaked the Symantec Endpoint firewall rules to specifically allow LDAP connections. This firewall has been such little trouble i had forgotten it even existed.
I try Telnet to connect to the DC via port 389; initially received 'lost connection to host', but since tweaking Endpoint it now takes me to a blank command prompt screen when i run the command. Not sure if this indicates success or not..
But still, Google Apps Directory Sync wont connect to AD. Any further ideas?
1st December 2011, 05:29 PM #9
Yes this is a good start. A blank screen with flashing cursor means its connected on 389. are you still getting the same error message though?
Originally Posted by cheredenine
2nd December 2011, 09:35 AM #10
Yeah, same error message! Haven't tried again this morning - scheduled a server restart over night, just in case that trick works... Can't think what else could be the issue!
Originally Posted by CyberNerd
Edit: Restart has made no difference; just tried installing on another server using same config file, but same error appears!
Last edited by cheredenine; 2nd December 2011 at 09:44 AM.
2nd December 2011, 10:01 AM #11
can you run wireshark on the dc and see if the request is getting through.
2nd December 2011, 10:12 AM #12
You could try using port 3268 (works for me) - Google says:
What port numbers should be used in Google Apps Directory Sync when connecting to Global Catalog server?
By default, Google Apps Directory Sync connects to an LDAP server with the standard LDAP port 389 to query users from a single domain/LDAP server.
If you need to query users over multiple domains/LDAP servers that have trust relationship, configure Google Apps Directory Sync to connect to a Global Catalog server with the standard Global Catalog server port 3268.
More here: Common Issues
2nd December 2011, 11:46 AM #13
The wireshark comment is interesting - have installed and tested and a connection is received, the data request is recieved, then the connection is closed. So there isn't a block, but still its not working. Not sure how to proceed - not sure if Wireshark shows me anything i can use to diagnose further now its shown the request is getting through...
Had already tried using the Global Catalogue port to the relevant server - no dice...
2nd December 2011, 02:59 PM #14
So the request gets there, but active directory doesn't send a response, just closes the connection? sounds a bit odd. Does anything else on your network use LDAP successfully? I'm wondering if it is an active directory security setting? Does the account that you're binding with have read access (it should by default)
Originally Posted by cheredenine
10th January 2012, 05:54 PM #15
Isn't there a setting in the GPO I seem to remember for allowing LDAP access something to do with NT4 compatibility?
By Bumbles in forum Virtual Learning Platforms
Last Post: 24th November 2011, 11:19 AM
By erfanos in forum Windows
Last Post: 18th May 2011, 08:26 AM
By Tricky_Dicky in forum MIS Systems
Last Post: 8th January 2010, 01:47 PM
By MarkB in forum Windows
Last Post: 16th April 2007, 11:53 AM
By HodgeHi in forum Wireless Networks
Last Post: 7th February 2007, 01:12 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)