I am asking the community if anyone has come this way? I am trying to put together the pieces of this puzzle with PAM, Pass-through Authentication, Winbind, Windows ADAM and ADFS, Samba etc.

I’ve got same error as Patric and arne: “LDAP error: invalid credentials. Error Code: 49?.

Did You find any solution to this? I’ve tripple rechecked all accounts credentials, and those are fine.

What error message are you getting and where are you getting it?

syncadm does not have a blank password. I have given a password to him at creation time. Moreover I have checked this particular password when I logged in with this credentials to the Windows desktop.

It seems as if it is working with the certificate but not with the password.
Another strange effect is: when I check the checkbox “Check hostname against name in certificate for outbound connections” the error changes into “81 – LDAP error: Can’t contact LDAP server”. It is weired as they are in the same subnet and no firewall etc. is in between…

It means what it says, the credential is invalid. Not specifying a password to syncadm works because syncadm has a blank password.

I have this two accounts. Both are working fine.
When I run directly from the FDS

[root@ldap1 slapd-ldap1]# ldapsearch -H ldaps://dc1.rack -x -D “cn=syncadm” -s base -b “” objectclass=*

it gives back success:
…
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ldap1 slapd-ldap1]#

I even don’t need to put in a password as I do have configured the .ldaprc file with the certificate:
[root@ldap1 slapd-ldap1]# cat ~/.ldaprc
# TLS_CACERT /root/CertificateAuthorityRACK-cacert.pem
TLS_REQCERT allow
[root@ldap1 slapd-ldap1]#

The error log file on the FDS gives me the same bloody message hundered times:

[16/Apr/2009:19:15:38 +0200] slapi_ldap_bind – Error: could not read bind results for id [cn=syncadm,dc=w2k3,dc=rack] mech [SIMPLE]: error 49 (Invalid credentials)

So coming back to the manual ldapsearch try it is not working when I run the same command but put in with -w password the password of the AD user:

[root@ldap1 slapd-ldap1]# ldapsearch -H ldaps://dc1.rack -x -D “cn=syncadm” -w password -s base -b “” objectclass=*
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
[root@ldap1 slapd-ldap1]#

I guess we are on the last steps solving this if we can find an answer for the question: Why the login to the AD is possible only without giving the password, but the .pem file.

Furthermore I guess that a workaround would be to let the passowrd field empty while creating the Windows Sync Agreement. Unfortunately this isn’t possible at all as the next button is disabled in that case.

Any Ideas?

The replication plugin connects to two servers, Fedora Directory Server and Active Directory Server, that’s why it uses two accounts. Make sure both of them exists.

Replication Plugin to Fedora Directory Server
uid=SMaster,cn=config (exists in FDS)

Replication Plugin to Active Directory Server
cn=fds,dc=acme,dc=local (exists in ADS)