Problem with AD Connection String - LDAP

Jul 27, 2009 at 10:56 PM
Edited Jul 28, 2009 at 11:12 PM

Hello,

I have WSS set up in a farm. 1 machine is WSS 3.0, 1 is SQL, and 1 is the AD machine.

I have installed the software, and can get to the change password, and add user components.

However, when I go to configure LDAP I keep getting "Cannot connect using this connection string".

The AD machine is "ABC-123.GDE.internal", the SQL machine is "ABC-456.GDE.internal" and WSS is "ABC-789.GDE.internal".

The Internet domain is, for example, http://GDEinfo.com

The organization unit is GDE, and GDE_users.

So right now on the WSS machine I have LDAP://ABC-123.GDE.INTERNAL/OU=GDE,DC=ABC-123,DC=GDE,DC=INTERNAL

My organizational unit is GDE_Users; this is all from the Active Directory Settings page.

What am I doing wrong that it cannot connect to my AD machine?

 

Jul 29, 2009 at 10:39 PM
Edited Jul 30, 2009 at 3:24 AM

Here is an update.

Using the adsvd.exe application that came with the install pack, I verified my ADsPath as follows: LDAP://abc-123.gde.internal/OU=GDE,DC=GDE,DC=INTERNAL

Also, while connected through adsvd.exe on my WSS server, I was able to connect to the AD machine and update a user's password, which tells me that at least the LDAP path pointing to the AD machine is working. It just will not work when setting the path in the SharePoint site.

In Active Directory Settings I added that path to the Active Directory Connection String, and under Organisation Unit I put GDE_Users and verified that this Organisational Unit exists.

Once I click save I get the same error message: "Cannot connect using this connection string".

Does anyone else have this running in a farm environment (1 AD machine, 1 SQL machine, 1 WSS machine, with internet access to the SharePoint site) and have SharePoint Account Provision working? At least where you can add users? If so, please post an example of your AD machine name, domain, etc. (fictional of course, don't want prying eyes) and then the LDAP string you used.

Does anyone have any ideas?

Aug 5, 2009 at 9:19 AM

We have this running in a farm environment.

Our setup is:

Active Directory:

Domain: blah.com

---- OU: CompanyX

--------- OU: Users

In the Active Directory Settings in SharePoint:

Active Directory Connection String: "LDAP://blah.com/OU=CompanyX,DC=blah,DC=com"

Organisation Unit: Users

 

Is the OU "GDE_Users" a child of the OU "GDE"?
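An offline sanity check for the two settings-page fields, run over the strings quoted in this thread. This is an added example, not part of any post and not code from SharePoint Account Provision. It assumes the Organisation Unit field names a child OU of the connection string's base DN, as the layout in the reply above suggests, and that the AD DNS domain is gde.internal; the function names are hypothetical.

```python
import re

def parse_adspath(path):
    """Split 'LDAP://server/DN' into (server, [(ATTR, value), ...])."""
    m = re.fullmatch(r"LDAP://([^/]+)/(.+)", path.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("expected LDAP://server/distinguished-name")
    rdns = []
    for part in re.split(r"(?<!\\),", m.group(2)):  # unescaped commas only
        attr, sep, value = part.strip().partition("=")
        if not sep or not value:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.upper(), value))
    return m.group(1).lower(), rdns

def check_settings(conn_string, ou_field, ad_domain):
    """Return (target_dn, findings) for the two settings-page fields."""
    server, rdns = parse_adspath(conn_string)
    ad_domain = ad_domain.lower()
    findings = []
    # The DC components, read left to right, must spell the domain's DNS name.
    dc_name = ".".join(v.lower() for a, v in rdns if a == "DC")
    if dc_name != ad_domain:
        findings.append("DC components spell %r, expected %r" % (dc_name, ad_domain))
    # The server part may be the domain itself or a host inside it.
    if server != ad_domain and not server.endswith("." + ad_domain):
        findings.append("server %r is not in domain %r" % (server, ad_domain))
    # Assumption: the Organisation Unit field is a child OU of the base DN.
    base_dn = ",".join("%s=%s" % rdn for rdn in rdns)
    return "OU=%s,%s" % (ou_field, base_dn), findings

# Strings quoted in the thread; the domain argument is an assumption.
SAMPLES = [
    ("LDAP://ABC-123.GDE.INTERNAL/OU=GDE,DC=ABC-123,DC=GDE,DC=INTERNAL",
     "GDE_Users", "gde.internal"),
    ("LDAP://abc-123.gde.internal/OU=GDE,DC=GDE,DC=INTERNAL",
     "GDE_Users", "gde.internal"),
    ("LDAP://blah.com/OU=CompanyX,DC=blah,DC=com", "Users", "blah.com"),
]

if __name__ == "__main__":
    for conn, ou, domain in SAMPLES:
        target, findings = check_settings(conn, ou, domain)
        print(target, findings or "ok")
```

A string that passes this check can still fail to bind for permission or network reasons, which the check does not test.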

 

Aug 11, 2009 at 4:47 PM

Yes, it is a child. I am looking into whether or not there is some sort of security issue that is blocking the LDAP script running in SharePoint to the AD server. Funny how it works in the utility but not in SharePoint. Are there any security settings you know of in SharePoint or AD that would stop it from connecting?

Aug 11, 2009 at 5:04 PM
Edited Aug 11, 2009 at 5:05 PM

How does your blah.com site know to redirect the LDAP string to your AD server? I would assume that blah.com does not reside on your AD server.

For Account Provisioning to work does SharePoint have to be installed in "Active Directory Creation Mode"?

Aug 12, 2009 at 8:12 AM

Yes, the application pool identity needs to be a member of the "Account Operators" group.

This discussion deals with permission problems; maybe this will solve your problems.

http://spaccountprovision.codeplex.com/Thread/View.aspx?ThreadId=54554

Aug 12, 2009 at 4:04 PM
Edited Aug 12, 2009 at 4:05 PM

I am a bit confused by your answer. I have confirmed the Application Pool Identity is a member of Account Operators and confirmed this account (gde\SPConfig) in site administration.

Could you clarify two things:

1.) For Account Provisioning to work does SharePoint have to be installed in "Active Directory Creation Mode"?

2.) Do I have to be logged in with the Application Pool Identity account to set the LDAP path?

Thank you for all your help!

 

Aug 13, 2009 at 9:50 AM

1.) For Account Provisioning to work does SharePoint have to be installed in "Active Directory Creation Mode"?

No

2.) Do I have to be logged in with the Application Pool Identity account to set the LDAP path?

No

Aug 20, 2009 at 7:22 PM

Melq,

Does the application allow us to work directly with the internal AD DSN, or do we have to use the external domain associated with the site?

Thanks for your help,

Joshua

Aug 20, 2009 at 7:24 PM

If we have to use the external domain, which ports do we use, or do we have to open all of them?