Active Directory join fails because of missing bind DN #8195

Open
PejeDK opened this issue Jun 29, 2024 · 8 comments
PejeDK commented Jun 29, 2024

Hi

I am experiencing errors when I create an Active Directory domain (joining) inside PacketFence, because anonymous binding is not allowed and somehow PacketFence tries an anonymous bind and not the bind DN of the admin username and password entered in the UI.

With an ldapsearch command line I have to specify the bind options with the full DN of the user, and it connects.
I have tested kinit also with success, so it should not be a port issue.

netcat tests on ports 64, 88, 636 and 389 are all working.

Is there any way to get this bind setting into the PacketFence UI, or is it possible to create the Active Directory domain from the CLI?

The Connection Profile part works like a charm; it is only the Active Directory part (Configuration - Policies and Access Control - Roles - Active Directory Domains).

I get the following error in the UI:

    Unable to add machine account with following error:
    {'result': 1, 'description': 'operationsError', 'dn': '', 'message': '000004DC: 
    LdapErr: DSID-0C09128C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c\x00', 'referrals': None, 'type': 'addResponse'}

I have added LdapEnforceChannelBinding to the registry and set its value to 0, but that did not fix my issue.
This was to see if it was the obvious security setting that was the issue. But I do get the same error in my lab with this setting enabled.

This ldapsearch command works:

    ldapsearch -LLL -x -H ldap://192.168.11.11 -D "CN=Peter Jensen,OU=All-Users,OU=domain.dk,DC=domain,DC=local" -W -b "DC=domain,DC=local"

If I do not add the bind statement I get this error:

    Operations error (1)
    Additional information: 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c

Basically the same error without the bind statement.

I am running the latest PacketFence on Debian 11.9 with the latest PacketFence version.

I am sure that it is a security feature in Active Directory and the fact that the PacketFence UI maybe does not include all the settings needed to work in a hardened Active Directory domain.
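The addResponse quoted above is the classic symptom of an add request sent on a connection that never completed a bind. The helper below is an added example, not PacketFence's own code: it parses that ldap3-style result dict into an actionable diagnosis, and shows the order a client has to follow (bind with an explicit DN over LDAPS, check the bind, then add). The host, bind DN, computer DN and parameter names are assumptions.

```python
import re
from typing import Optional
# Constructed sample: the addResponse dict quoted in this issue (ldap3-style result).
SAMPLE_ADD_RESPONSE = {
    'result': 1, 'description': 'operationsError', 'dn': '',
    'message': '000004DC: \nLdapErr: DSID-0C09128C, comment: In order to perform this '
               'operation a successful bind must be completed on the connection., '
               'data 0, v4f7c\x00',
    'referrals': None, 'type': 'addResponse',
}
# Hints keyed on the 8-hex-digit AD extended error code that leads the message.
AD_ERROR_HINTS = {
    '000004DC': 'add sent on an unbound (anonymous) connection; bind with a DN first',
    '00002098': 'bound user lacks create-child rights on the target OU',
    '0000052E': 'bind rejected: bad DN or password',
}

def parse_ad_error(message: str) -> Optional[dict]:
    """Pull the AD error code, DSID and comment out of an LDAP diagnostic message."""
    m = re.search(r'^([0-9A-Fa-f]{8}):.*?DSID-([0-9A-Fa-f]+), comment: (.*?), data',
                  message.rstrip('\x00'), re.S)
    if not m:
        return None
    return {'code': m.group(1).upper(), 'dsid': m.group(2), 'comment': m.group(3)}

def diagnose_add_response(resp: dict) -> str:
    """Map an ldap3 result dict to a one-line diagnosis an operator can act on."""
    if resp.get('result') == 0:
        return 'ok'
    parsed = parse_ad_error(resp.get('message', ''))
    if parsed is None:
        return f"{resp.get('description')}: {resp.get('message', '').strip()}"
    hint = AD_ERROR_HINTS.get(parsed['code'], 'unmapped AD error, read the comment')
    return f"{resp.get('description')} {parsed['code']} (DSID {parsed['dsid']}): {hint}"

def add_machine_account(host, bind_dn, password, computer_dn, sam_name):
    """Bind with an explicit DN over LDAPS, check the bind, and only then add the
    computer object. ldap3 is imported here so the helpers above run offline;
    the parameter names are assumptions, not PacketFence's own API."""
    import ldap3
    server = ldap3.Server(host, use_ssl=True, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_dn, password=password,
                            authentication=ldap3.SIMPLE)
    if not conn.bind():  # an unbound connection is exactly what produced 000004DC
        return 'bind failed: ' + diagnose_add_response(conn.result)
    attrs = {'objectClass': ['top', 'person', 'organizationalPerson', 'user', 'computer'],
             'sAMAccountName': sam_name, 'userAccountControl': 4096}  # workstation trust
    conn.add(computer_dn, attributes=attrs)
    return diagnose_add_response(conn.result)
```

Running `diagnose_add_response(SAMPLE_ADD_RESPONSE)` on the quoted error names the 000004DC code and points at the missing bind, which is the check to run against PacketFence's logs before touching LdapEnforceChannelBinding.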

FloFaber commented Aug 8, 2024

We have the same issue here. Did you find a solution in the meantime?

PejeDK commented Aug 8, 2024

@FloFaber
Unfortunately not, I have tried multiple solutions without any luck.

Guess I am stuck without the AD integration and only the Authentication Source, not the realm and AD.

stgmsa commented Aug 8, 2024

Hi @PejeDK and @FloFaber,
can you provide some details of what happens when trying to join the domain?

PejeDK commented Aug 9, 2024

@stgmsa
The only error I can find in the PacketFence logs is the one provided:

    Unable to add machine account with following error:
    {'result': 1, 'description': 'operationsError', 'dn': '', 'message': '000004DC: 
    LdapErr: DSID-0C09128C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c\x00', 'referrals': None, 'type': 'addResponse'}

FloFaber commented Aug 9, 2024

@stgmsa For us it works fine when using the default Computer OU. When using a different OU it fails with the same error already mentioned by @PejeDK.

This Reddit user seems to have fixed this issue by disabling LdapEnforceChannelBinding: reddit.com/r/PacketFence/comments/1dh938l/comment/lafhz0x/.

However, this is not an option for us.

PejeDK commented Aug 9, 2024

@FloFaber
That Reddit post does not work for us either.

That Reddit user is working on the same system as this one :-)
It worked on the test system, but not in production.
I disabled the binding requirement, joined PacketFence and enabled it again, and it worked.

But the production system did not have the same result, in either PacketFence or with the ldapsearch command.
I still needed the bind for it to work.

stgmsa commented Aug 9, 2024

What PacketFence version were you using when hitting this error?
And which Windows Server version?

PejeDK commented Aug 10, 2024

I am running the latest PacketFence on Debian 11.9, PacketFence version 13.2.
Tested on Windows 2016 and Windows 2019 domains.
