
Vote #76714

Open

ldap error - not permitted to logon at this workstation

Added by Admin Redmine about 2 years ago. Updated about 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: LDAP_28
Target version: -
Start date: 2022/05/09
Due date:
% Done: 0%
Estimated time:
category_id: 28
version_id: 0
issue_org_id: 20699
author_id: 111839
assigned_to_id: 0
comments: 4
status_id: 1
tracker_id: 1
plus1: 0
affected_version:
closed_on:
affected_version_id: 90

Description

I configured "LDAP authentication" for our Active Directory.
On Windows 2003 server x86 and Windows 2012 server x64, login attempts end with the error (logged using WireShark):

LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece)

which means "not permitted to logon at this workstation". The solution is to add the AD server to the "userWorkstations" list of each domain user, and it works. But it is a bad solution and our administrators do not accept this.
This behavior was commented on a year ago:
#1913#note-29


Journals

--------------------------------------------------------------------------------
I had the same problem as you. Have you solved this problem without adding the AD server to the "userWorkstations" list of each domain user?
--------------------------------------------------------------------------------
xuezhi li wrote:
> I had the same problem as you. Have you solved this problem without adding the AD server to the "userWorkstations" list of each domain user?

No, currently I'm using a solution with Apache + sspi mod :(
http://www.redmine.org/boards/2/topics/127?page=2

--------------------------------------------------------------------------------
I used this patch for auth_source_ldap to enable LDAP authentication in my situation.
The idea is based on this description of "error 531" and confirmed with my tests:
<pre>
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.
</pre>
So, if this error was returned, the username / password are OK, and I return "true" as an authenticate_dn result.
I understand that searching in the error text is not a very good solution, but I don't have any other, and it works.
--------------------------------------------------------------------------------
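The comment above keys off the "data 531" sub-code inside the AD bind diagnostic text. The Ruby below is an added example (editor's illustration, not the commenter's patch and not Redmine's own AuthSourceLdap code) that isolates that parsing step and generalises it to the other well-known AD `AcceptSecurityContext` sub-codes: only `525` (user not found) and `52e` (bad password) mean the credentials were rejected; every other code (`530`, `531`, `532`, `533`, `701`, `773`, `775`) is returned only after the password was verified, which is the property the commenter relies on for `531`. Function and constant names (`classify_ad_bind_error`, `bind_failure_counts_as_authenticated?`, `AD_BIND_ERRORS`) are hypothetical, and the sample messages are constructed from the format quoted on this page. Which of those "credentials OK but policy blocked" codes an application should treat as a successful login is a deliberate choice, so the decision is an explicit allow-list defaulting to just `531`, the case discussed here.

```ruby
# Added example: classify Active Directory bind failures by their
# "AcceptSecurityContext error, data NNN" sub-code. Names here are
# hypothetical and not part of Redmine's AuthSourceLdap API.

# Well-known AD sub-codes as they appear (hex) in the diagnostic message.
# credentials_ok: true means AD only returns this code after the supplied
# password was verified, so the failure is a policy block, not a bad password.
AD_BIND_ERRORS = {
  '525' => { meaning: 'user not found',                            credentials_ok: false },
  '52e' => { meaning: 'invalid credentials',                       credentials_ok: false },
  '530' => { meaning: 'not permitted to logon at this time',       credentials_ok: true  },
  '531' => { meaning: 'not permitted to logon at this workstation', credentials_ok: true },
  '532' => { meaning: 'password expired',                          credentials_ok: true  },
  '533' => { meaning: 'account disabled',                          credentials_ok: true  },
  '701' => { meaning: 'account expired',                           credentials_ok: true  },
  '773' => { meaning: 'user must reset password',                  credentials_ok: true  },
  '775' => { meaning: 'account locked out',                        credentials_ok: true  },
}.freeze

# Pull the hex sub-code out of a bindResponse diagnostic string such as
# "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece".
# Returns nil when the text does not carry an AD sub-code at all.
def ad_bind_subcode(message)
  m = message.to_s.match(/AcceptSecurityContext error, data ([0-9a-fA-F]+)/)
  m && m[1].downcase
end

# Map a bind failure message to { code:, meaning:, credentials_ok: }.
# Anything unrecognised is treated conservatively as "credentials not verified".
def classify_ad_bind_error(message)
  code = ad_bind_subcode(message)
  return { code: nil, meaning: 'unrecognised bind failure', credentials_ok: false } unless code

  info = AD_BIND_ERRORS.fetch(code) do
    { meaning: "unknown AD sub-code #{code}", credentials_ok: false }
  end
  { code: code }.merge(info)
end

# The decision from the comment above, made explicit: a failed bind counts as
# "password verified" only if AD confirms the credentials AND the sub-code is
# on the caller's allow-list (default: the workstation restriction, 531).
def bind_failure_counts_as_authenticated?(message, accepted: ['531'])
  result = classify_ad_bind_error(message)
  result[:credentials_ok] && accepted.include?(result[:code])
end

# Constructed sample messages in the format quoted on this page.
SAMPLE_531 = '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece'
SAMPLE_52E = '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece'
SAMPLE_533 = '80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893'
SAMPLE_OTHER = 'Invalid Credentials'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_531, SAMPLE_52E, SAMPLE_533, SAMPLE_OTHER].each do |msg|
    r = classify_ad_bind_error(msg)
    puts format('%-4s %-45s credentials_ok=%-5s accept=%s',
                r[:code].inspect, r[:meaning], r[:credentials_ok],
                bind_failure_counts_as_authenticated?(msg))
  end
end
```

With the default allow-list, only the 531 message is accepted; 533 (account disabled) reports `credentials_ok: true` but is still rejected unless the caller adds it to `accepted:`, and a message without an AD sub-code is never accepted. Note that the sub-code is matched from free text, exactly the weakness the commenter acknowledges, so the result should be logged with the code so that a change in the directory's diagnostic format is noticed rather than silently turning every failure into a rejection.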

Updated by Admin Redmine about 2 years ago

  • Category set to LDAP_28
