alepensato

First, I would suggest changing the LDAP Schema to "Automatically Detect". Secondly, the DN does not look correct. Usually this contains something like "uid=john.doe,ou=People,dc=example,dc=com". Lastly, is the Search User "Login Access" an AD admin that has permissions to search for and authenticate Users in "Palermo"?

Cheers.

    KevinTheJedi

    If I run this command

    ldapsearch -H ldap://localhost -x -b "ou=Palermo,o=cnr,c=it" -LLL -D "cn=LoginAccess,ou=Palermo,o=cnr,c=it" -w MyPass uid=alessandro.pensato

    it will return the result:

    dn: cn=PENSATO ALESSANDRO,ou=dipendenti,ou=IRIB,ou=Palermo,o=cnr,c=it
    uid: alessandro.pensato
    mail: alessandro.pensato@cnr.it
    MATRICOLA: 11924
    EMAILPERPUK: alessandro.pensato@ibim.cnr.it
    ACCOUNTSTATUS: Active
    homePhone: 0916407111
    CNRCOGNOME: PENSATO
    CNRNOME: ALESSANDRO
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: QMAILUSER
    objectClass: RADIUSPROFILE
    objectClass: CNRPERSON
    objectClass: eduPerson
    objectClass: VACATION
    EMAILESTERNO: alessandro.pensato@ibim.cnr.it
    CNRAPP8: si
    CNREXTRA4: Collaboratore Tecnico E.R. VI livello
    EMAILCERTIFICATOPERPUK: alessandro.pensato@irib.cnr.it
    departmentNumber: 234300
    cn: PENSATO ALESSANDRO
    PUKHASH: {MD5}d724c626cad72e83b5f3d720bc78d85b
    CNREXTRA5: inservizio
    MAILFORWARDINGADDRESS: alessandro.pensato@cnrsc.onmicrosoft.com
    CNRGRUPPO3: IRIB

      alepensato

      Okay, it’s just odd, I’ve never seen one in that format before. Did you change the schema and retest?

      Cheers.

        alepensato

        Then I would recommend updating your Search Base to the format ou=Palermo,dc=cnr,dc=it, Search User to cn=LoginAccess,ou=Palermo,dc=cnr,dc=it, and retest.

        Cheers.

          KevinTheJedi

          The format is o=cnr,c=it. The problem is not the LDAP config. If it was a problem related to LDAP, please tell me why I can log in as AGENT.

            alepensato

            I am unable to replicate this issue, so I am not sure. Based on the earlier logs you provided, you receive error 32. Upon researching that error, the cause is typically an incorrect or incorrectly formatted DN. This is why I’m suggesting you use the typical format to see if that fixes the issue.

            Cheers.

            I provide you the log for a login as AGENT and also as CLIENT; if you look at them you can see that there are some differences. It seems that the authentication code for the AGENT is different from the code for the CLIENT.

              I can't reconfigure my LDAP server only for this problem; all other services work without problems.

                KevinTheJedi

                Ok, but the correct BaseDN is o=cnr,c=it. If I configure dc=cnr,dc=it, I am unable to save the changes to the LDAP plugin; I get a connection error to localhost.

                  alepensato

                  Can you change your LDAP Servers setting from ldap://localhost to the actual domain? Can you also try without putting ldap://?

                  Cheers.

                  alepensato

                  Also, when you changed the DN in the Search Base, did you also change the DN in the Search User? They potentially both need to be the same.

                  Cheers.

                  The only configuration that works (with all other problems) is with o=cnr,c=it.

                    alepensato

                    So you’re not going to change the LDAP Servers setting from localhost to your actual domain?

                    Cheers.

                    alepensato

                    Change localhost to the actual domain. We use that in part of the lookup/search so it might be failing as it’s expecting the domain but getting localhost.

                    Cheers.
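
Added example, not part of the thread and not the plugin's own code: LDAP result code 32 is noSuchObject, which a server returns when the search base names an entry it does not hold. The sketch below compares the entry DN returned by the `ldapsearch` output above against the two search bases discussed in the thread, using string-level DN comparison only (no directory is contacted); the function names are hypothetical, and multi-valued RDNs joined with `+` are not handled.

```python
# Added example (not from the thread). DNs below are the ones quoted on this page.
ENTRY_DN = "cn=PENSATO ALESSANDRO,ou=dipendenti,ou=IRIB,ou=Palermo,o=cnr,c=it"
CANDIDATE_BASES = ["ou=Palermo,o=cnr,c=it", "ou=Palermo,dc=cnr,dc=it"]


def split_rdns(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514 backslash escapes)."""
    if not dn.strip():
        return []
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current))
    return parts


def normalize(rdn):
    """Lower-case type and value and collapse spaces.
    Assumption: the naming attributes use case-insensitive matching."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), " ".join(value.lower().split())


def is_under(entry_dn, base_dn):
    """True if base_dn is a suffix (ancestor or self) of entry_dn."""
    entry = [normalize(r) for r in split_rdns(entry_dn)]
    base = [normalize(r) for r in split_rdns(base_dn)]
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def bases_containing(entry_dn, bases):
    """Return the candidate search bases whose subtree can contain entry_dn."""
    return [b for b in bases if is_under(entry_dn, b)]


if __name__ == "__main__":
    for base in CANDIDATE_BASES:
        print(f"{base!r}: entry under base = {is_under(ENTRY_DN, base)}")
```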