Hi there,
I'm having a hard time setting up the directory-based authentication for
dogtag 10.3.3-1. I did follow the instructions at
http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and I get
an error when trying to bind/authenticate against directory service
(Microsoft AD2008) as follows:

[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication: authenticate: before authenticate() call
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating UID=john.luk
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication: Authenticating: Searching for uid=john.luk base DN=OU=IT,dc=domain,dc=com
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User authentication failure: netscape.ldap.LDAPException: error result (1); 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing bad connection

The directives (below) are used to bind to the AD2008 and I already tested the
account and it is working.

auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password

John Luk is applying for the certificate using the web enrollment process
(caDirUserCert profile).
What am I missing?
Thx,
sergio