8 Replies Latest reply on Feb 3, 2009 6:56 PM by billdimit

    From LDAP to AD

    billdimit
      Hi,
      I need to convert all CF LDAP validation pages in my apps (OpenLDAP) to the new AD server validations. No luck so far.

      I cannot make an anonymous bind to AD using LDAP so I do need to bind to AD prior to authenticating user. I’ve got a username/password account created for it. I have also been told by System Admin that maybe I would need to use the AD userPrincipalName

      The LDAP code that works with the OpenLDAP:

      <CFLDAP
      SERVER="ldap.test.com.au"
      PORT="389"
      USERNAME="uid=#form.username#,ou=people,ou=staff,o=test.com.au"
      PASSWORD="#form.password#"
      ACTION="QUERY"
      NAME="GetLDAPResults"
      ATTRIBUTES="dn,ou,o,uid,cn,sn,title,mail,l,telephonenumber,roomnumber"
      FILTER="uid=#form.username#"
      START="ou=people,ou=staff,o=test.com.au">

      I have tried this code with AD without any success:

      <CFLDAP
      SERVER="ad.test.com.au"
      port="389"
      scope="subtree"
      USERNAME="#form.username#,OU=staff,DC=test,DC=com,DC=au"
      PASSWORD="#form.password#"
      ACTION="QUERY"
      NAME="GetLDAPResults"
      ATTRIBUTES="cn,mail"
      filter="(sAMAccountName=#form.username#)"
      START="OU=staff,DC=test,DC=com,DC=au">

      The error message is:
      Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

      The binding is the problem. How do I bind to AD?

      Thanks,
      b.
        • 1. Re: From LDAP to AD
          billdimit Level 1
          Anyone?
          b.
          • 2. Re: From LDAP to AD
            Level 7

            All I can tell you is that I don't do anything special with my
            <cfldap...> tag to connect to Active Directory. A couple of possible
            things to look at.

            scope="subtree": Active Directory can be very picky about permissions,
            and if the account you are using in username and password does not
            have rights to *EVERY* branch and leaf of the entire subtree below your
            starting point you will get this error. Try being more specific in your
            Start and/or only pick the current branch until you have isolated what
            is causing the problem.

            USERNAME="#form.username#,OU=staff,DC=test,DC=com,DC=au": That is not
            the way my username field looks for accessing our active directory. For
            us it goes username="windowsDomain\ADUserName".
            • 3. From LDAP to AD
              billdimit Level 1
              Hi,

              I've tried everything and it still doesn't work.

              Anyway, it is time for a break.

              Thanks for your help. Merry Xmas and Happy New Year.

              b.
                • 5. Re: From LDAP to AD
                  speeves1
                  Instead of pounding your brain from the CF side, try using the command-line tool LDIFDE:
                  http://support.microsoft.com/kb/237677

                  It will give you a straightforward interface to test your user/pass, queries, etc., without the black box.
                  • 6. From LDAP to AD
                    billdimit Level 1
                    Hi,

                    I'd like to reactivate this topic. One month later and still the same problem.
                    In the meantime I've managed to do validation using C#. I didn't use the service account at all. It binds with user's credentials.

                    The .NET code is:

                    using System;
                    using System.DirectoryServices;

                    public static bool checkUser(string userName, string password)
                    {
                        // Bind as the user being validated (no service account);
                        // the bind itself is the credential check.
                        using (DirectoryEntry de = new DirectoryEntry("LDAP://ad.test.com.au"))
                        {
                            de.Username = userName;
                            de.Password = password;
                            try
                            {
                                // Reading NativeObject forces the bind; it throws on bad credentials.
                                object o = de.NativeObject;

                                using (DirectorySearcher ds = new DirectorySearcher(de))
                                {
                                    // userName goes into the filter unescaped: escape ( ) * \
                                    // per RFC 4515 if it can contain those characters.
                                    ds.Filter = "(samaccountname=" + userName + ")";
                                    ds.PropertiesToLoad.Add("samaccountname");

                                    SearchResult sr = ds.FindOne();
                                    if (sr == null)
                                    {
                                        throw new Exception();
                                    }

                                    return true;
                                }
                            }
                            catch
                            {
                                return false;
                            }
                        }
                    }


                    This is a new version of my ldap tag:

                    <CFLDAP
                    ACTION="QUERY"
                    SERVER="ad.test.com.au"
                    USERNAME="SAMAccountName=#form.username#,OU=Staff,DC=ad,DC=test,DC=com,DC=au"
                    PASSWORD="#form.password#"
                    NAME="GetLDAPResults"
                    scope="subtree"
                    ATTRIBUTES="*"
                    filter="(SAMAccountName=#form.username#)"
                    START="OU=Staff,DC=ad,DC=test,DC=com,DC=au">

                    The error message:
                    Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

                    If I change the LDAP tag's username attribute to:

                    USERNAME="CN=john smith,OU=Staff,DC=ad,DC=test,DC=com,DC=au"

                    the validation works fine.

                    Any idea?

                    B.


                    • 7. Re: From LDAP to AD
                      billdimit Level 1
                      Anyone?

                      B.
                      • 8. From LDAP to AD
                        billdimit Level 1

                        Ian Skinner was right.

                        It was the USERNAME attribute format.

                        Instead of:

                        USERNAME="SAMAccountName=#form.username#,OU=Staff,DC=ad,DC=test,DC=com,DC=au"

                        The right format is domain\#form.username#.

                        In my case:

                        USERNAME="ad\#form.username#"

                        B.
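The resolution above (down-level "domain\user" bind name) and the two things that went wrong along the way (the "data 525" sub-code in the error-49 message, and a raw username interpolated into the search filter) as an added Python example; this is not code from the thread, and it assumes the domain's NetBIOS name is "ad" and its UPN suffix is "ad.test.com.au", inferred from the DC components in the posts.

```python
import re

# Sub-codes AD appends ("data NNN") to an LDAP result 49 bind failure.
# Values are Microsoft-documented; 525 is the one seen in this thread.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")

def decode_ad_bind_error(message):
    """Return (subcode, meaning) for an AD error-49 message, else None.
    Log this server-side only: telling the end user 525 vs 52e apart
    would reveal which usernames exist."""
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 hex escapes)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def bind_name(user, style="downlevel", domain="ad", upn_suffix="ad.test.com.au"):
    """Identity for a simple bind: down-level 'DOMAIN\\user' (the thread's fix)
    or UPN 'user@suffix'. A DN would need the object's CN, not its
    sAMAccountName, which is why the 'sAMAccountName=...,OU=...' form failed.
    domain and upn_suffix are assumptions taken from the posts' DC components."""
    if style == "downlevel":
        return f"{domain}\\{user}"
    if style == "upn":
        return f"{user}@{upn_suffix}"
    raise ValueError("style must be 'downlevel' or 'upn'")

def user_filter(user):
    """Filter for the bound user's own object, with the input escaped so a
    crafted username cannot change the filter's structure."""
    return f"(sAMAccountName={escape_filter_value(user)})"
```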