
Help me with Active Directory[LDAP]

TobiasTheViking (Resident Viking Autist) | Joined Jun 25, 2005 | Messages: 6,925
Help me with Active Directory [LDAP] please. :)

I am trying to connect to an AD and get an email address for a given username.

I am doing this on a Windows computer where I have tested that it works (through its own "Address Book" search).

I am trying to do the same (for starters) with ldapsearch.exe from openldap.com, which I have installed.

I tell it to search on Active Directory, and it works as expected.

When I try to do the same with ldapsearch I get nothing usable.

From the properties of the Active Directory directory service I entered the following into my ldap.conf:

URI ldap://172.16.1.15:3268
BASE NULL
Yes, the base in the search is "NULL", which I find odd. A tooltip says "If the search base information is required, it will be supplied by the directory service".

Now I have tried, with ldapsearch, to use a lot of different bases. But none of them give me any relevant information. So I am trying to figure out how to find the proper base.

Can anyone help me, or give me a hint?
 
-x "" or -x "name=g-to" or -x "name=Tobias" or -x "name=Tobias Ussing"

g-to being my login name
 
Okay, so your problem is two fold. First, the base should NOT be null. Set it to the root of your domain.

e.g.
BASE DC=Headquarters, DC=MyCompany, DC=local

Second, your flags are all wrong.
The line should read more along the lines of

ldapsearch "name=tobias"

-x stands for simple authentication


Third, you most likely have not given anonymous users browse rights to your AD (which you shouldn't). So when you attempt to "search" the active directory using an anonymous login, the results returned are nothing. And a search on nothing returns nothing.

The easiest way to fix this is by changing your command to:

ldapsearch -D "CN=MyUserName, OU=SmartPeople, OU=Users, DC=Headquarters, DC=MyCompany, DC=local" -W "name=tobias"

Now you can authenticate and use proper rights for the search.
Change OU to CN if you are using a container somewhere instead of an organizational unit. (Yes, users happen to be containers...)

Just note that the password will be sent in plain text, so make sure to use encryption!

Sorry for the rather curt response.
Time is not on my side. ;o)

Speeder
 
Yes, and my problem is that I don't know what the BASE is. And I want to know how I can find out what the BASE is.

I know the OUs I need to use, but not the DCs. :/

But thanks for the reply :)
 
Change your URI to

ldap://someip:3268

This will connect you to the Global Catalog
And use the search

ldapsearch -b "" -LLL "" dn

To do anything more, without compromising security, you'll have to authenticate.

Chow.
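The RootDSE read that the reply above is pointing at, as an added example (not code from the thread or from OpenLDAP). Active Directory answers a base-scope search of the empty DN without credentials and returns `defaultNamingContext`, which is exactly the base the original poster is trying to find. Two details matter with OpenLDAP's ldapsearch: `-x` is needed because it defaults to SASL, and `-s base` is what makes `-b ""` a RootDSE read rather than a subtree search of whatever the port serves (on 3268 that would be the Global Catalog). The host, the LDIF samples and the child-domain names below are constructed.

```python
"""Find an AD domain's base DN by reading the RootDSE with ldapsearch.

Added example; not from the thread. Host and LDIF samples are constructed.
"""
import base64
import shlex

# RootDSE attributes that name the directory partitions. These attribute
# names are standard on Active Directory domain controllers.
ROOTDSE_ATTRS = ("defaultNamingContext", "rootDomainNamingContext",
                 "configurationNamingContext", "namingContexts")


def rootdse_command(host: str, port: int = 389) -> list:
    """Build the ldapsearch argv that reads the RootDSE.

    -x          simple bind (no -D/-W: AD allows anonymous RootDSE reads)
    -s base -b ""   base-scope search of the empty DN == the RootDSE
    -LLL        plain LDIF without comments or version line
    """
    return ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}",
            "-s", "base", "-b", "", "-LLL", "(objectClass=*)",
            *ROOTDSE_ATTRS]


def parse_ldif_attrs(ldif: str) -> dict:
    """Parse the LDIF that ldapsearch -LLL prints into {attr: [values]}.

    Handles LDIF continuation lines (a line starting with one space extends
    the previous value) and base64 values ("attr:: <b64>").
    """
    logical = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    attrs = {}
    for line in logical:
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def base_dn_from_rootdse(ldif: str) -> str:
    """Pick the domain partition out of RootDSE output."""
    attrs = parse_ldif_attrs(ldif)
    for name in ("defaultNamingContext", "rootDomainNamingContext"):
        if attrs.get(name):
            return attrs[name][0]
    # Fallback: the domain partition is the namingContext that is not the
    # configuration/schema partition or a DNS application partition.
    for nc in attrs.get("namingContexts", []):
        if not nc.startswith(("CN=Configuration", "CN=Schema",
                              "DC=DomainDnsZones", "DC=ForestDnsZones")):
            return nc
    raise ValueError("no naming context found in RootDSE output")


# Constructed sample of what a DC for tomsgroup.dom would answer.
SAMPLE_ROOTDSE = """\
dn:
defaultNamingContext: DC=tomsgroup,DC=dom
rootDomainNamingContext: DC=tomsgroup,DC=dom
configurationNamingContext: CN=Configuration,DC=tomsgroup,DC=dom
namingContexts: DC=tomsgroup,DC=dom
namingContexts: CN=Configuration,DC=tomsgroup,DC=dom
namingContexts: CN=Schema,CN=Configuration,DC=tomsgroup,DC=dom
"""

if __name__ == "__main__":
    print(shlex.join(rootdse_command("172.16.1.15")))
    print(base_dn_from_rootdse(SAMPLE_ROOTDSE))
```

Once the base is known, the poster's own account can be looked up with it (`-b "DC=tomsgroup,DC=dom" "(sAMAccountName=g-to)" dn mail`), which also yields the full DN needed for `-D`.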
 
I'll try it Friday.


Authentication shouldn't be a problem, as I DO have an account on the Active Directory server.
 
np.

Oh, just to clarify. By "compromising security" I meant giving anonymous users browsing rights, not something nefarious. ;o)
 
Well, security of the server is not something I'm really concerned with, since it has nothing to do with me and it is outside the scope of my assignment. :)

Searching (with the Windows utility) doesn't work if I disable authentication, but if I enable it then I get a result, even if the username and password I give are wrong. Very odd, but there it is.
 
Security is everyone's responsibility! ;)

Which utility are you talking about? And what do you mean by "disabling authentication"?
 
Well, I can't actually influence the security; if I could, I would.

As for the utility, I believe it is just called "Address Book".

"Start -> Search -> Computers, printers, people on the network -> Search for people"

Or something like that. Then I can select where to search (I select Active Directory), then I can right-click on the combobox where I select where to search, and I can select which server, base, and username/password to use for the AD connection.

The standard BASE in there was NULL. The standard username was NULL, no password was given.
 
Ah. My guess is that you are using a computer which is part of the domain and logging into windows with a domain account.

And since you probably have SPA (secure Password Authentication) enabled the token being passed to the domain controller for the search will end up being the one representing the domain user account that you logged in with. :cool: ;)
 
Well, I've made quite a bit of progress through trial and error.

going through
start -> programs -> accessories -> address book

Then click "find people", that is where i looked up accounts before.

So I made a new directory service to use in there (instead of the standard one). Doing that I have found, and verified, the BASE and the login I need to use.


The BASE being the initial "DC=tomsgroup,DC=dom" I tried.
The username being tomsgroup\g-to
And the password being something secret.
First I disabled SPA and didn't enter accurate account information, and I got an error. Then I entered the above information, and it worked.

For BASE I first left it at "NULL" and it worked, I changed it to the above, and it worked, and then I changed it to "DC=tomsgroup,DC=dod" and it failed.

So I now feel I have verified the information for the AD access.

BUT, I can't figure out how to log in (with my own Java program, or with ldapsearch).

My domain is "studenter-it.tomsgroup.dom", and I've tried the following commands, to no avail.

ldapsearch.exe -v -D "CN=Tobias Ussing,DC=studenter-it,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=Tobias Ussing,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=g-to,DC=studenter-it,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=g-to,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=tomsgroup\g-to,DC=studenter-it,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=tomsgroup\g-to,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=tomsgroup\\g-to,DC=studenter-it,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=tomsgroup\\g-to,DC=tomsgroup,DC=dom" -W ""

But in all cases i get

Enter LDAP Password: ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurtyContext error, data 525, v893

I'm rather lost right now. Any ideas?

And thanks for your help so far. :)

ETA: "Invalid credentials" here being a non-existing user. It is NOT a bad username and password.
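The poster's reading of the error is right: AD's `AcceptSecurityContext` diagnostic carries a hex sub-code after `data`, and 525 means the bind name did not resolve to an account, while a wrong password gives 52e. As an added example (not code from the thread), here is a decoder for that string, plus the one thing a client should do with the distinction: log it for the operator but never show it to the end user, because a login form that answers differently for "no such user" and "wrong password" lets anyone enumerate valid usernames. The sample strings are constructed from the format quoted above; the sub-code table is the standard Windows logon status list. Note, too, that AD's simple bind accepts `DOMAIN\user` or `user@domain` bare as the `-D` argument (not wrapped in `CN=`), so the full DN is only needed if you prefer to bind with it.

```python
"""Decode the diagnostic that Active Directory attaches to a failed bind.

Added example; not from the thread. Sample strings are constructed.
"""
import re

# Sub-codes AD places after "data" in the AcceptSecurityContext diagnostic.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape: "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext
#         error, data 525, v893"
_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), "
    r"v(?P<version>[0-9A-Fa-f]+)"
)


def decode_bind_diagnostic(info: str) -> dict:
    """Parse the 'additional info' text of an LDAP result code 49 from AD."""
    m = _DIAG_RE.search(info)
    if not m:
        return {"known": False, "data": None,
                "reason": "unrecognised diagnostic", "principal_exists": None}
    data = m.group("data").lower()
    return {
        "known": True,
        "hresult": m.group("hresult").lower(),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment"),
        "data": data,
        "reason": AD_BIND_DATA.get(data, "unknown sub-code " + data),
        # 525 is the only sub-code that says the bind name did not resolve.
        "principal_exists": data != "525",
    }


def user_facing_message(info: str) -> str:
    """Message safe to show a user. 525 and 52e deliberately collapse into
    one text so the login form cannot be used to enumerate usernames."""
    d = decode_bind_diagnostic(info)
    if d["known"] and d["data"] in ("532", "773"):
        return "Your password has expired and must be changed."
    if d["known"] and d["data"] in ("533", "701", "775"):
        return "Account unavailable; contact your administrator."
    return "Invalid username or password."


if __name__ == "__main__":
    sample = ("80090308: LdapErr: DSID-0C09030B, comment: "
              "AcceptSecurityContext error, data 525, v893")
    print(decode_bind_diagnostic(sample)["reason"])
    print(user_facing_message(sample))
```

In the poster's case every attempt wrapped the login name in a `CN=` RDN directly under the domain, so the DN did not exist and AD reported 525 each time, regardless of the password entered.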
 
You need to put the Container/OU that your username is in.

e.g. -D "CN=Tobias Ussing, CN=Odd People, OU=Users, DC=Studenter, DC=TomsGroup, DC=dom"

Base can be null as long as you connect to the global catalog (port 3268) and you specify it as -b "" in the commands passed to ldapsearch.

;)
 
You can use SASL if you want to use a "user name" instead of plain text authorizations where you need to know the distinguished name of the user.

np
 
Got it working

I finally got it working, and I was so close all along.

For some reason this works:
"CN=Tobias Ussing,OU=External,OU=Users,OU=DK,DC=tomsgroup,DC=dom"

but this doesn't:
"CN=Tobias Ussing,OU=DK,OU=Users,OU=External,DC=tomsgroup,DC=dom"

Very odd, in my opinion.

But it works. And I can search and find what I want and everything. So, woohoo!


Thanks for all your help
 
Oh. Lol. Sorry. I thought you knew that distinguished names are written from left to right....

np
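The ordering rule behind the two DNs compared above, worked through as an added example (not code from the thread). A DN lists RDNs from the object outward, so the OU directly under the domain comes last; that is why `OU=External,OU=Users,OU=DK` is right for an object sitting in DK/Users/External. The DC part only looks "not reversed" because DNS names already run leaf-first (`tomsgroup.dom` is host-side to TLD), so `DC=tomsgroup,DC=dom` keeps the same order. The names are the ones quoted in the thread; the escaping follows RFC 4514, and the `Ussing, Tobias` value used to exercise it is constructed.

```python
"""Build and take apart Active Directory distinguished names.

Added example; not from the thread. Escaping per RFC 4514.
"""

# Characters that must be backslash-escaped inside an RDN value.
_ESCAPE_CHARS = set('\\,+"<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_CHARS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(domain: str) -> list:
    """'studenter-it.tomsgroup.dom' -> ['DC=studenter-it','DC=tomsgroup','DC=dom'].

    DNS labels are already ordered leaf-first, so the DC components keep the
    label order of the domain name.
    """
    return ["DC=" + escape_rdn_value(lbl) for lbl in domain.split(".") if lbl]


def path_to_dn(cn: str, ou_path: list, domain: str) -> str:
    """Turn a tree path as shown in AD Users and Computers, e.g.
    ['DK', 'Users', 'External'], into a DN. The path is reversed because a DN
    runs from the object outward: nearest OU first, top-level OU last."""
    rdns = ["CN=" + escape_rdn_value(cn)]
    rdns += ["OU=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    rdns += domain_to_dc(domain)
    return ",".join(rdns)


def split_dn(dn: str) -> list:
    """Split a DN into (TYPE, value) pairs, honouring '\\x' and '\\XX' escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                cur.append(chr(int(nxt, 16)))   # hex pair, ASCII only here
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    pairs = []
    for p in parts:
        t, _, v = p.partition("=")
        pairs.append((t.strip().upper(), v))
    return pairs


def dn_to_path(dn: str) -> dict:
    """Inverse of path_to_dn: recover the tree path (top-level OU first)."""
    pairs = split_dn(dn)
    return {
        "cn": [v for t, v in pairs if t == "CN"],
        "ou_path": [v for t, v in reversed(pairs) if t == "OU"],
        "domain": ".".join(v for t, v in pairs if t == "DC"),
    }


if __name__ == "__main__":
    # The working DN from the thread: object in DK/Users/External.
    print(path_to_dn("Tobias Ussing", ["DK", "Users", "External"], "tomsgroup.dom"))
    print(dn_to_path("CN=Tobias Ussing,OU=External,OU=Users,OU=DK,DC=tomsgroup,DC=dom"))
```

Feeding `["External", "Users", "DK"]` as the path produces the DN that did not work, which is the mirror image of the one that did.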
 
Nope, no one told me that. This endeavour is, so far, my only probing of AD.

And the DC isn't backwards like the OU is.

Which i find odd.

Oh well, it works.

The functions I needed to implement in Java were "find email address based on user id" and "check if userid is member of IT group". After I got the login working (in some other program I had downloaded) it took 30 s to get it working in my own Java application. And then 10 min to figure out how to do filters properly.

It just works. :D

And thanks for your endeavour, even if, in the end, i solved it by accident. But it means a lot that you tried, and i did learn from it :D which is the most important thing.

Sincerely
A Barstard Commie
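The two lookups the poster built in Java, written out as an added example (not the poster's code) with the filter escaping that "doing filters properly" has to include. User input that goes into an LDAP filter must be escaped per RFC 4515, otherwise a user id such as `*)(objectClass=*` rewrites the query. The attributes `sAMAccountName`, `mail` and `memberOf` are standard AD attributes; the IT group's DN is an assumption. The nested-membership variant uses AD's `LDAP_MATCHING_RULE_IN_CHAIN` rule, since plain `memberOf` lists only direct memberships and omits the primary group.

```python
"""Injection-safe AD filters for "mail by user id" and "is user in group".

Added example; not the poster's Java code. GROUP_DN is an assumption.
"""

GROUP_DN = "CN=IT,OU=Groups,DC=tomsgroup,DC=dom"   # assumed location of the IT group
IN_CHAIN = "1.2.840.113556.1.4.1941"                # AD LDAP_MATCHING_RULE_IN_CHAIN


def escape_filter_value(value: str) -> str:
    """RFC 4515: inside a filter value only \\ * ( ) and NUL are special;
    each is replaced by a backslash and its two-digit hex code."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_email_lookup_filter(user_id: str) -> str:
    """What naive concatenation produces. Shown for contrast; do not use."""
    return "(sAMAccountName=" + user_id + ")"


def email_lookup_filter(user_id: str) -> str:
    """Filter for the 'find email address by user id' query; request the
    'mail' attribute with it."""
    return ("(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"
            % escape_filter_value(user_id))


def group_member_filter(user_id: str, group_dn: str = GROUP_DN,
                        nested: bool = False) -> str:
    """Filter that matches the user only if it is in group_dn. The group DN
    is a filter value here, so it is filter-escaped as well (any DN-level
    backslashes in it become \\5c, which is what AD expects)."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(objectClass=user)(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(user_id), attr, escape_filter_value(group_dn))


def assertion_count(ldap_filter: str) -> int:
    """Number of real filter assertions/operators. Escaped parentheses are
    \\28 and \\29, so counting '(' shows how much syntax the input injected."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    hostile = "*)(objectClass=*"
    print(unsafe_email_lookup_filter(hostile))   # two assertions: injected
    print(email_lookup_filter(hostile))          # literal, cannot match anything
    print(group_member_filter("g-to", nested=True))
```

With ldapsearch the email lookup becomes `ldapsearch -x -ZZ -H ldap://172.16.1.15 -D "tomsgroup\g-to" -W -b "DC=tomsgroup,DC=dom" '(&(objectCategory=person)(objectClass=user)(sAMAccountName=g-to))' mail`; `-ZZ` insists on StartTLS so the simple-bind password is not sent in the clear, as the earlier reply warned (assuming the DC offers StartTLS; `ldaps://host:636` is the alternative).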
 
