From LDAP to AD

Explorer, Dec 17, 2008
Hi,
I need to convert all CF LDAP validation pages in my apps (OpenLDAP) to the new AD server validations. No luck so far.

I cannot make an anonymous bind to AD using LDAP, so I do need to bind to AD prior to authenticating the user. I've got a username/password account created for it. I have also been told by the System Admin that maybe I would need to use the AD userPrinciple

The LDAP code that works with the OpenLDAP:

<CFLDAP
SERVER="ldap.test.com.au"
PORT="389"
USERNAME="uid=#form.username#,ou=people,ou=staff,o=test.com.au"
PASSWORD="#form.password#"
ACTION="QUERY"
NAME="GetLDAPResults"
ATTRIBUTES="dn,ou,o,uid,cn,sn,title,mail,l,telephonenumber,roomnumber"
FILTER="uid=#form.username#"
START="ou=people,ou=staff,o=test.com.au">

I have tried this code with AD without any success:

<CFLDAP
SERVER="ad.test.com.au"
port="389"
scope="subtree"
USERNAME="#form.username#,OU=staff,DC=test,DC=com,DC=au"
PASSWORD="#form.password#"
ACTION="QUERY"
NAME="GetLDAPResults"
ATTRIBUTES="cn,mail"
filter="(SAMAccountName=#form.username#)"
START="OU=staff,DC=test,DC=com,DC=au">

The error message is:
Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

The binding is the problem. How do I bind to AD?

Thanks,
b.

1 Correct answer: the reply of Dec 22, 2008 below.
Explorer, Dec 21, 2008
Anyone?
b.
LEGEND, Dec 22, 2008
billdimit wrote:
> Hi,
> I need to convert all CF LDAP validation pages in my apps (OpenLDAP) to the
> new AD server validations. No luck so far.
>
> I cannot make an anonymous bind to AD using LDAP so I do need to bind to AD
> prior to authenticating user. I've got a username/password account created for
> it. I have also been told by System Admin that maybe I would need to use the AD
> userPrinciple
>
> The LDAP code that works with the OpenLDAP:
>
> <CFLDAP
> SERVER="ldap.test.com.au"
> PORT="389"
> USERNAME="uid=#form.username#,ou=people,ou=staff,o=test.com.au"
> PASSWORD="#form.password#"
> ACTION="QUERY"
> NAME="GetLDAPResults"
> ATTRIBUTES="dn,ou,o,uid,cn,sn,title,mail,l,telephonenumber,roomnumber"
> FILTER="uid=#form.username#"
> START="ou=people,ou=staff,o=test.com.au">
>
> I have tried this code with AD without any success:
>
> <CFLDAP
> SERVER="ad.test.com.au"
> port="389"
> scope="subtree"
> USERNAME="#form.username#,OU=staff,DC=test,DC=com,DC=au"
> PASSWORD="#form.username#"
> ACTION="QUERY"
> NAME="GetLDAPResults"
> ATTRIBUTES="cn,mail"
> filter="(#form.username#)"
> START="OU=staff,DC=test,DC=com,DC=au">
>
> The error message is:
> Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334,
> comment: AcceptSecurityContext error, data 525, vece ]
>
> The binding is the problem. How do I bind to AD?
>
> Thanks,
> b.
>
>

All I can tell you is that I don't do anything special with my
<cfldap...> tag to connect to Active Directory. A couple of possible
things to look at.

scope="subtree": Active Directory can be very picky about permissions,
and if the account you are using in username and password does not have
permission for *EVERY* branch and leaf of the entire subtree below your
starting point, you will get this error. Try being more specific in your
Start and/or only pick the current branch until you have isolated what is
causing the problem.

USERNAME="#form.username#,OU=staff,DC=test,DC=com,DC=au": That is not
the way my username field looks for accessing our active directory. For
us it goes username="windowsDomain\ADUserName".
Explorer, Dec 23, 2008
Hi,

I've tried everything and it still doesn't work.

Anyway, it is time for a break.

Thanks for your help. Merry Xmas and Happy New Year.

b.
Community Beginner, Dec 23, 2008
Instead of pounding your brain from the CF side, try using the command-line tool LDIFDE:
http://support.microsoft.com/kb/237677

It will give you a straightforward interface to test your user/pass, queries, etc., without the black box.
Explorer, Feb 02, 2009
Hi,

I'd like to reactivate this topic. One month later and still the same problem.
In the meantime I've managed to do validation using C#. I didn't use the service account at all. It binds with user's credentials.

The .NET code is:

using System;
using System.DirectoryServices;

// Binds to AD with the user's own credentials; a failed bind, or a search
// that finds no matching account, is reported as a failed login.
public static bool checkUser(string userName, string password)
{
    DirectoryEntry de = new DirectoryEntry("LDAP://ad.test.com.au");
    de.Username = userName;
    de.Password = password;
    try
    {
        // Reading NativeObject forces the bind, so bad credentials throw here.
        object o = de.NativeObject;

        DirectorySearcher ds = new DirectorySearcher(de);
        // userName is interpolated into the filter as-is; a value placed in a
        // filter should be escaped per RFC 4515 (\, *, (, ) and NUL).
        ds.Filter = "(samaccountname=" + userName + ")";
        ds.PropertiesToLoad.Add("samaccountname");

        SearchResult sr = ds.FindOne();

        if (sr == null)
        {
            throw new Exception();
        }

        return true;
    }
    catch
    {
        return false;
    }
}


This is a new version of my ldap tag:

<CFLDAP
ACTION="QUERY"
SERVER="ad.test.com.au"
USERNAME="SAMAccountName=#form.username#,OU=Staff,DC=ad,DC=test,DC=com,DC=au"
PASSWORD="#form.password#"
NAME="GetLDAPResults"
scope="subtree"
ATTRIBUTES="*"
filter="(SAMAccountName=#form.username#)"
START="OU=Staff,DC=ad,DC=test,DC=com,DC=au">

The error message:
Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

If I change the LDAP tag's username attribute to:

USERNAME="CN=john smith,OU=Staff,DC=ad,DC=test,DC=com,DC=au"

the validation works fine.

Any idea?

B.


Explorer, Feb 03, 2009
Anyone?

B.
Explorer, Feb 03, 2009

Ian Skinner was right.

It was the USERNAME attribute format.

Instead of:

USERNAME="SAMAccountName=#form.username#,OU=Staff,DC=ad,DC=test,DC=com,DC=au"

The right format is domain\#form.username#.

In my case:

USERNAME="ad\#form.username#"

B.
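As an added example that is not part of the thread: a small Python helper that decodes the "error code 49 ... data 525" string the poster kept hitting, builds the domain\username bind identity the thread ends with, and escapes the form value before it goes into the (sAMAccountName=...) filter that both the CFLDAP tag and the C# method above interpolate raw. The sub-codes other than 525 are Microsoft's documented values rather than anything on this page, and the character check on the account name is a constructed policy.

```python
import re

# Meaning of the "data NNN" sub-code AD appends to LDAP error 49 (invalid
# credentials). 525 is the value seen in the thread; the others are Microsoft's
# other documented AcceptSecurityContext sub-codes (not from the thread).
AD_BIND_SUBCODES = {
    "525": "user not found: bind name is not in a form AD resolves",
    "52e": "invalid credentials: user found, password wrong",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_ERR_RE = re.compile(r"error code (?P<code>\d+).*?data (?P<data>[0-9a-fA-F]+)")


def explain_bind_error(message):
    """Parse a JNDI/CFLDAP bind failure string and return
    (error_code, sub_code, explanation), or None if it is not one."""
    m = _ERR_RE.search(message)
    if not m:
        return None
    code, data = int(m.group("code")), m.group("data").lower()
    if code != 49:
        return code, data, "not a credential error"
    return code, data, AD_BIND_SUBCODES.get(data, "unknown AcceptSecurityContext sub-code")


def bind_name(domain, username):
    """Build the domain\\user bind identity the thread ends with. The
    character check is a constructed policy: it keeps a form value from
    smuggling its own domain prefix or DN syntax into the bind name."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username):
        raise ValueError("username has characters not allowed in a sAMAccountName")
    return f"{domain}\\{username}"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter such as
    (sAMAccountName=<value>); unescaped, 'x)(objectClass=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(username):
    """Search filter for one account, with the form value escaped."""
    return f"(sAMAccountName={escape_filter_value(username)})"
```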