Help me with Active Directory [LDAP]


TobiasTheViking
17th October 2006, 03:50 AM
I am trying to connect to an AD and get an email address for a given username.

I am doing this on a Windows computer where I have tested that it works (through its own "Address Book" search).

I am trying to do the same (for starters) with ldapsearch.exe from openldap.com, which I have installed.

I tell it to search on Active Directory, and it works as expected.

When I try to do the same with ldapsearch I get nothing usable.

From the properties of the Active Directory directory service I entered the following into my ldap.conf


URI ldap://172.16.1.15:3268
BASE NULL

Yes, the base in the search is "NULL", which I find odd. A tooltip says "If the search base information is required, it will be supplied by the directory service".

Now I have tried, with ldapsearch, to use a lot of different bases, but none of them give me any relevant information. So I am trying to figure out how to find the proper base.

Can anyone help me, or give me a hint?

SpeederA
17th October 2006, 03:33 PM
What parameters are you passing ldapsearch?

TobiasTheViking
17th October 2006, 06:07 PM
-x "" or -x "name=g-to" or -x "name=Tobias" or -x "name=Tobias Ussing"

g-to being my login name

SpeederA
17th October 2006, 07:33 PM
Okay, so your problem is twofold. First, the base should NOT be null. Set it to the root of your domain.

e.g.
BASE DC=Headquarters, DC=MyCompany, DC=local

Second, your flags are all wrong.
The line should read more along the lines of

ldapsearch "name=tobias"

-x stands for simple authentication


Third, you most likely have not given anonymous users browse rights to your AD (which you shouldn't). So when you attempt to "search" the active directory using an anonymous login, the results returned are nothing. And a search on nothing returns nothing.

The easiest way to fix this is by changing your command to:

ldapsearch -D "CN=MyUserName, OU=SmartPeople, OU=Users, DC=Headquarters, DC=MyCompany, DC=local" -W "name=tobias"

Now you can authenticate and use proper rights for the search.
Change OU to CN if you are using a container somewhere instead of an organizational unit. (Yes, users happen to be containers...)

Just note that the password will be sent in plain text, so make sure to use encryption!

Sorry for the rather curt response.
Time is not on my side. ;o)

Speeder

TobiasTheViking
18th October 2006, 04:47 AM
Yes, and my problem is that I don't know what the BASE is. And I want to know how I can find out what the BASE is.

I know the OUs I need to use, but not the DCs. :/

But thanks for the reply :)

SpeederA
18th October 2006, 06:22 AM
Change your URI to

ldap://someip:3268

This will connect you to the Global Catalog
And use the search

ldapsearch -b "" -LLL "" dn

To do anything more, without compromising security, you'll have to authenticate.

Ciao.
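An added example (mine, not code posted by SpeederA or TobiasTheViking) for the actual question of how to find the BASE. A domain controller answers an anonymous base-scope search of the empty DN (the RootDSE) and lists its naming contexts there, which is what the Windows address book relies on when BASE is left at "NULL". With OpenLDAP's ldapsearch that query is `ldapsearch -x -LLL -H ldap://172.16.1.15 -b "" -s base "(objectClass=*)" defaultNamingContext rootDomainNamingContext namingContexts`. The Python below parses the LDIF such a query prints and cross-checks the advertised base against the DNS domain name. The attribute names are the real AD RootDSE attributes; the sample LDIF is constructed from the thread's names (host name and partition list invented), not captured from a server.

```python
"""Find the AD search base from the RootDSE output of ldapsearch (added example)."""
import base64

# Constructed sample of what the RootDSE query prints; values are invented for the
# thread's domain, not captured from a real DC. ldapsearch folds long lines by
# continuing them on a line that starts with one space (see the ForestDnsZones line).
SAMPLE_ROOTDSE_LDIF = """\
dn:
namingContexts: DC=tomsgroup,DC=dom
namingContexts: CN=Configuration,DC=tomsgroup,DC=dom
namingContexts: CN=Schema,CN=Configuration,DC=tomsgroup,DC=dom
namingContexts: DC=DomainDnsZones,DC=tomsgroup,DC=dom
namingContexts: DC=ForestDnsZones,DC=tomsgroup,DC=d
 om
defaultNamingContext: DC=tomsgroup,DC=dom
rootDomainNamingContext: DC=tomsgroup,DC=dom
dnsHostName: dc01.tomsgroup.dom
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a single space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles 'attr: value' and base64-encoded 'attr:: value' lines. Attribute names
    are case-insensitive in LDAP, so they are lower-cased for lookup.
    """
    entry = {}
    for line in unfold_ldif(text):
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def dns_to_base_dn(dns_domain):
    """tomsgroup.dom -> DC=tomsgroup,DC=dom.

    DN components are written leaf first, so the DNS label order is already the DN
    order (this is the 'backwards' DC ordering the thread found odd).
    """
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join("DC=" + label for label in labels)


def discover_search_base(rootdse_ldif, dns_domain=None):
    """Return the base DN to search, cross-checked against the DNS domain if given.

    defaultNamingContext is the domain partition of the DC you are talking to. The
    DN derived from the DNS domain must be one of the advertised namingContexts;
    otherwise you reached a DC of another domain or mistyped the domain (the
    thread's DC=dod case).
    """
    entry = parse_ldif_entry(rootdse_ldif)
    default = entry["defaultnamingcontext"][0]
    if dns_domain is not None:
        derived = dns_to_base_dn(dns_domain)
        advertised = {nc.lower() for nc in entry.get("namingcontexts", [])}
        if derived.lower() not in advertised:
            raise LookupError(f"{derived} is not a naming context here; advertised: {sorted(advertised)}")
    return default


if __name__ == "__main__":
    print(discover_search_base(SAMPLE_ROOTDSE_LDIF, "tomsgroup.dom"))
```

The RootDSE is readable without credentials on a default AD installation, so this step needs no bind; everything below the base (users, mail addresses, group membership) does, which is the point SpeederA makes about anonymous browse rights.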

TobiasTheViking
18th October 2006, 06:28 AM
I'll try it Friday.


Authentication shouldn't be a problem as I DO have an account on the Active Directory server.

TobiasTheViking
18th October 2006, 06:30 AM
and thanks :)

SpeederA
18th October 2006, 06:32 AM
np.

Oh, just to clarify. By "compromising security" I meant giving anonymous users browsing rights, not something nefarious. ;o)

TobiasTheViking
18th October 2006, 06:46 AM
Well, security of the server is not something I'm really concerned with, since it has nothing to do with me and it is outside of the scope of my assignment. :)

Searching (with the Windows util) doesn't work if I disable authentication, but if I enable it then I get a result, even if the username and password I give is wrong. Very odd, but, there it is.

SpeederA
18th October 2006, 06:54 AM
Security is everyone's responsibility! ;)

Which utility are you talking about? And what do you mean by "disabling authentication"?

TobiasTheViking
18th October 2006, 07:04 AM
Well, I can't actually influence the security; if I could, I would.

As for the utility, I believe it is just called "Address Book".

"Start -> Search -> Computers, printers, people on the network -> Search for people"

Or something like that. Then I can select where to search (I select Active Directory), then I can right click on the combobox where I select where to search, and I can select which server, base, and username/password to use for the AD connection.

The standard BASE in there was NULL. The standard username was NULL, no password was given.

SpeederA
18th October 2006, 07:55 AM
Ah. My guess is that you are using a computer which is part of the domain and logging into windows with a domain account.

And since you probably have SPA (Secure Password Authentication) enabled, the token being passed to the domain controller for the search will end up being the one representing the domain user account that you logged in with. :cool: ;)

TobiasTheViking
20th October 2006, 03:29 AM
Well, I've made quite a bit of progress through trial and error.

going through
start -> programs -> accessories -> address book

Then click "find people", that is where I looked up accounts before.

So I made a new directory service to use in there (instead of the standard one). Doing that I have found, and verified, the BASE, and the login I need to use.


The BASE being the initial "DC=tomsgroup,DC=dom" I tried.
The username being tomsgroup\g-to
And the password being something secret.
First I disabled SPA and didn't enter accurate account information, and I got an error. Then I entered the above information, and it worked.

For BASE I first left it at "NULL" and it worked, I changed it to the above, and it worked, and then I changed it to "DC=tomsgroup,DC=dod" and it failed.

So I now feel I have verified the information for the AD access.

BUT, I can't figure out how to log in (with my own Java program, or with ldapsearch).

My domain is "studenter-it.tomsgroup.dom", and I've tried the following commands, to no avail.


ldapsearch.exe -v -D "CN=Tobias Ussing,DC=studenter-it,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=Tobias Ussing,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=g-to,DC=studenter-it,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=g-to,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=tomsgroup\g-to,DC=studenter-it,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=tomsgroup\g-to,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=tomsgroup\\g-to,DC=studenter-it,DC=tomsgroup,DC=dom" -W ""
ldapsearch.exe -v -D "CN=tomsgroup\\g-to,DC=tomsgroup,DC=dom" -W ""


But in all cases I get


Enter LDAP Password: ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893


I'm rather lost right now. Any ideas?

And thanks for your help so far. :)

ETA: Invalid credentials meaning non-existing user. It is NOT bad username and password.

SpeederA
20th October 2006, 08:37 AM
You need to put the Container/OU that your username is in.

e.g. -D "CN=Tobias Ussing, CN=Odd People, OU=Users, DC=Studenter, DC=TomsGroup, DC=dom"

Base can be null as long as you connect to the global catalog (port 3268) and you specify it as -b "" in the commands passed to ldapsearch.

;)

TobiasTheViking
20th October 2006, 09:35 AM
So very confusing, will try on Monday.

Thanks for your help, Speedy Gonzales. :)

SpeederA
20th October 2006, 11:52 AM
You can use SASL if you want to use a "user name" instead of plain text authorizations where you need to know the distinguished name of the user.

np

TobiasTheViking
23rd October 2006, 04:37 AM
I finally got it working, and I was so close all along.

For some reason this works:
"CN=Tobias Ussing,OU=External,OU=Users,OU=DK,DC=tomsgroup,DC=dom"

but this doesn't:
"CN=Tobias Ussing,OU=DK,OU=Users,OU=External,DC=tomsgroup,DC=dom"

Very odd, in my opinion.

But it works. And i can search and find what i want and everything. so. woohoo


Thanks for all your help

SpeederA
23rd October 2006, 09:29 AM
Oh. Lol. Sorry. I thought you knew that distinguished names are written from left to right....

np

TobiasTheViking
23rd October 2006, 01:30 PM
Nope, no one told me that. This endeavour is, so far, my only probing of AD.

And the DC isn't backwards like the OU is.

Which i find odd.

Oh well, it works.

The functions I needed to implement in Java were "find email address based on user id" and "check if userid is member of IT group". After I got the login working (in some other program I had downloaded) it took 30s to get it working in my own Java application. And then 10 min to figure out how to do filters properly.

It just works. :D

And thanks for your endeavour, even if, in the end, i solved it by accident. But it means a lot that you tried, and i did learn from it :D which is the most important thing.

Sincerely
A Barstard Commie

SpeederA
23rd October 2006, 04:15 PM
DCs are "backwards" too.

lan.microsoft.com is

root: com
domain: microsoft
sub-domain: lan

Pshaw. What about my -D? hmmmm? Where's my commission? :D

Don't worry about it.
Consequently. May I suggest "Mastering Windows Server 2003 (http://www.amazon.com/Mastering-Windows-Server-Mark-Minasi/dp/0782141307/sr=8-1/qid=1161641330/ref=pd_bbs_sr_1/102-2990093-8292124?ie=UTF8)" as a good read for you. I have one of my new employees reading it cover to cover right now. It's an excellent reference and should give you a leg up when it comes to this kind of stuff. It might not go into the truly gory details of LDAP and AD, but it does go deep enough that you'll feel much more comfortable in the windows environment.

Oren
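An added example (not code from the thread) covering the two things that went wrong above: the order of the OU components in the bind DN, which is written leaf first (RFC 4514), i.e. the reverse of the path you walk in the AD tree, and, for the two Java functions Tobias mentions, building the search filters without letting the user id rewrite the query (RFC 4515 escaping). Two facts worth knowing alongside it: AD's simple bind also accepts `tomsgroup\g-to` or `g-to@tomsgroup.dom` as the -D value, so the full DN is not required, and `data 525` in the error above is AD's code for "no such user", which is why every guess that put the account directly under the DC components failed. A simple bind sends the password in the clear unless you add -ZZ (StartTLS), use an ldaps:// URI, or bind with -Y GSSAPI, which is the SASL route SpeederA mentions. The group DN and the OU names below are the thread's or invented; nothing was captured from a directory.

```python
"""Build AD bind DNs and search filters safely (added example, not from the thread)."""

# RFC 4515: these characters inside a filter value are replaced by \XX hex escapes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it matches literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for one RDN attribute value (e.g. a CN or OU containing a comma)."""
    out = []
    for i, ch in enumerate(value):
        leading_special = i == 0 and ch in " #"
        trailing_space = i == len(value) - 1 and ch == " "
        if ch in ',+"\\<>;' or leading_special or trailing_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def dns_to_dc(dns_domain: str) -> str:
    """tomsgroup.dom -> DC=tomsgroup,DC=dom (DNS label order is already DN order)."""
    return ",".join("DC=" + label for label in dns_domain.strip(".").split("."))


def user_dn(cn: str, ou_path, dns_domain: str) -> str:
    """Bind DN for a user.

    ou_path is given top-down, as you see it in the AD tree (["DK", "Users", "External"]);
    the DN reverses it because the leaf (the user's CN) comes first.
    """
    rdns = ["CN=" + escape_rdn_value(cn)]
    rdns += ["OU=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    rdns.append(dns_to_dc(dns_domain))
    return ",".join(rdns)


def email_filter_unsafe(userid: str) -> str:
    """What a first attempt usually looks like: the user id goes in verbatim.

    userid "*" then matches every account; "g-to)(mail=*" adds a clause of the caller's
    choosing. Kept only to contrast with email_filter().
    """
    return f"(&(objectClass=user)(sAMAccountName={userid}))"


def email_filter(userid: str) -> str:
    """Hardened form: the account whose sAMAccountName is exactly userid.

    Request the 'mail' attribute with this filter to get the address.
    """
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(userid)}))"


def group_member_filter(userid: str, group_dn: str, nested: bool = False) -> str:
    """Is userid a member of group_dn? memberOf holds the group's DN.

    nested=True uses AD's LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941)
    so membership through nested groups counts too.
    """
    rule = ":1.2.840.113556.1.4.1941:" if nested else ""
    return (f"(&(objectClass=user)(sAMAccountName={escape_filter_value(userid)})"
            f"(memberOf{rule}={escape_filter_value(group_dn)}))")


if __name__ == "__main__":
    print(user_dn("Tobias Ussing", ["DK", "Users", "External"], "tomsgroup.dom"))
    print(email_filter("g-to"))
    print(email_filter_unsafe("*"), "<- matches every user")
    print(email_filter("*"), "<- matches only an account literally named *")
    print(group_member_filter("g-to", "CN=IT,OU=Groups,DC=tomsgroup,DC=dom", nested=True))
```

The escaping matters more in the Java program than in ldapsearch: once "find email by user id" takes its argument from a web form or a script, an unescaped id turns a lookup into a directory enumeration or a membership check that always succeeds.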

TobiasTheViking
23rd October 2006, 05:01 PM
Well, this is a 2-month student project, and AD is only a minor part of it, so I won't invest in a book.

But I'll keep the book in mind if it ever becomes relevant.

TobiasTheViking
23rd October 2006, 05:02 PM
Oh, and thanks for the -D

* TobiasTheViking runs over and hugs SpeederA as thanks for the -D

SpeederA
23rd October 2006, 09:33 PM
:scared:

TobiasTheViking
24th October 2006, 09:19 AM
:cry1

SpeederA
24th October 2006, 09:36 AM
:boxedin:

TobiasTheViking
24th October 2006, 10:07 AM
:hug1:

SpeederA
25th October 2006, 04:55 PM
:hit: