logon to specific OU using DirectoryServices - active-directory

I'm having trouble logging in to a specific OU in my ConsoleApp. I guess my LDAP string is incorrect somehow; these are some output samples from my Test-App.
This works fine
Path: LDAP://my.domain User: DOMAIN\user Pass: mypass
DOMAIN\user = Authenticated
But none of these
Path: LDAP://my.domain, ou=myou, dc=my, dc=domain User: user Pass: mypass
Path: LDAP://my.domain/ou=myou User: user Pass: mypass
Path: LDAP://my.domain/ou=myou User: DOMAIN\user Pass: mypass
They work in VBS though.. am I getting something all wrong, or is it the AD guys that have to do something with my account? All I get is unknown user or wrong password.
They all work if I leave out the "ou" part; connecting to my.domain is a breeze..
Regards

Your LDAP path should be something like:
LDAP://servername/ou=MyOU,dc=my,dc=domain
(you need to provide the server name that you want to use as DC - as your Domain Controller)
or:
LDAP://ou=MyOU,dc=my,dc=domain (for server-less binding)
You cannot specify a username/password to use right in the LDAP string. If you need that, you'll need to find another way to provide those credentials (like picking the right overloaded constructor for DirectoryEntry which allows you to specify a username/password to use for connecting to AD).
Update:
I think you should change your code to work like this:
using System.DirectoryServices;

// Serverless bind: the OU and domain components form the DN, and the client locates a DC for dc=my,dc=domain itself
string adPath = "LDAP://ou=myou,dc=my,dc=domain";
string adUser = "myuser";
string adPass = "mypass";
// you might need to play around with the "AuthenticationTypes" to get it to work
// (AuthenticationTypes.None is a cleartext simple bind; AuthenticationTypes.Secure uses Negotiate, i.e. Kerberos/NTLM)
DirectoryEntry entry = new DirectoryEntry(adPath, adUser, adPass, AuthenticationTypes.None);
DirectorySearcher searcher = new DirectorySearcher(entry);
searcher.Filter = @"(objectClass=Person)";
I'm not sure if a LDAP string like this will work:
string adPath = "LDAP://my.domain/ou=myou,dc=my,dc=domain";
I vaguely remember I had to use a server name (not a domain name) to get this to work - something like this:
string adPath = "LDAP://dc01.my.domain/ou=myou,dc=my,dc=domain";

Related

LDAP Bind allowing incorrect (non-blank) password

We have a customer's AD system that we authenticate users against using LDAP, specifically by doing a bind using their username and password. Depending on how the username is structured, the results of an incorrect password are different. If we include the domain name on the username, then ANY password will return an authenticated result. I've pasted some results using LDP.exe for each of the scenarios:
Bind with myusername & invalid (non blank) password:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='[username]'; Pwd= <unavailable>; domain = 'DC=[domain],DC=co,DC=uk'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4563
Bind with myusername@domain.org & invalid (non blank) password:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='[myusername@domain.org]'; Pwd= <unavailable>; domain = 'DC=[domain],DC=co,DC=uk'.}
Authenticated as dn:'[username@domain.org]'.
What I have noticed is that the user's full username is username@domain.org and the domain provided to LDAP is DC=domain,DC=co,DC=uk; not sure if this would make a difference?
Does anyone have any ideas on what may be causing this and whether there is some sort of setup somewhere that needs addressing?
Cheers.
Is the Guest account enabled on the domain? If so, any random credentials will work. It will only tell you that the password is incorrect if you use a valid username.
When you use the myusername format, it must match the sAMAccountName attribute on the account. If you use the myusername@domain.org format, it must match the userPrincipalName on the account, so it's possible that myusername@domain.org is not really the userPrincipalName of your account.
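Added example (Python, not code from the question or the answer above): the "Server error" line LDP.exe printed carries a sub-code after "data" (52e in the question) that says why AD rejected the bind. The parser below pulls that code out and maps it; the sample strings are constructed in the same format as the one above, and the helper names are mine. It also shows the check an application should make on the way out: 525 (no such user) and 52e (bad password) must not reach the end user as different messages, otherwise a failed login tells an attacker which usernames exist. For the Guest case in the answer, where any password "works", the bind result alone proves nothing; after a successful bind, confirm which identity you actually hold (an LDAP whoami, or a search for the user's own object by userPrincipalName) before treating the login as valid.

```python
import re

# Constructed samples in the format of the "Server error" line above; the 52e one
# is the case from the question, the others are the same format with other codes.
SAMPLE_ERRORS = [
    "8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4563",
    "8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 525, v4563",
    "8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 533, v4563",
]

# Sub-codes Active Directory puts in the "data" field of an invalidCredentials (49) result.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, password wrong)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def parse_bind_error(server_error):
    """Return (data_code, meaning) from an AD bind diagnostic, or (None, None) if absent."""
    match = _DATA_RE.search(server_error)
    if not match:
        return None, None
    code = match.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown sub-code")


def account_known(server_error):
    """True/False if the sub-code says whether the account exists; None if it cannot tell."""
    code, _ = parse_bind_error(server_error)
    if code is None:
        return None
    return code != "525"


def user_facing_message(server_error):
    """Message for the end user. 525 and 52e collapse into one generic message so a
    failed login does not reveal whether the username exists; the exact sub-code
    belongs in the server-side log only."""
    code, _ = parse_bind_error(server_error)
    if code in ("533", "701", "775"):
        return "Your account cannot be used to sign in. Contact your administrator."
    if code in ("532", "773"):
        return "Your password must be changed before you can sign in."
    return "Invalid username or password."


if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        print(parse_bind_error(err), "->", user_facing_message(err))
```

The code table is the documented set of AcceptSecurityContext sub-codes; anything not in it is reported as unknown rather than guessed.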

Not able to login after create the user in AD using Java

I have written code using JNDI to create users in AD via DirContext.
After I create the user, I am not able to log in with those credentials. When I manually reset the password for that user in AD, I am able to log in.
Here I have placed my code for your reference,
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> ldapenv = new Hashtable<>();
ldapenv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapenv.put(Context.PROVIDER_URL, "ldap://10.95.144.139:389"); // plain LDAP on port 389
ldapenv.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapenv.put(Context.SECURITY_PRINCIPAL, "CN=Administrator,CN=Users,dc=Merck,dc=local");
ldapenv.put(Context.SECURITY_CREDENTIALS, "Merck2017");
DirContext context = new InitialDirContext(ldapenv);
Attributes attributes = new BasicAttributes(true); // true: attribute names are case-insensitive
// Create the objectClass values to add
Attribute objClasses = new BasicAttribute("objectClass");
objClasses.add("top");
objClasses.add("person");
objClasses.add("organizationalPerson");
objClasses.add("user");
// Assign the username, first name, and last name
String cnValue = user.getFirstName() + " " + user.getLastName();
Attribute cn = new BasicAttribute("cn", cnValue);
Attribute sAMAccountName = new BasicAttribute("sAMAccountName", user.getUserName());
Attribute principalName = new BasicAttribute("userPrincipalName", user.getUserName() + "@" + "merck.local");
Attribute givenName = new BasicAttribute("givenName", user.getFirstName());
Attribute sn = new BasicAttribute("sn", user.getLastName());
Attribute uid = new BasicAttribute("uid", user.getUserName());
// Add password
Attribute userPassword = new BasicAttribute("userPassword", user.getPassword());
// pwdLastSet = -1: the password counts as set now, so no "must change password at next logon"
Attribute pwdAge = new BasicAttribute("pwdLastSet", "-1");
// 544 = NORMAL_ACCOUNT (512) + PASSWD_NOTREQD (32)
Attribute userAccountControl = new BasicAttribute("userAccountControl", "544");
// Add these to the container
attributes.put(objClasses);
attributes.put(sAMAccountName);
attributes.put(principalName);
attributes.put(cn);
attributes.put(sn);
attributes.put(givenName);
attributes.put(uid);
attributes.put(userPassword);
attributes.put(userAccountControl);
attributes.put(pwdAge);
// Create the entry (getUserDN builds the DN from the cn and the target OU; not shown here)
try {
    context.createSubcontext(getUserDN(cnValue, "Merck-Users"), attributes);
    System.out.println("success === ");
} catch (Exception e) {
    System.out.println("Error --- " + e.getMessage());
}
Please help me resolve the following issues:
How do I set AD user password while creating the user using the above code?
How do I set userAccountControl to 66048 in the above code?
How do I create the user enabled while using the above code?
How do I disable the option "user must change the password in next login" while creating the user in the above code?
Thanks in advance.
I don't have all the answers, but this should get you started:
Passwords can only be set over a secure channel, like LDAPS (LDAP over SSL). Since you are connecting to port 389, that is not SSL and AD won't let you set the password. You must connect to the LDAPS port: 636. You may run into issues trusting the SSL certificate. I can't help much here since I'm not a Java developer, but there is an example here.
The answer to your second and third questions is the same: Accounts with no passwords are always disabled. Since you haven't set the password properly, the account will be disabled. Once you figure out how to set the password, you can also set userAccountControl to whatever you need.
You are disabling the "user must change password" option correctly: by setting pwdLastSet to -1. That's the right way to do it. But you may have to fix the other issues first.
Another important thing: I have created AD accounts in .NET, and I have found that I had to create the account first, then go back and set the password and set the userAccountControl attribute after. You may have to do the same.
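Added example (Python, not code from the question or the answers above) covering the three mechanics behind the four questions. AD does not take the password from userPassword by default; it takes it from the unicodePwd attribute as the quoted password in UTF-16LE, and only on a TLS-protected connection, which is why the answer's LDAPS point matters. The userAccountControl values are bit flags: 544 is NORMAL_ACCOUNT plus PASSWD_NOTREQD, which allows the account to exist with no password at all, and 66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD. Finally, the question builds the DN from first name and last name, so the DN helper below escapes the cn per RFC 4514, otherwise a surname like "Smith, Jr." adds an RDN to the DN the entry is created under. The function names and the sample names are mine; the base DN follows the question's merck.local.

```python
# UserAccountControl bits relevant to the values in the question.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
}


def decode_uac(value):
    """Names of the UAC flags set in value (only the ones listed in UAC_FLAGS)."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def enabled_account_uac(password_never_expires=False):
    """UAC for an enabled user: 512, or 66048 when the password should never expire.
    PASSWD_NOTREQD (32) is deliberately not set: it lets the account exist with no password."""
    value = UAC_FLAGS["NORMAL_ACCOUNT"]
    if password_never_expires:
        value |= UAC_FLAGS["DONT_EXPIRE_PASSWORD"]
    return value


def unicode_pwd_value(password):
    """Value for AD's unicodePwd attribute: the password wrapped in double quotes and
    UTF-16LE encoded (no BOM). AD only accepts it over LDAPS or StartTLS."""
    return ('"' + password + '"').encode("utf-16-le")


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514): the special characters
    are backslash-escaped, a leading space or '#' and a trailing space are escaped too."""
    out = []
    for ch in value:
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    if value[:1] in (" ", "#"):
        escaped = "\\" + escaped
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def user_dn(first_name, last_name, ou, base_dn):
    """DN for the new user, the job of getUserDN(cnValue, "Merck-Users") in the question,
    with the cn and OU escaped so user-supplied names cannot change the DN's structure."""
    cn = first_name + " " + last_name
    return "CN=%s,OU=%s,%s" % (escape_dn_value(cn), escape_dn_value(ou), base_dn)


if __name__ == "__main__":
    print(544, decode_uac(544))          # the question's value, includes PASSWD_NOTREQD
    print(66048, decode_uac(66048))      # the value the question asks for
    print(unicode_pwd_value("Merck2017"))
    print(user_dn("John", "Smith, Jr.", "Merck-Users", "DC=merck,DC=local"))
```

The order the answer describes (create the entry, then set unicodePwd and userAccountControl in a second modify) is the sequence that works reliably; the create may carry userAccountControl 514 (disabled) and the second step replaces it with the value from enabled_account_uac once the password is in place.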

Is there any way to validate given password is valid with computer object created in AD?

I just created a computer object in Active Directory. I set the password for the computer object using the SetPassword command. How can we verify the password for the computer object or authenticate with that password? Is there any way to validate that the password is valid for that computer?
Validating a computer account password can be done in the same way as user passwords. Computer accounts also have a username, SamAccountName.
I'm not sure how to provide an example as you have not specified any programming platform, but for the sake of it here is an example using C# and the System.DirectoryServices.AccountManagement namespace.
using System;
using System.DirectoryServices.AccountManagement;

string password = "securepassword";
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
using (ComputerPrincipal computer = ComputerPrincipal.FindByIdentity(context, "Temp1"))
{
    computer.SetPassword(password);
    // Computer accounts authenticate with their SamAccountName (the computer name followed by "$")
    Console.WriteLine(context.ValidateCredentials(computer.SamAccountName, string.Empty).ToString()); // Returns False
    Console.WriteLine(context.ValidateCredentials(computer.SamAccountName, password).ToString()); // Returns True
}

zabbix authentication with IBM Lotus Domino

Do some of you guys have some experience with authentication in Zabbix using Lotus Domino? I'm not quite sure what to enter there. I know I made some authentication for IBM WebSphere but I can't get it working in Zabbix. Can someone give me some tutorial or explanations? :)
There is:
LDAP HOST : mydomino.local.address
Port : 389
Base DN : ???What is this???
Search attribute : cn;
Bind DN : ???my 'sudo'user / binduser???
Bind password : binduser.password
Ok so I tried it. Also I can easily telnet "mydomino.local.address" on port 389, so there is nothing bad with the connection. Maybe Base DN. Is this something special, unique for each LDAP server like "mycompany DomainName?", or can it be something universal? Also search attribute: I know cn; or uid; or mail; works in WAS.
I would be really glad if someone could just help me with this.
In Domino there are different "Base DNs". For a user search the Base DN typically is o=YourOrganization, so if your Notes names look like CN=MartinFric/OU1=IT/O=YourCompany, then the base DN would be o=YourCompany.
Groups do NOT have a Base DN. If you search for groups, then the Base DN has to be empty.
Bind DN depends on the configuration of your Domino. Your mail address will always work, as well as your CN name. So this might be "Martin Fric" or "martin.fric@yourcompany.com". Other variations might work as well. The bind password is the Internet password of the bind user (HTTP password in the person document in the Domino directory).
Usually one creates a specific LDAP bind user in the directory with an Internet password so as not to expose user passwords to any external program.
The search attributes depend on what you want to achieve.
Open the Lotus Notes program directory of any installed Lotus Notes client in a CMD and type the following:
ldapsearch.exe -h mydomino.local.address -p 389 -D "Martin Fric" -w YourInternetPassword "(CN=Martin Fric)"
In this query the parameters are:
-h = LDAP HOST
-p = Port
-D = Bind DN
-w = Bind Password
"(cn=Martin Fric)" = Query that says: search in (search attribute) cn for an entry with value "Martin Fric"
If this query succeeds and returns values, then the parameters for Zabbix are correct. In that case someone knowing Zabbix has to help you further in debugging that.
If this query does NOT succeed, then you need to fix your Domino -> come back with the error message you get for help.
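Added example (Python, not code from the question or the answer above) that builds the ldapsearch check above from the Zabbix fields. The part worth getting right is the filter: Zabbix substitutes the name a user types into "(searchattribute=name)", so the value has to be escaped per RFC 4515 or a login of "*)(cn=*" rewrites the filter. The attribute name is validated as a plain LDAP attribute descriptor, and the command is built as an argv list rather than a shell string. Function names are mine; the -b option for a base DN is assumed to behave as in other ldapsearch tools.

```python
import re

# An attribute name in a filter is a plain descriptor (RFC 4512): letter, then letters,
# digits or hyphens. The Zabbix "Search attribute" field is free text, so check it.
_ATTRIBUTE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a search filter: backslash, '*', '(', ')'
    and NUL become \\XX so the value cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter(search_attribute, login):
    """Build the '(cn=Martin Fric)' style filter from the Zabbix search attribute and
    the name the user typed at the login prompt."""
    if not _ATTRIBUTE_NAME_RE.match(search_attribute):
        raise ValueError("invalid search attribute: %r" % (search_attribute,))
    return "(%s=%s)" % (search_attribute, escape_filter_value(login))


def ldapsearch_argv(host, port, bind_dn, bind_password, search_attribute, login, base_dn=""):
    """argv for the Notes ldapsearch.exe check above, as a list so nothing is shell-parsed.
    base_dn stays empty for the group case described above; for users it is o=YourCompany.
    (-b for the base DN is assumed to work as in other ldapsearch tools.)"""
    argv = ["ldapsearch.exe", "-h", host, "-p", str(port), "-D", bind_dn, "-w", bind_password]
    if base_dn:
        argv += ["-b", base_dn]
    argv.append(login_filter(search_attribute, login))
    return argv


if __name__ == "__main__":
    # Constructed values following the question; the bind password is a placeholder.
    print(ldapsearch_argv("mydomino.local.address", 389, "Martin Fric", "YourInternetPassword",
                          "cn", "Martin Fric", base_dn="o=YourCompany"))
    print(login_filter("cn", "*)(cn=*"))   # the injection attempt, neutralised
```

Passing -w on the command line exposes the bind password to anyone who can list processes on that machine; for the one-off check above that is acceptable, for anything scripted prefer the tool's password-prompt option if it has one.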

What "domain" should I specify in JNDI login to an Active Directory Server?

I'm wondering what "principal" I should specify to log in to an Active Directory server. Should the principal be a user inside the AD I try to log into? Or can it be a user in the domain I specify, as long as the user has privileges to access the AD?
I tried both, with credentials error 49. But I can log in to the AD with ldp.exe by using the Administrator account of the server that AD is installed on.
Here is my code. Many thanks for any prompt help.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<>(11);
env.put(Context.SECURITY_AUTHENTICATION, "simple"); // Also tried none w/ the same error
// What principal should I use??
env.put(Context.SECURITY_PRINCIPAL, "CN=Ross,OU=Eng,DC=RossInc"); // User
//env.put(Context.SECURITY_PRINCIPAL, user + "@" + domain); // Tried w/ the same error
env.put(Context.SECURITY_CREDENTIALS, "ross"); // Password
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://myserver:389/DC=RossInc");
DirContext ctx = new InitialDirContext(env); // <-- Fails with AuthenticationException: [LDAP: error code 49 - 8009030C
You can provide either:
NT-style login name
Kerberos UPN (implicit UPN)
explicit UPN (if additional UPN suffixes have been defined)
Moreover, NEVER ever perform a simple bind! Use either Digest or GSS-API.
According to the following example from the Oracle site, the security principal is a distinguished name.
Here is some code working for me from a computer inside the domain :
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, "ldap://societe.fr:389");
ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=administrateur,cn=users,dc=societe,dc=fr");
ldapEnv.put(Context.SECURITY_CREDENTIALS, "test.2011");
DirContext ldapContext = new InitialDirContext(ldapEnv);
The principal can be a user inside the AD as long as he has privileges to access the AD.
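Added example (Python, not code from either answer above) that sorts a SECURITY_PRINCIPAL value into the forms the answers list (DN, NT-style DOMAIN\user, UPN, bare name) and says which account attribute the DC matches it against, which is the same sAMAccountName-versus-userPrincipalName distinction from the LDP.exe question earlier on this page. It also adds the check an application doing simple binds needs in front of InitialDirContext: an empty principal is an anonymous bind and an empty password is an unauthenticated bind (RFC 4513 section 5.1), both of which return success without proving a password, so code that treats "the bind worked" as "the user logged in" must reject them first. Function names are mine.

```python
import re

# A DN starts with an RDN such as "CN=" or "cn="; checked first so a DN whose value
# contains a backslash escape is not mistaken for a DOMAIN\user name.
_DN_START_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")


def classify_principal(principal):
    """Return (form, attribute): which accepted form the principal is, and which attribute
    of the account the DC matches it against (None for an anonymous bind)."""
    value = principal.strip()
    if not value:
        return "anonymous", None
    if _DN_START_RE.match(value):
        return "dn", "distinguishedName"      # cn=administrateur,cn=users,dc=societe,dc=fr
    if "\\" in value:
        return "nt-style", "sAMAccountName"   # DOMAIN\user (NetBIOS domain, then account)
    if "@" in value:
        return "upn", "userPrincipalName"     # user@domain, implicit or explicit UPN suffix
    return "bare", "sAMAccountName"           # user


def split_nt_style(principal):
    """(domain, account) for a DOMAIN\\user principal, or None for the other forms."""
    if classify_principal(principal)[0] != "nt-style":
        return None
    domain, account = principal.strip().split("\\", 1)
    return domain, account


def check_simple_bind_inputs(principal, password):
    """Reject the two inputs that make a simple bind succeed without a credential:
    an empty principal (anonymous bind) and an empty password (unauthenticated bind,
    RFC 4513 5.1). Returns the classification when the inputs are usable."""
    form, attribute = classify_principal(principal)
    if form == "anonymous":
        raise ValueError("empty principal would perform an anonymous bind")
    if password == "":
        raise ValueError("empty password would perform an unauthenticated bind")
    return form, attribute


if __name__ == "__main__":
    for p in ("DOMAIN\\user", "user@domain.org", "CN=Ross,OU=Eng,DC=RossInc", "user", ""):
        print(repr(p), "->", classify_principal(p))
```

Whatever form is used, a simple bind sends the password in the clear unless the connection is LDAPS or StartTLS, which is the point behind the first answer's warning; the check above only stops the empty-credential cases, it does not make a plain-text bind safe.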
