From: Jim H. <ha...@us...> - 2003-03-13 22:13:28
Jason,

One of the rules of Active Directory is no Anonymous bind. One way to get
around that is to build an account that is only used for 'anonymous' LDAP
searches and use that account's DN and password in the initial bind. AD meets
the letter of the law on this, but not the spirit. Sigh.

--Jim harle

On Thu, 13 Mar 2003, Jason Jolly wrote:

> I'm currently having a problem while trying to authenticate an NT userid
> (Active Directory) from UNIX over LDAP.
>
> I'm using the following code snippet to perform the search/authentication:
>
> ===========================
> == BEGIN
>
> #!/bin/perl -w
>
> use Net::LDAP qw(:all);
> use Net::LDAP::Util qw(ldap_error_name ldap_error_text ldap_error_desc);
>
> $ldap = Net::LDAP->new("XX.XX.X.XXX") || die "$@\n";
> my $msg = $ldap->bind(anonymous => 1, version => 3);
>
> if ( $msg->code ) {
>     print ("Message Error Code => " . $msg->code . "\n");
>     print ("Message Error Name => " . ldap_error_name($msg->code) . "\n");
>     print ("Message Error Text => " . ldap_error_text($msg->code) . "\n");
>     print ("Message Error Desc => " . ldap_error_desc($msg->code) . "\n");
> }
>
> $RS = $ldap->search (
>     base   => "MY_DOMAIN.net",
>     scope  => "sub",      # still doesn't work with or w/out this.....
>     filter => "(uid=*)"   # also tried "mail=*", etc.
> );
>
> print ( "RS Count => " . $RS->count . "\n");
>
> $ldap->unbind();
>
> == END
> ===========================
>
> Now,
>
> This always returns the output:
>
> RS Count => 0
>
> I can only assume that the bind is working...when I try to bind using the
> following command:
>
> my $msg = $ldap->bind(dn=>"dc=MY_DOMAIN,dc=net,cn=MY_USER_ID", password=>"MY_PASSWORD") || die "No Auth: " . "$@\n";
>
> I receive the output:
>
> Message Error Code => 49
> Message Error Name => LDAP_INVALID_CREDENTIALS
> Message Error Text => The wrong password was supplied or the SASL credentials could not be processed
> Message Error Desc => Invalid credentials
>
> which is strange since I know that the credentials being sent are correct,
> nevertheless.....
>
> In talking with my NT admin, he sees no log of either binding attempt?
>
> Any suggestions -- I'm hoping that I just can't see the forest for the trees
> on this one.
>
> thnx,
>
> ~j
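Jim's suggestion of a dedicated lookup account, worked through as an added example (not code from either poster): bind with a read-only lookup account, resolve the user's DN from sAMAccountName, then bind again as that DN to check the password, over LDAPS and with the filter value escaped. Note that both the search base and the bind DN must be proper DNs with the leaf RDN first (cn=...,dc=MY_DOMAIN,dc=net), not a dotted domain name. The server, base DN and account names below are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_name);

# Hypothetical values: replace with your own server, base DN and lookup account.
my $server    = 'ldaps://dc1.example.test';               # LDAPS so passwords never cross in clear
my $base      = 'dc=example,dc=test';                      # AD domain example.test written as a DN
my $lookup_dn = 'cn=ldap-lookup,cn=Users,dc=example,dc=test';  # read-only, least-privilege account
my $lookup_pw = 'LOOKUP_ACCOUNT_PASSWORD';

# Authenticate $user/$pass against AD: look the user up with the service
# account, then bind as the user's own DN. Returns 1 on success, 0 otherwise.
sub ad_authenticate {
    my ($user, $pass) = @_;
    # An empty password would be treated as an unauthenticated bind and "succeed".
    return 0 if !defined $pass || $pass eq '';

    my $ldap = Net::LDAP->new($server, version => 3) or die "connect: $@";

    my $msg = $ldap->bind($lookup_dn, password => $lookup_pw);
    die 'lookup bind failed: ' . ldap_error_name($msg->code) if $msg->code;

    # Escape the supplied name so it cannot change the filter (LDAP injection).
    my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
                         escape_filter_value($user);
    my $res = $ldap->search(base => $base, scope => 'sub', filter => $filter,
                            attrs => ['distinguishedName']);
    die 'search failed: ' . ldap_error_name($res->code) if $res->code;

    # Exactly one match is required; unknown or ambiguous names are rejected.
    if ($res->count != 1) { $ldap->unbind; return 0; }
    my $dn = $res->entry(0)->dn;

    # Second bind as the user proves the password; code 49 means invalid credentials.
    $msg = $ldap->bind($dn, password => $pass);
    my $ok = $msg->code ? 0 : 1;
    $ldap->unbind;
    return $ok;
}

print ad_authenticate($ARGV[0], $ARGV[1]) ? "auth ok\n" : "auth failed\n";
```

Every bind, including the lookup account's, shows up in the domain controller's logon events, which is what the NT admin would watch for.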