From: Norbert K. <nor...@da...> - 2002-02-18 12:00:16
--On Monday, 18 February 2002 09:19 +0000 Carsten Cramer
<Car...@lr...> wrote:

> Does anybody know how to configure LDAP on a W2K Domain controller to
> make ldap binds through net::ldap possible?

You need to bind first before you can search AD, because by default
anonymous has no read permissions on the AD.

> I tried the 'searchldap' client from the iPlanet SDK as well, which runs in
> a verbose mode and returns error messages quite well.

Which error messages do you get?

> It seems to me that by default:
> - simple bind is not supported (even if the ldap call is from a domain
> integrated w2k-client. (kerberos authentication is wanted)
> - hosts, which are not w2k domain enabled, are refused

Simple bind is enabled by default. You need the right DN though. Try
reading the namingContext attribute from the rootDSE (ldapsearch -h
ldap.example.com -s base -b "" objectclass=*). Your DN will probably be
something like "cn=Carsten Cramer, ou=users, dc=lrz-muenchen, dc=de".

For further information on SASL/GSSAPI/Krb5 see
http://www.daasi.de/staff/norbert/thesis/

> I couldn't find any detailed LDAP logging option on the w2k Server, which
> might be helpful. Configuring LDAP on W2k is like fishing in muddy
> water...

There exists a knowledge base article which describes a registry setting to
enable ldap logging. This does not provide very detailed information
though. The best way to see what happens is to run NETMON on the W2k server.

--
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH                 phone: +49 7071 29 70336
Wilhelmstr. 106                          fax:   +49 7071 29 5114
72074 Tübingen                           email: nor...@da...
Germany                                  web:   http://www.daasi.de
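
The sequence described in the reply above, as an added example in Perl with Net::LDAP (not part of the original message or of perl-ldap itself): read the rootDSE anonymously, simple-bind with a full DN, then search as that user. The host name, the DN, and the LDAP_PASSWORD environment variable are placeholders assumed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Placeholders (assumptions, not values confirmed by the thread).
my $host    = 'ldap.example.com';
my $bind_dn = 'cn=Carsten Cramer, ou=users, dc=lrz-muenchen, dc=de';
my $pass    = $ENV{LDAP_PASSWORD}
    or die "set LDAP_PASSWORD in the environment\n";

my $ldap = Net::LDAP->new($host, timeout => 10)
    or die "connect to $host failed: $@\n";

# 1. The rootDSE is readable without binding; it lists the naming contexts
#    that the bind DN and the search base must fall under.
my $dse = $ldap->root_dse(attrs => ['namingContexts'])
    or die "could not read rootDSE\n";
my @contexts = $dse->get_value('namingContexts');
print "naming context: $_\n" for @contexts;

# Pick the naming context that is a suffix of the bind DN, ignoring case
# and the optional spaces after commas.
(my $norm = lc $bind_dn) =~ s/\s*,\s*/,/g;
my ($base) = grep { my $nc = lc $_; $norm =~ /(?:^|,)\Q$nc\E\z/ } @contexts;
die "bind DN is not under any naming context of $host\n" unless defined $base;

# 2. Simple bind with the full DN. A simple bind carries the password
#    unprotected, so use it only on a connection that is already encrypted.
my $mesg = $ldap->bind($bind_dn, password => $pass);
die sprintf("bind failed: %s (%s)\n", $mesg->error_name, $mesg->error)
    if $mesg->code;

# 3. The search now runs as the bound user instead of anonymous.
$mesg = $ldap->search(
    base      => $base,
    scope     => 'sub',
    filter    => '(objectClass=user)',
    attrs     => ['cn'],
    sizelimit => 5,
);
die sprintf("search failed: %s (%s)\n", $mesg->error_name, $mesg->error)
    if $mesg->code;
print $_->dn, "\n" for $mesg->entries;

$ldap->unbind;
```

The `error_name` printed on a failed bind separates a wrong DN or password from a connection or permission problem, which helps when server-side logging gives little detail.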