--On Monday, 18 February 2002 09:19 +0000 Carsten Cramer
<Car...@lr...> wrote:
> Does anybody know how to configure LDAP on a W2K Domain controller to
> make ldap binds through net::ldap possible?
You need to bind first before you can search AD, because by default
anonymous has no read permissions on the AD.
> I tried the 'searchldap' client from the iPlanet SDK as well, which runs in
> a verbose mode and returns error messages quite well.
Which error messages do you get?
> It seems to me that by default:
> - simple bind is not supported (even if the ldap call is from a domain
> integrated w2k-client) (kerberos authentication is wanted)
> - hosts, which are not w2k domain enabled, are refused
Simple bind is enabled by default. You need the right DN though. Try
reading the namingContext attribute from the rootDSE (ldapsearch -h
ldap.example.com -s base -b "" objectclass=*). Your DN will probably be
something like "cn=Carsten Cramer, ou=users, dc=lrz-muenchen, dc=de".
For further information on SASL/GSSAPI/Krb5 see
http://www.daasi.de/staff/norbert/thesis/
> I couldn't find any detailed LDAP logging option on the w2k Server, which
> might be helpful. Configuring LDAP on W2k is like fishing in muddy
> water...
There exists a knowledge base article which describes a registry setting to
enable ldap logging. This does not provide very detailed information
though. The best way to see what happens is to run NETMON on the W2k server.
-- 
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH phone: +49 7071 29 70336
Wilhelmstr. 106 fax: +49 7071 29 5114
72074 Tübingen email: nor...@da...
Germany web: http://www.daasi.de
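
The sequence the reply describes (read the rootDSE, then bind with a full DN before searching), as an added Net::LDAP example that is not part of the original mail. The host and DN are the placeholder values quoted in the reply; the LDAPS listener on the DC, the CA file path and the LDAP_PASSWORD variable are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the original thread.
use strict;
use warnings;
use Net::LDAP;

# Placeholder host and DN as quoted in the mail above.
my $host = 'ldap.example.com';
my $dn   = 'cn=Carsten Cramer, ou=users, dc=lrz-muenchen, dc=de';
# Assumption: password supplied via the environment, never stored in the script.
my $pw   = $ENV{LDAP_PASSWORD} or die "set LDAP_PASSWORD\n";

# A simple bind sends the password unprotected, so connect over LDAPS.
# Assumption: the DC has a server certificate; the CA path is hypothetical.
my $ldap = Net::LDAP->new("ldaps://$host",
    timeout => 10,
    verify  => 'require',
    cafile  => '/etc/ssl/certs/ad-ca.pem',
) or die "connect: $@\n";

# Step 1: the rootDSE is readable before any bind; use it to learn the
# naming contexts (search bases) and the SASL mechanisms the server offers.
my $dse = $ldap->root_dse(attrs => ['namingContexts', 'supportedSASLMechanisms'])
    or die "cannot read rootDSE\n";
my @contexts = $dse->get_value('namingContexts');
die "server returned no namingContexts\n" unless @contexts;
print "namingContexts: $_\n" for @contexts;
print "SASL mechanisms: ", join(', ', $dse->get_value('supportedSASLMechanisms')), "\n";

# Step 2: simple bind with the full DN. Check the result code explicitly:
# a wrong DN or password shows up here, not as an empty search result.
my $bind = $ldap->bind($dn, password => $pw);
die sprintf("bind failed: %s (%s)\n", $bind->error, $bind->error_name)
    if $bind->code;

# Step 3: search below the first naming context as the authenticated user.
my $res = $ldap->search(
    base   => $contexts[0],
    scope  => 'sub',
    filter => '(cn=Carsten Cramer)',
    attrs  => ['cn'],
);
die sprintf("search failed: %s\n", $res->error) if $res->code;
print "found: ", $_->dn, "\n" for $res->entries;

$ldap->unbind;
```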