Re: Non-Administrator users Can't do LDAP bind to AD
- From: ohaya <ohaya@xxxxxxx>
- Date: Sat, 22 Apr 2006 13:40:31 -0400
Joe,
P.S. So you don't think that I was ignoring your comments about SSPI
:)...
I am using this testing with ldifde and simple bind just to check that I
can access the AD successfully via LDAP, and to verify the baseDN, etc.
I have an application that we'll be using, so once I get things working
with ldifde, I know what to set the config parameters for my program
to. My app, which will eventually be running on a Solaris box, supports
both simple, clear binds, and simple, SSL binds, so the plan is to move
to SSL-protected connection once we have checked everything out.
I think that it was a good thing that we took this approach, because if
we do have a problem with the LDAP simple bind, hopefully this'll make
it easier to pinpoint the cause before we move to using the app.
Jim
ohaya wrote:
.
Joe,
I'll give your suggestions a try when I get a chance to get into the
lab.
Thanks,
Jim
"Joe Kaplan (MVP - ADSI)" wrote:
I'm not sure what was wrong, but it could have been something as simple as
an incorrect username or password specified. For example, this DN for the
user is definitely wrong:
dc=test1,cn=users,cn=mydomain,dn=com
I'm guessing you just mistyped that, but I thought I'd point that out. In
any event, I'd check for bind failures with ldp.exe first. You also need to
be certain that test1 was enabled, etc. LDP (and possibly AD U&C) are more
useful for troubleshooting bind failures than ldifde.
I also really really recommend against using LDAP simple binds with AD.
There is no reason to use them as AD supports SSPI based auth (even with
credentials) and simple binds are a security risk (unless you combine with
SSL). I realize this is just a test lab and all, but they are bad habit.
Note that if you do use SSPI auth, you can't use the DN as a username
syntax. You can use the NT name (domain\user) or UPN or just the username
though. AD also supports NT name and UPN for simple binds, so I tend to
recommend people use those 2 user name syntaxes with AD to get the best
possible compatibility.
Best of luck,
Joe K.
"ohaya" <ohaya@xxxxxxx> wrote in message news:44497168.7EAAF6D9@xxxxxxxxxx
Joe,
Thanks for the suggestions.
The Win2K3 instance I mentioned in my original post is in our lab, and I
don't know for sure what "baseline" they installed, so I'm not sure if
that machine was locked down in any way.
So, I'm in the process of doing a clean install of Win2K3 now, and I'll
try to do the same test I did in the lab to see if I have the problem
again.
If I do run into the problem, I'll try ldp as you suggested, and I'll
also try to post details.
If I DON'T run into the problem, I still need to figure out WHAT is
causing the ldifde from working in the lab, so I guess in the meantime,
while I wait for the installation to get done, I am still wondering what
could be causing the ldifde failure.
FYI, I was doing a simple basic ldifde export. Something like:
ldifde -f foo -d "dc=mydomain,dc=com" -a
"dc=test1,cn=users,cn=mydomain,dn=com" *
ldifde was successful if I made user "test1" a member of the
"Administrators" group. If I removed "test1" from the "Administrators"
group, the ldifde would fail.
Will post back in a bit...
Thanks again,
Jim
"Joe Kaplan (MVP - ADSI)" wrote:
Are you sure it is the bind that is failing and not some other operation?
Any user with a valid password who is not expired, disabled, locked out,
etc. should be able to do an LDAP simple (or preferably secure) bind.
Try
it with ldp.exe.
You might also consider providing and example of what you were doing.
Joe K.
"ohaya" <ohaya@xxxxxxxxx> wrote in message
news:1145639715.954223.239270@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have a Win2K3 Server with AD. I am trying to do an LDAP simple bind
and am testing using ldifde.
I created a new user "test1" in ADUC, which is a member of Domain
Users, but when I try to use ldifde with this user using a simple bind,
I am getting a failure.
If I make the "test1" user a member of Administrators, the ldifde/bind
works.
What do I need to do so that "test1" can successfully do the LDAP bind?
Thanks,
Jim
- Follow-Ups:
- Re: Non-Administrator users Can't do LDAP bind to AD
- From: Joe Kaplan \(MVP - ADSI\)
- Re: Non-Administrator users Can't do LDAP bind to AD
- References:
- Non-Administrator users Can't do LDAP bind to AD
- From: ohaya
- Re: Non-Administrator users Can't do LDAP bind to AD
- From: Joe Kaplan \(MVP - ADSI\)
- Re: Non-Administrator users Can't do LDAP bind to AD
- From: ohaya
- Re: Non-Administrator users Can't do LDAP bind to AD
- From: Joe Kaplan \(MVP - ADSI\)
- Re: Non-Administrator users Can't do LDAP bind to AD
- From: ohaya
- Non-Administrator users Can't do LDAP bind to AD
- Prev by Date: Exchange 2000 SP2 on Windows 2000 SP4 in a W2K3 domain
- Next by Date: Access is Denied on domain admin console login
- Previous by thread: Re: Non-Administrator users Can't do LDAP bind to AD
- Next by thread: Re: Non-Administrator users Can't do LDAP bind to AD
- Index(es):
Relevant Pages
|
