Re: HELP! Really strange problem w/AD and LDAP/LDIFDE



Joe (et al),

I ended up having to go onsite, because our other guys were at different sites, and I tested changing the admin username format in the LDAP (simple) bind from the UPN format to the full DN format, and guess what?

The bind *WORKED*!!

We checked the AD at this one site, and it looks to be exactly the same Windows version, Windows 2003 Enterprise SP1, as the other FIVE sites where I've installed this same software, so we are REALLY puzzled about this.

I guess that I'm happy that it's working, but am still really befuddled as to why we had to use the full DN username format for the admin bind.

So to summarize:

- Six different environments, all using Win2K3 Enterprise SP1 with AD

- First five sites, my web app is configured with a UPN-formatted admin username to do the simple LDAP bind (myadmin@xxxxxxxxxxxx)

- This last site, when I configured my web app to use a UPN-formatted admin username (myadmin@whatever.com), the simple LDAP bind fails with INVALID_CREDENTIALS. When I change the admin username to full DN format (cn=myadmin,cn=users,dc=whatever,dc=com), the simple LDAP bind succeeds.

- Reminder: Using both UPN-formatted or full DN-formatted admin usernames with ldifde works in all six environments.

Question/Puzzle: What is it about that sixth site that allows the simple LDAP binds with the admin username to only work if the username is using full DN format?

Jim




Joe Kaplan wrote:
I don't suppose your web server LDAP stack can do Windows secure binds, can it? Like I said, I'm really unsure as to what is going on, but I can't remember seeing this issue when Windows auth is used in LDAP (GSS-SPNEGO SASL). As a .NET guy, I'm generally always using the MS LDAP APIs on a Windows OS machine to do my LDAP, so I generally don't run into these problems. I only use simple bind for ADAM, but I don't remember seeing issues with invalid passwords being accepted there either.

It may also be worth it to you to open a real PSS ticket and see if someone there can provide a more satisfactory answer.

Sorry I was less helpful this time, but perhaps that username syntax stuff will be useful. :)

Joe K.


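An added example, not code from the original thread or from any of the posters: a small stand-alone LDAPv3 simple-bind tester that hand-encodes the BindRequest, decodes the BindResponse, and pulls out the "data NNN" sub-code that Active Directory appends to its diagnosticMessage on a failed bind. That sub-code is what distinguishes "user not found" (525) from "bad password" (52e), which is exactly what you want to know when the same credential binds as a DN but not as a UPN. The host, names, password and the sample response below are constructed for illustration; the DSID in the sample is a placeholder. Note that a simple bind sends the password in the clear, so run this only against a lab DC or over LDAPS/StartTLS; Joe's suggestion of a GSS-SPNEGO (Windows) bind avoids that entirely.

```python
"""Constructed LDAPv3 simple-bind tester (added example, not from the thread).

Builds BindRequest PDUs for the bind-name forms AD accepts (full DN, UPN,
DOMAIN\\user), parses BindResponse PDUs, and decodes AD's 'data NNN'
sub-code.  All names, passwords and the sample response are made up.
"""
import re
import socket

# RFC 4511 resultCode values that matter for a bind.
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}

# AD puts an NTSTATUS-derived sub-code after 'data' in diagnosticMessage;
# resultCode 49 alone does not tell these cases apart.
AD_DATA_CODES = {"525": "user not found", "52e": "bad password (user found)",
                 "530": "logon hours restriction", "531": "workstation restriction",
                 "532": "password expired", "533": "account disabled",
                 "701": "account expired", "773": "must reset password",
                 "775": "account locked out"}


def classify_name(name: str) -> str:
    """Label the bind-name syntax: DN, UPN, NT4 (DOMAIN\\user) or bare name."""
    if "=" in name and "," in name:
        return "DN"
    if "@" in name:
        return "UPN"
    if "\\" in name:
        return "NT4"
    return "bare"


def ber_len(n: int) -> bytes:
    """BER length octets: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER for non-negative n."""
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, name, simple [0] } }."""
    bind = ber_tlv(0x60, ber_int(3)
                   + ber_tlv(0x04, name.encode("utf-8"))
                   + ber_tlv(0x80, password.encode("utf-8")))
    return ber_tlv(0x30, ber_int(message_id) + bind)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(pdu: bytes) -> dict:
    """Extract messageID, resultCode, matchedDN, diagnosticMessage and AD's sub-code."""
    tag, msg, _ = read_tlv(pdu)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = read_tlv(msg)
    tag, body, _ = read_tlv(msg, pos)
    assert tag == 0x61, "not a BindResponse"
    _, code, pos = read_tlv(body)            # ENUMERATED resultCode
    _, matched, pos = read_tlv(body, pos)    # LDAPDN matchedDN
    _, diag, _ = read_tlv(body, pos)         # LDAPString diagnosticMessage
    result = int.from_bytes(code, "big")
    text = diag.decode("utf-8", "replace")
    m = re.search(r"\bdata ([0-9a-f]+)", text)
    sub = m.group(1) if m else None
    return {"message_id": int.from_bytes(mid, "big"), "result_code": result,
            "result": RESULT_NAMES.get(result, str(result)),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": text, "ad_data": sub,
            "ad_reason": AD_DATA_CODES.get(sub) if sub else None}


def sample_ad_invalid_credentials(message_id: int = 1) -> bytes:
    """CONSTRUCTED BindResponse in the shape AD sends on a bad password
    (resultCode 49, 'data 52e').  The DSID is a placeholder, not real."""
    diag = ("80090308: LdapErr: DSID-XXXXXXXX, comment: "
            "AcceptSecurityContext error, data 52e, v1db1")
    body = ber_tlv(0x0A, b"\x31") + ber_tlv(0x04, b"") + ber_tlv(0x04, diag.encode())
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x61, body))


def simple_bind(host: str, name: str, password: str, port: int = 389) -> dict:
    """Send one plaintext simple bind (lab use only) and parse the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(bind_request(1, name, password))
        return parse_bind_response(s.recv(4096))


def compare_formats(host: str, password: str, *names: str) -> dict:
    """Bind with each name form in turn so a site-specific difference
    (UPN fails, DN works) shows up side by side with AD's reason code."""
    return {classify_name(n): (simple_bind(host, n, password)["result"],
                               simple_bind(host, n, password)["ad_reason"])
            for n in names}


if __name__ == "__main__":
    # Offline demonstration on the constructed response; the hostname is made up.
    print(parse_bind_response(sample_ad_invalid_credentials()))
    # compare_formats("dc01.whatever.com", "S3cret!", "myadmin@whatever.com",
    #                 "cn=myadmin,cn=users,dc=whatever,dc=com", "WHATEVER\\myadmin")
```

Against the sixth site, the thing to look at is the `ad_data` value returned for the UPN form: 525 would mean the DC could not resolve that UPN to an account at all (for instance a UPN suffix that differs from the DNS domain name), while 52e would mean it found the account and rejected the password.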
