- Remove From My Forums
-
Question
-
I am writing an LDAP client.
When I do an ldap_bind_s with LDAP_AUTH_SIMPLE as follows it succeeds.
ldapRetCd = ldap_bind_s(ldapSession, TEXT("Administrator"), TEXT("password"), LDAP_AUTH_SIMPLE);However, I would prefer to use LDAP_AUTH_DIGEST for the obvious sorts of reasons. However when I run the following code it fails with a 0x31:
TCHAR identUserid[] = TEXT("Administrator"); TCHAR identDomain[] = TEXT("mydomain.com"); TCHAR identPassword[] = TEXT("password"); SEC_WINNT_AUTH_IDENTITY winIdent = {(unsigned short __RPC_FAR*)identUserid, // user elementsof(identUserid)-1, // user id length (unsigned short __RPC_FAR*)identDomain, // domain or workgroup elementsof(identDomain)-1, // domain name length (unsigned short __RPC_FAR*)identPassword, // password elementsof(identPassword)-1, // password length SEC_WINNT_AUTH_IDENTITY_UNICODE}; // flags ldapRetCd = ldap_bind_s(ldapSession, NULL, (TCHAR *)&winIdent, LDAP_AUTH_DIGEST);
Notes:
UNICODE is in effect.
elementsof(a) is defined as sizeof(a) / sizeof(a[0])
The winIdent struct «looks right» in the debugger.
myDomain.com is what the LDAP server shows as its domain in My ComputerProperties. (The client is on Workgroup MSHOME if that matters.)
Client is XP Pro; LDAP Server is Windows 2003 Server.
Everything else is the same between the LDAP_AUTH_SIMPLE that works and the LDAP_AUTH_DIGEST that fails.
I don’t really know what to look for. Help is appreciated.
Charles
Answers
-
Well, I just read that Digest-MD5 is like the must-have for an LDAP server v3 be considered v3. So I guess Active Directory supports it. The question would be: Is it enabled? Because by default, Active Directory uses the much better
Kerberos authentication. It would not surprise me one bit if AD did not accept any other form of authentication out of the box. Check with a MCSE or the network administrator to find out if Digest-MD5 is enabled/supported.And I’m sorry, but I don’t know much about LDAP or LDAP clients. I cannot recommend one. The LDAP I use allows anonymous access (Critical Path) or if I use AD, I connect using Kerberos.
MCP
-
Marked as answer by
Monday, March 21, 2011 11:50 PM
-
Marked as answer by
-
Hi. Just read a bit more. Found this: http://www.seapine.com/kb/questions/1626/Seapine+License+Server+Cannot+Query+Active+Directory+Servers+Using+DIGEST-MD5+Password+Encryption.
It seems that the Digest-MD5 protocol requires that the password of the user account being used be stored in reversible encryption. I know for a fact that by default, Active Directory user accounts do NOT store the password in a reversible manner.
So yes, you are most likely getting error 0x31 because the user account’s password is not stored in reversible encryption mode.
MCP
-
Marked as answer by
tsrCharles
Monday, March 21, 2011 11:50 PM
-
Marked as answer by
I’m trying to connect to AD in Windows Server 2008 according to these instructions from MSDN. Until calling ldap_bind_s all is ok, but then I got error with 0x31 code(The supplied credential is invalid).
Username and password are correct, I’ve checked for several times.
Using C++ MSVS 2015. Here is my code sample.
PWSTR host_name = L"ad.server.ip.address";
LDAP* pLdapConnection = NULL;
pLdapConnection = ldap_init(host_name, LDAP_PORT);
if (pLdapConnection == NULL)
{
printf("ldap_init failed with 0x%x.n", LdapGetLastError());
ldap_unbind(pLdapConnection);
return -1;
}
else
printf("ldap_init succeeded n");
ULONG version = LDAP_VERSION3;
ULONG lRtn = 0;
lRtn = ldap_set_option(
pLdapConnection,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&version);
if (lRtn == LDAP_SUCCESS)
printf("ldap version set to 3.0 n");
else
{
printf("SetOption Error:%0lXn", lRtn);
ldap_unbind(pLdapConnection);
return hr;
}
lRtn = ldap_connect(pLdapConnection, NULL);
if (lRtn == LDAP_SUCCESS)
printf("ldap_connect succeeded n");
else
{
printf("ldap_connect failed with 0x%lx.n", lRtn);
ldap_unbind(pLdapConnection);
return -1;
}
PWSTR pMyDN = L"DC=ad,DC=domain,DC=name";
SEC_WINNT_AUTH_IDENTITY secIdent;
//adm@ad.domain.name
unsigned short login[18] = { 'a', 'd', 'm', '@', 'a', 'd', '.', 'd', 'o', 'm', 'a', 'i', 'n', '.', 'n', 'a', 'm', 'e' }; //18
secIdent.User = login;
secIdent.UserLength = 18;
//mypassword
unsigned short password[10] = { 'm', 'y', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' }; //10
secIdent.Password = password;
secIdent.PasswordLength = 10;
//ad.domain.name
unsigned short domain[14] = { 'a', 'd', '.', 'd', 'o', 'm', 'a', 'i', 'n', '.', 'n', 'a', 'm', 'e' }; //14
secIdent.Domain = dmn;
secIdent.DomainLength = 14;
secIdent.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
lRtn = ldap_bind_s(
pLdapConnection, // Session Handle
pMyDN, // Domain DN
(PWCHAR)&secIdent, // Credential structure
LDAP_AUTH_NEGOTIATE); // Auth mode
if (lRtn == LDAP_SUCCESS)
{
printf("ldap_bind_s succeeded n");
secIdent.Password = NULL; // Remove password pointer
pPassword = NULL; // Remove password pointer
}
else
{
printf("ldap_bind_s failed with 0x%lx.n", lRtn);
ldap_unbind(pLdapConnection);
return -1;
}
Console output:
ldap_init succeeded
ldap version set to 3.0
ldap_connect succeeded
ldap_bind_s failed with 0x31.
Cannot execute query. Cannot bind to LDAP
It seems to me that the error can be occured by encoding or domain name. But according to this answer, domain field in SEC_WINNT_AUTH_IDENTITYstructure is ignored. Also I tried to set secIdent.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; without any result.
UPD.
Below is PHP code snippet that performs successful connection to same AD Server
$this->c = ldap_connect("ad.server.ip.address");
ldap_set_option($this->c, LDAP_OPT_PROTOCOL_VERSION, 3);
$r = ldap_bind($this->c,'adm@ad.domain.name','mypassword');
��������� �������:
1. ������ ������� ������� �����.
2. �������� ��� — ������ ������������ � �������� �������.
3. ������������ ��������, ��������, ������� ����� ��������� ������ ������̣���� ��������, ���� ���� �� ������ ��������.
��������� �������:
1. ��� ���������� ������ — ���� ��� ��������� ��������� � LDIF (��� �������� ����������/������) ��� ������ � �������� ��������� (�����������).
�������������� �����: unable to get TLS Client DN (���������� �������� DN ������� TLS).
��������� �������:
1. �� ������������ ���������� ������� � ������, ���� ��������� TLSVerifyClient ����������� � ‘demand’.
2. �� ������������ ���������� ������� � ������, ���� ��������� TLSVerifyClient ����������� � ‘never’. � ���� ������ ������ ��������� �� ������ �� �������� ��������� � ������������ ������� ������������.
�������������� �����: no global superior knowledge (��� �������� � ���������� ����������� ��������) — ��� ������, ������� ���������� �������� ��� ��������������, �� ��������� �� � ����� �� ���������� ���������� � � ������� ��� ���������� ������� �� ����������� �������.
��������� �������: �� ����� ������� olcSuffix (��������� suffix � slapd.conf) ��� DIT, �� ������� �ģ� ������.
�������������� �����: Shadow context; no update referral (������� �������� (�������); ������� ��� ���������� ���������� �� �������) — DIT, � ������� ���������� ������� ���������, �������� �������� � ������ «������ ��� ������», �, ��-�� ���������� ��������� updateref, ���������� ���������� �������.
��������� �������:
1. ���� ������� ���������� ������ � ������� «������ ��� ������» (� ������������ syncrepl ����������� ������ � ������ «������ ��� ������»).
2. � ������������ syncrepl multi-master � ����� slapd.conf �������� ��������� ��������� mirrormode true.
3. ���� slapd ��� ������� ����������� ���� slapd.conf, � ���������� slapd.d (cn=config) ����� ����������, �� ��� ����������� ������������ DIT ����� ��������� ������ � ������� ����� ���������. � ���������, � FreeBSD ��������� ������� ������ �������� � rc.conf (slapd_cn_config=»YES») ��� ��������������� ������������� slapd.d.
��������� �������:
������� �������� �������� (�������� � cn=config), �������� �������� ���������.
�������������� �����: olcDbDirectory: value #0: invalid path: No such file or directory
��������� �������: ����� �������������� ����� ���� ������ ���������� ��� ţ ���������� ������ ������������.
- LDAP configuration
- Active Directory configuration
- OpenLDAP configuration
- Troubleshooting
LDAP configuration¶
In this guide, we will show how to configure LDAP authorization for EspoCRM. Let’s go.
Go to your LDAP server and create a base DN for the EspoCRM users like:
cn=espo-users,ou=users,dc=espo,dc=local
We have to create a system user that will have access to the users DN (“cn=espo-users,ou=users,dc=espo,dc=local”). So, the full DN for this system user will be:
cn=LDAP User,cn=espo-users,ou=users,dc=espo,dc=local
Now, we can add LDAP user to access EspoCRM. E.g. Espo Tester with the username “tester” inside the “cn=espo-users,ou=users,dc=espo,dc=local” DN. Please note: to be able to use this login format for EspoCRM, you have to specify the “Username Attribute” and “Base DN” options.
Then, go to EspoCRM Authentication settings in the Administrator panel, select the LDAP method and fill in the LDAP details:
- Host – LDAP IP or host name.
- Port – connection port.
- Auth – access credentials for the LDAP server:
- Full User DN – the full system user DN which allows to search other users.
* Password – the password to access the LDAP server.
* Security – SSL or TSL protocol. - Username Attribute – The attribute to identify the user.
E.g. for Active Directory: «userPrincipalName» or «sAMAccountName»,for OpenLDAP: «uid» . - Account Canonical Form – the type of your account canonical form. There are 4 options:
*Dn– the form in the formatCN=tester,CN=Espocrm,DC=company,DC=com.
*Username– the formtester.
*Backslash– the formCOMPANYtester.
*Principal– the formtester@company.com. - User ObjectClass – ObjectClass attribute for searching users. E.g. for Active Directory: «person», for OpenLDAP: «inetOrgPerson».
- Bind Requires Dn – if there is a need to format the username in the DN form.
- Base Dn – the default base DN which is used for searching users.
- User Login Filter – the filter which allows to restrict users who are able to use EspoCRM. E.g.
memberOf=cn=espoGroup,cn=espo-users,ou=users,dc=espo,dc=local. - Try Username Split – the option to split a username with the domain.
- Opt Referrals – if referrals should be followed to the LDAP client.
- Create User in EspoCRM – this option allows EspoCRM to create a user from the LDAP.
* User First Name Attribute – LDAP attribute which is used to determine the user’s first name.
* User Last Name Attribute – LDAP attribute which is used to determine the user’s last name.
* User Title Attribute – LDAP attribute which is used to determine the user title.
* User Email Address Attribute – LDAP attribute which is used to determine the user’s email address.
* User Phone Number Attribute – LDAP attribute which is used to determine the user’s phone number.
* User Teams – Teams for created user. For more, see user profile.
* User Default Team – Default team for created user. For more, see user profile. - Use LDAP Authentication for Portal Users – Allow portal users to use LDAP authentication instead of Espo authentication.
* Default Portals for a Portal User – Default Portals for created Portal User.
* Default Roles for a Portal User – Default Roles for created Portal User.
Note, for the first LDAP user login (both system and portal) the Create User in EspoCRM parameter should be checked. Otherwise it won’t be able to login.
Now, go to the login page and enter user credentials.
User has been authenticated and automatically created in the EspoCRM.
Troubleshooting¶
This error occurs when the wrong Account Canonical Form or Username Attribute are specified.
The correct values are:
— Account Canonical Form: Principal or Username.
— Username Attribute: sAMAccountName
The full Active Directory configuration, see in the documentaion.
I’m trying to set up an openLdap server and after following the instructions I’m stuck at the point where I can’t add any data.
The error I’m getting is
ldap_bind: Invalid credentials (49)
Please help me in this issue. And be patient while reading the debug data and the slapd.conf file because they are quite long.
My system is: Red Hat Enterprise Linux 6.0
Installed openLdap using yum openldap*.
Here is my slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
## To load this module, you have to install openldap-server-sql first
# moduleload back_sql.la
## Following two modules can't be loaded simultaneously
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix dc=ttsbroot,dc=teleotele
#checkpoint 1024 15
rootdn cn=shamal,dc=ttsbroot,dc=teleotele
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {crypt}49/WKVk.6oz3o
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
# enable monitoring
database monitor
# allow onlu rootdn to read the monitor
access to * by * write by * read by * search by * auth
I’m adding the debug data returned when I added -d 255 argument.
[root@TTSBROOT Documents]# ldapadd -D "cn=shamal,dc=TTSBROOT,dc=teleotele" -W -x -a -f teleotele.ldif -d 255
ldap_create
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x18345d0 ptr=0x18345d0 end=0x1834612 len=66
0000: 30 84 00 00 00 3c 02 01 01 60 84 00 00 00 33 02 0....<...`....3.
0010: 01 03 04 22 63 6e 3d 73 68 61 6d 61 6c 2c 64 63 ..."cn=shamal,dc
0020: 3d 54 54 53 42 52 4f 4f 54 2c 64 63 3d 74 65 6c =TTSBROOT,dc=tel
0030: 65 6f 74 65 6c 65 80 0a 73 68 61 6d 61 6c 31 32 eotele..shamal12
0040: 33 34 34
ber_scanf fmt ({i) ber:
ber_dump: buf=0x18345d0 ptr=0x18345d9 end=0x1834612 len=57
0000: 60 84 00 00 00 33 02 01 03 04 22 63 6e 3d 73 68 `....3...."cn=sh
0010: 61 6d 61 6c 2c 64 63 3d 54 54 53 42 52 4f 4f 54 amal,dc=TTSBROOT
0020: 2c 64 63 3d 74 65 6c 65 6f 74 65 6c 65 80 0a 73 ,dc=teleotele..s
0030: 68 61 6d 61 6c 31 32 33 34 hamal1234
ber_flush2: 66 bytes to sd 4
0000: 30 84 00 00 00 3c 02 01 01 60 84 00 00 00 33 02 0....<...`....3.
0010: 01 03 04 22 63 6e 3d 73 68 61 6d 61 6c 2c 64 63 ..."cn=shamal,dc
0020: 3d 54 54 53 42 52 4f 4f 54 2c 64 63 3d 74 65 6c =TTSBROOT,dc=tel
0030: 65 6f 74 65 6c 65 80 0a 73 68 61 6d 61 6c 31 32 eotele..shamal12
0040: 33 34 34
ldap_write: want=66, written=66
0000: 30 84 00 00 00 3c 02 01 01 60 84 00 00 00 33 02 0....<...`....3.
0010: 01 03 04 22 63 6e 3d 73 68 61 6d 61 6c 2c 64 63 ..."cn=shamal,dc
0020: 3d 54 54 53 42 52 4f 4f 54 2c 64 63 3d 74 65 6c =TTSBROOT,dc=tel
0030: 65 6f 74 65 6c 65 80 0a 73 68 61 6d 61 6c 31 32 eotele..shamal12
0040: 33 34 34
ldap_result ld 0x182c3e0 msgid 1
wait4msg ld 0x182c3e0 msgid 1 (infinite timeout)
wait4msg continue ld 0x182c3e0 msgid 1 all 1
** ld 0x182c3e0 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Apr 22 14:24:17 2011
** ld 0x182c3e0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x182c3e0 request count 1 (abandoned 0)
** ld 0x182c3e0 Response Queue:
Empty
ld 0x182c3e0 response count 0
ldap_chkResponseList ld 0x182c3e0 msgid 1 all 1
ldap_chkResponseList returns ld 0x182c3e0 NULL
ldap_int_select
read1msg: ld 0x182c3e0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 84 00 00 00 10 02 01 0.......
ldap_read: want=14, got=14
0000: 01 61 84 00 00 00 07 0a 01 31 04 00 04 00 .a.......1....
ber_get_next: tag 0x30 len 16 contents:
ber_dump: buf=0x1835a50 ptr=0x1835a50 end=0x1835a60 len=16
0000: 02 01 01 61 84 00 00 00 07 0a 01 31 04 00 04 00 ...a.......1....
read1msg: ld 0x182c3e0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x1835a50 ptr=0x1835a53 end=0x1835a60 len=13
0000: 61 84 00 00 00 07 0a 01 31 04 00 04 00 a.......1....
read1msg: ld 0x182c3e0 0 new referrals
read1msg: mark request completed, ld 0x182c3e0 msgid 1
request done: ld 0x182c3e0 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x1835a50 ptr=0x1835a53 end=0x1835a60 len=13
0000: 61 84 00 00 00 07 0a 01 31 04 00 04 00 a.......1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x1835a50 ptr=0x1835a60 end=0x1835a60 len=0
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)


