I am attempting to write an LDAP client on z/OS that will bind to AD running
on Windows 2003 Server using the C API. The ldap_init() returns 0 and seems
to connect OK (the only problem I have with this is that I tried an invalid
server name and still got a return code 0). When I issue the
ldap_sasl_bind()/ldap_request(), I get an error back indicating that the
user is not defined (return code 49, data 525 error). For the DN string
("who" parameter), I have tried "cn=user.name,o=company,c=US",
"uid=user.name", etc. (everything I can think of anyway) in both codepage
1047 and 1252 all with the same results. BTW, when I use the invalid LDAP
server name, I get a completely different error so apparently, the
connection is fine.
Has anyone been successful with this and if so, what the heck am I doing wrong?
Thanks in advance,
Mark Hammack
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to list...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
IIRC, the "cn=xxx" are arbitrary strings that must exactly match those coded in the server.
A 'user not defined' would be expected unless the ID you present is defined on the server as one with LDAP privileges. Actually, I would expect a 'user not defined' kind of error from Windows upon any number of issues, to include syntax errors, password error, expired password, etc etc etc.
I'm not sure, but I think Windows' 'flavor' of LDAP may expect to see a suitably privileged 'bind' ID/password along with the ID/password in question. And, of course, that may also trigger a 'user not defined' response if not done correctly :-)
HTH
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@bama.ua.edu] On Behalf Of Mark Hammack
Sent: Tuesday, April 06, 2010 2:07 PM
To: IBM-...@bama.ua.edu
Subject: z/OS LDAP client to Windows LDAP server
I searched (maybe don't know what to ask) so if this has been discussed,
please point me in the right direction.
>I am attempting to write an LDAP client on z/OS that will bind to AD running
>on Windows 2003 Server using the C API. The ldap_init() returns 0 and seems
>to connect OK (the only problem I have with this is that I tried an invalid
>server name and still got a return code 0). When I issue the
>ldap_sasl_bind()/ldap_request(), I get an error back indicating that the
>user is not defined (return code 49, data 525 error). For the DN string
>("who" parameter), I have tried "cn=user.name,o=company,c=US",
>"uid=user.name", etc. (everything I can think of anyway) in both codepage
>1047 and 1252 all with the same results. BTW, when I use the invalid LDAP
>server name, I get a completely different error so apparently, the
>connection is fine.
In order to bind, you have to have a valid dn ("who"). To get a valid dn,
you search() on something unique like "mail=user...@company.com". Then
you bind using the returned DN. Bind() will not do an implicit search().
The set of attributes that constitute a dn are defined by the schema (I
can't figure out what to search in the schema to find it, though).
cn=my name,ou=place,o=company,c=us is common, but there are others. Talk to the
LDAP owner.
Alan Altmark
z/VM Development
IBM
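An added example, not code from the thread or from IBM's z/OS LDAP client, that ties together two points made above: the "return code 49, data 525" in the original post is AD's invalidCredentials result carrying a sub-code that means the account named in the bind was not found, and Alan's advice to search for the entry first and then bind with the DN the server hands back (after a privileged service-account bind, as the earlier reply suggests). The sub-code decoder and the filter escaping run offline on a constructed sample of the AD diagnostic string; lookup_and_bind needs an LDAP client library and uses OpenLDAP-style call names, which is an assumption (the z/OS API may spell them differently). All function and parameter names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Added example, not code from the thread: decode the "data NNN" sub-code AD
 * appends to result 49 (invalidCredentials) and do the search-then-bind sequence
 * the reply describes. All function and parameter names are hypothetical. */

/* Meaning of AD's hex sub-code, or NULL if it is not one in the table. */
const char *ad_subcode_meaning(const char *subcode) {
    static const struct { const char *code, *meaning; } table[] = {
        {"525", "user not found (DN or name does not exist)"},
        {"52e", "invalid credentials (wrong password)"},
        {"530", "not permitted to log on at this time"},
        {"531", "not permitted to log on at this workstation"},
        {"532", "password expired"}, {"533", "account disabled"}, {"701", "account expired"},
        {"773", "user must reset password"}, {"775", "account locked out"},
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].code, subcode) == 0) return table[i].meaning;
    return NULL;
}
/* Copy the hex digits following "data " in a diagnostic string into out,
 * lower-cased and NUL-terminated. Returns 1 on success, 0 if absent. */
int ad_extract_subcode(const char *diag, char *out, size_t outlen) {
    const char *p = diag ? strstr(diag, "data ") : NULL; size_t n = 0;
    if (!p) return 0;
    for (p += 5; p[n] && isxdigit((unsigned char)p[n]); n++) ;
    if (n == 0 || n + 1 > outlen) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 1;
}
/* One-call form: meaning of the sub-code embedded in a diagnostic message. */
const char *ad_diag_meaning(const char *diag) {
    char code[8];
    return ad_extract_subcode(diag, code, sizeof code) ? ad_subcode_meaning(code) : NULL;
}
/* RFC 4515 escaping, so a login name copied from input cannot change the
 * structure of "(mail=<value>)". Returns the escaped length, 0 if out (outlen >= 1)
 * is too small. */
size_t ldap_filter_escape(const char *in, char *out, size_t outlen) {
    size_t j = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c >= 0x80) {
            if (j + 4 > outlen) return 0;
            sprintf(out + j, "\\%02x", c);
            j += 3;
        } else {
            if (j + 2 > outlen) return 0;
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return j;
}
/* "(attr=value)" with the value escaped; static buffer, so not thread-safe. */
const char *make_filter(const char *attr, const char *value) {
    static char filter[512];
    char esc[256];
    if (!ldap_filter_escape(value, esc, sizeof esc) && *value) return NULL;
    snprintf(filter, sizeof filter, "(%s=%s)", attr, esc);
    return filter;
}

#ifdef HAVE_LDAP_H  /* needs an LDAP client library; OpenLDAP-style names assumed */
#include <ldap.h>
/* Bind with a service account (AD normally refuses anonymous searches), find
 * the entry by a unique attribute, then bind as the DN the server returned. */
int lookup_and_bind(const char *uri, const char *base, const char *svc_dn,
                    const char *svc_pw, const char *mail, const char *user_pw) {
    LDAP *ld = NULL; LDAPMessage *res = NULL, *e; int v3 = LDAP_VERSION3, rc;
    struct berval cred = { strlen(svc_pw), (char *)svc_pw };
    char *dn, *diag = NULL;
    const char *filter = make_filter("mail", mail);
    if (!filter || ldap_initialize(&ld, uri) != LDAP_SUCCESS) return -1;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &v3);
    rc = ldap_sasl_bind_s(ld, svc_dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
    if (rc == LDAP_SUCCESS)
        rc = ldap_search_ext_s(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, 0,
                               NULL, NULL, NULL, 1, &res);
    if (rc == LDAP_SUCCESS && (e = ldap_first_entry(ld, res)) != NULL) {
        dn = ldap_get_dn(ld, e);   /* the DN the server knows the user by */
        cred.bv_val = (char *)user_pw; cred.bv_len = strlen(user_pw);
        rc = ldap_sasl_bind_s(ld, dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
        if (rc == LDAP_INVALID_CREDENTIALS &&
            ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &diag) == LDAP_OPT_SUCCESS) {
            const char *why = ad_diag_meaning(diag);
            fprintf(stderr, "bind as %s failed: %s\n", dn, why ? why : diag);
            ldap_memfree(diag);
        }
        ldap_memfree(dn);
    } else if (rc == LDAP_SUCCESS) rc = LDAP_NO_SUCH_OBJECT;
    ldap_msgfree(res);
    ldap_unbind_ext_s(ld, NULL, NULL);
    return rc;
}
#endif

int main(void) {  /* offline demo on a constructed sample of the AD diagnostic */
    const char *diag = "80090308: LdapErr: DSID-0C09030B, comment: "
                       "AcceptSecurityContext error, data 525, v893";
    printf("result 49, data 525 -> %s\n", ad_diag_meaning(diag));
    printf("%s\n", make_filter("mail", "user*)(objectClass=*"));
    return 0;
}
```

Build the offline part with a plain C compiler; add -DHAVE_LDAP_H and link against the LDAP library to include lookup_and_bind. The sub-code table holds the documented AD values: 525 is what the original post reports and means the name in the bind request did not resolve to any account, while a correct DN with a wrong password yields 52e, so the two cases can be told apart from the diagnostic text even though both arrive as result 49. The escaping matters because the search step turns whatever the caller supplies as the login name into a filter; without it a value such as "user*)(objectClass=*" would alter the query instead of being matched literally.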