Invalid DN problem


John Mitchell

May 4, 2011, 8:51:21 PM
to vt-middleware-users
All,

I am trying to authenticate to an AD LDAP server and I am getting
the following:

[DEBUG] LdapLoginModule - Authentication failed
<javax.naming.AuthenticationException: Cannot authenticate dn, invalid
dn>javax.naming.AuthenticationException: Cannot authenticate dn,
invalid dn

The credentials work just fine with an openldap ldapsearch command
using the same basedn, binddn, credentials, and what not. So I am
pretty sure the binddn and credentials are right, so I am at a loss as
to what's up. Can you give me some steps to try and debug my config to
see what's up? I tried using jdb for this but I am not a really great
Java hacker. Thanks for the help.

--
John

Daniel Fisher

May 4, 2011, 9:46:43 PM
to vt-middle...@googlegroups.com
That error indicates that DN resolution failed. By default
authentication includes both resolving the user DN and then binding as
that DN. A typical AD config would include:

baseDn="ou=users,dc=example,dc=org"
subtreeSearch="true"
userFilter="sAMAccountName={0}"
bindDn="cn=my-service...."
bindCredential="******"

The baseDn would be searched using the supplied filter to resolve the
user's DN. The bindDn and bindCredential are used if privileged access
is required to search and read the user's DN. If your user data can be
anonymously accessed then the bindDn and bindCredential properties are
not needed. You can customize the DnResolver if this isn't the
workflow you want.

--Daniel Fisher
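The two-step flow Daniel describes (search under baseDn with the userFilter to resolve the user's DN, then bind as that DN) as an added illustration, not vt-ldap code: it runs over a constructed in-memory directory and assumes the default search is one level deep, so that a user under a nested OU is only found once subtreeSearch is enabled.

```python
# Added example (not vt-ldap's own code): models DN resolution followed by a
# bind, using a constructed directory, to show why a one-level search under
# baseDn misses users in nested OUs while a subtree search finds them.
from typing import Optional

# Constructed sample directory: DN -> (sAMAccountName, password)
DIRECTORY = {
    "cn=svc,ou=users,dc=example,dc=org": ("svc", "s3cret"),
    "cn=alice,ou=staff,ou=users,dc=example,dc=org": ("alice", "hunter2"),
}


def _rdns(dn: str) -> list:
    """Split a DN into normalised RDNs (enough for the simple DNs above)."""
    return [p.strip().lower() for p in dn.split(",")]


def _is_under(dn: str, base: str, subtree: bool) -> bool:
    """True if dn is one level below base (or anywhere below, if subtree)."""
    d, b = _rdns(dn), _rdns(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    return subtree or len(d) == len(b) + 1


def resolve_dn(user: str, base_dn: str, subtree_search: bool = False) -> Optional[str]:
    """Equivalent of searching baseDn with userFilter sAMAccountName={0}."""
    matches = [dn for dn, (sam, _) in DIRECTORY.items()
               if sam == user and _is_under(dn, base_dn, subtree_search)]
    return matches[0] if len(matches) == 1 else None  # exactly one hit or nothing


def authenticate(user: str, password: str, base_dn: str, subtree_search: bool = False) -> bool:
    """Resolve the DN, then 'bind' as it; no DN means the bind cannot happen."""
    dn = resolve_dn(user, base_dn, subtree_search)
    if dn is None:
        # The search returned nothing, so there is no DN to bind as; this is
        # the situation behind "Cannot authenticate dn, invalid dn".
        raise ValueError("Cannot authenticate dn, invalid dn")
    return DIRECTORY[dn][1] == password  # simple bind as the resolved DN


if __name__ == "__main__":
    base = "ou=users,dc=example,dc=org"
    print(authenticate("alice", "hunter2", base, subtree_search=True))  # True
    try:
        authenticate("alice", "hunter2", base)  # one-level search misses ou=staff
    except ValueError as err:
        print(err)
```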

John Mitchell

May 5, 2011, 1:42:48 PM
to vt-middle...@googlegroups.com
Daniel,

On Wed, May 4, 2011 at 5:46 PM, Daniel Fisher <dfi...@gmail.com> wrote:
> That error indicates that DN resolution failed. By default
> authentication includes both resolving the user DN and then binding as
> that DN. A typical AD config would include:
>
> baseDn="ou=users,dc=example,dc=org"
> subtreeSearch="true"
> userFilter="sAMAccountName={0}"
> bindDn="cn=my-service...."
> bindCredential="******"
>
> The baseDn would be searched using the supplied filter to resolve the
> user's DN. The bindDn and bindCredential are used if privileged access
> is required to search and read the user's DN. If your user data can be
> anonymously accessed then the bindDn and bindCredential properties are
> not needed. You can customize the DnResolver if this isn't the
> workflow you want.

Adding subtreeSearch="true" did the job. I guess that's not exactly
clear in how the various LDAP client products I have used do
authentication. I wonder if they are doing some kind of implicit
basedn lookup to do DN resolution. Guess there is always more to learn
about any given topic. Anyway, thanks a bunch, that got me going.
Also, thanks for the great test scripts in the vt-ldap distro.
They are great for testing configurations outside of applications for
diagnostics!


--
John P. Mitchell <jpmit...@alaska.edu>
907.450.8320
http://www.alaska.edu/oit/iam
