Users
Q. Why can't I log on to ADAM as a user that I just created?
A. By default, an ADAM instance running on Windows Server 2003 automatically enforces any local or domain password policies that exist. If you create a new ADAM user and assign a password to that user that does not meet the requirements of the password policy that is in effect, the user will be disabled by default. To enable the user, you must assign a password that meets the password policy requirements and then enable the user. For information about enabling an ADAM user, see “To disable or enable an ADAM user” in the ADAM Administrator’s Guide. To open the ADAM Administrator’s Guide, click Start, point to All Programs, point to ADAM, and then click ADAM Help.

Q. How do I change a user password in ADAM?
A. For information about how to change ADAM user passwords, see “To set or modify the password of an ADAM user” in the How To section of the ADAM Administrator’s Guide. To open the ADAM Administrator's Guide, click Start, point to All Programs, point to ADAM, and then click ADAM Help. Note: You cannot change the password of an Active Directory security principal through ADAM. You can only change the password of ADAM security principals.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 19, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fw: perl-ldap with ADAM
Those are very good questions. I think I have a part of the answer. I have tried adding a user to cn=Readers,cn=Roles... and have tried binding as that user. I do not know how to manipulate the password for the user object though and so when I bind without one it acts the same as when I bind anonymously.
"Mulnick, Al" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/16/2004 02:22 PM
Casual observation? Where's the password listed and what are you binding as?
How about turning up the logging during the bind and search and ensure that you are binding as an authenticated user and that your search string is being passed the way you think it is?
Al
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fw: perl-ldap with ADAM
Hello,
I sent this help request to a perl-ldap list and it was indicated that the problem may be ADAM specific. The details are:
I have set up a MS ADAM instance named cn=examplename,st=wv,c=us. On
install, the LostAndFound, Roles, and NTDS Quotas objects were created
with dn's CN=LostAndFound,CN=examplename,ST=wv,C=us, CN=NTDS
Quotas,CN=examplename,ST=wv,C=us, and CN=Roles,CN=examplename,ST=wv,C=us.
This all displays successfully in ADAM ADSI Edit.
I then added via importing an ldif file a couple of object instances with
dn's CN=WVAdmin,CN=examplename,ST=wv,C=us and
CN=WVAdmin2,CN=examplename,ST=wv,C=us. These both also display
successfully in ADAM ADSI Edit.
So then I attempt to use perl-ldap to perform a search like this:
use strict;
use warnings;
use Net::LDAP;

my $ldap = Net::LDAP->new('localhost') or die "$@";
# bind with no DN and no password, i.e. an anonymous bind
$ldap->bind( version => 3 );
my $mesg = $ldap->search( base   => "C=us",
                          filter => "objectClass=*",
                        );
# search() always returns a result object, so test its code rather than "or die"
die "Failed on search: " . $mesg->error if $mesg->code;
foreach my $entry ($mesg->all_entries)
{
    $entry->dump;
}
$ldap->unbind;
The result is no entries. I have also tried narrowing the base to
CN=examplename,ST=wv,C=us with no benefit.
Additionally, I tried binding
to cn=WVAdmin,cn=examplename,st=wv,c=us which does return a single result
with dn=examplename,st=wv,c=us.
Note that all of the above search attempts resulted in a return code of 0 indicating success.
Any ideas what could be the problem would be greatly appreciated.
Thank you,
Sonya
----- Forwarded by Sonya Lowry/stc on 07/16/2004 01:07 PM -----
Chris Ridd <[EMAIL PROTECTED]>
07/16/2004 10:55 AM
On 16/7/04 6:13 pm, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Chris,
> Thanks for your help. Currently, I am binding with this line:
>
> $ldap->bind("cn=WVAdmin,cn=examplename,st=wv,c=us");
You need to add the arguments:
password => 'something'
to the bind, as otherwise you will be binding with a name and no password.
Typically that will succeed, but it'll be considered the same as anonymous.
However you're using MAD, which doesn't really implement LDAP in a very
standard way, so it might be doing things differently.
> and the return code is 0 which I understand indicates success. However,
> the search result is limited to the single object
> 'cn=examplename,st=wv,c=us' despite the presence of several objects with
> dn's like cn=<name>,cn=examplename,st=wv,c=us.
>
> I've suspected that maybe I simply don't understand the search mechanism.
> I had assumed that the base of cn=examplename,st=wv,c=us would direct the
> search through elements with dn's ending with the string '
> cn=examplename,st=wv,c=us' like
> cn=<name>,cn=examplename,st=wv,c=us. Is this a correct assumption?
It isn't quite the right way to think about it, as there are ways for the
search to process other entries too (eg by following aliases).
Think of it like directories on a disk, except that DNs are written
little-endian whereas file paths are written big-endian. A subtree search
essentially searches subdirectories. (Unless there's a link inside somewhere
that points to another subdirectory somewhere.)
Cheers,
Chris
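Putting Chris's two points together (bind with a password, and search the subtree below a base rather than the base entry alone), here is an added Net::LDAP script that is not part of the thread. It assumes the bind DN and naming context Sonya used, a server on localhost port 389, and a password supplied through an ADAM_PASSWORD environment variable; those values are placeholders for illustration. It also checks the result code of the bind and of each search, since an unauthenticated bind and an empty search both come back as "success" (code 0), which is exactly what made the original problem hard to see.

```perl
#!/usr/bin/perl
# Added example, not from the thread: authenticated bind plus searches at
# each scope against an ADAM instance, with result codes actually checked.
use strict;
use warnings;
use Net::LDAP;

my $host     = 'localhost';
my $port     = 389;                                      # assumed ADAM LDAP port
my $bind_dn  = 'cn=WVAdmin,cn=examplename,st=wv,c=us';  # DN used in the thread
my $base     = 'cn=examplename,st=wv,c=us';             # naming context from the thread
my $password = $ENV{ADAM_PASSWORD}                       # never hard-code the secret
    // die "set ADAM_PASSWORD in the environment\n";

my $ldap = Net::LDAP->new($host, port => $port, version => 3)
    or die "connect failed: $@\n";

# A bind that names a DN but carries no password is treated as anonymous
# even though it returns code 0; supplying password => ... makes it a real
# simple bind, and any failure is then reported in the result code.
my $mesg = $ldap->bind($bind_dn, password => $password);
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# search() always returns a Net::LDAP::Search object, so "or die" after it
# never fires; the LDAP result code lives in $mesg->code.
# scope 'base' returns only the base entry (what Sonya saw), 'one' its direct
# children, 'sub' the whole subtree. Net::LDAP defaults to 'sub'.
for my $scope (qw(base one sub)) {
    $mesg = $ldap->search(
        base   => $base,
        scope  => $scope,
        filter => '(objectClass=*)',
        attrs  => ['1.1'],    # request no attributes; we only want the DNs
    );
    die "search ($scope) failed: " . $mesg->error . "\n" if $mesg->code;

    printf "scope=%-4s -> %d entries\n", $scope, $mesg->count;
    print "  ", $_->dn, "\n" for $mesg->entries;
}

$ldap->unbind;
```

Run it as `ADAM_PASSWORD='...' perl adam_search.pl`. With the entries Sonya imported, the 'base' scope should list only cn=examplename,st=wv,c=us, while 'one' and 'sub' should also list WVAdmin, WVAdmin2, LostAndFound, NTDS Quotas and Roles; if 'sub' still returns only the base entry after the bind succeeds, the bound identity lacks read rights on the children (for example, the user is not a member of cn=Readers,cn=Roles,... or has been disabled by the password policy described at the top of this page).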
