Integrator LDAP Authentication

jyoung
Posts: 694
Joined: Thu Jan 21, 2016 6:43 am
Location: Oklahoma City, OK USA

Integrator LDAP Authentication

Post by jyoung »

Anyone have any examples on how to do LDAP authentication with the OpenLDAP service?

I am not well versed in LDAP and I am having some trouble getting it to work as it always comes back with invalid credentials even though I know the credentials are valid.

I think something is wrong with the DN in the bind, but have not been able to take any examples online and convert them to Integrator.

Our sys admin gave me the DC to our AD domain and recommends not using the exact OU for the user accounts.

I am binding to the service (it loads OK)

#JSMXCMD := 'SERVICE_LOAD SERVICE (OpenLDAPService) TRACE(*YES)'
use builtin(JSMX_COMMAND) with_args(#JSMXHDLE #JSMXCMD) to_get(#JSMXSTS #JSMXMSG)
#COM_OWNER.Check( #JSMXCMD #JSMXSTS #JSMXMSG )

#JSMXCMD := ('BIND HOST(&1) DN(cn=&2) PASSWORD(&3)').Substitute( #LDAPServer #Username #Password )
use builtin(JSMX_COMMAND) with_args(#JSMXHDLE #JSMXCMD) to_get(#JSMXSTS #JSMXMSG)
#COM_OWNER.Check( #JSMXCMD #JSMXSTS #JSMXMSG )
The trace output comes out like this:

=================== TRACE OPEN ===================
manager: version : 14.1.0
manager: date    : 2017-06-06 10:49:23 -0500

--------------------------------------------------
Process    : *COMPONENT
Function   : *COMP
Partition  : SYS
Job Name   : JOB002908
Job User   : JRYOUNG
Job Number : 002908
Command    : SERVICE_LOAD SERVICE(OpenLDAPService) TRACE(*YES)
Command    : OK "Service successfully loaded"
--------------------------------------------------

--------------------------------------------------
Process    : *COMPONENT
Function   : *COMP
Partition  : SYS
Job Name   : JOB002908
Job User   : JRYOUNG
Job Number : 002908
Command    : BIND DN(cn=HQ\JRYOUNG) PASSWORD(*****) HOST(********.com)
Use plain socket connection
Connect to : *********.com:389
Create bind constraints
Use simple bind mechanism
Authentication name : cn=HQ\JRYOUNG
Command    : ERROR "Invalid Credentials"
--------------------------------------------------

--------------------------------------------------
Process    : *COMPONENT
Function   : *COMP
Partition  : SYS
Job Name   : JOB002908
Job User   : JRYOUNG
Job Number : 002908
Command    : UNBIND
Command    : OK ""
--------------------------------------------------

--------------------------------------------------
Process    : *COMPONENT
Function   : *COMP
Partition  : SYS
Job Name   : JOB002908
Job User   : JRYOUNG
Job Number : 002908
Command    : SERVICE_UNLOAD
Command    : OK "Service successfully unloaded"
--------------------------------------------------

=================== TRACE CLOSE ==================
I am confident that I am getting connected; if the host name were not correct, I would get a connect error (I proved this by trying to connect to a bogus host).

Any ideas on how to format the DN in the bind?

Thanks,
Joe
alick
Posts: 16
Joined: Fri Sep 02, 2016 2:43 pm

Re: Integrator LDAP Authentication

Post by alick »

Hi,

Have you tried cn=JRYOUNG?

Also, what LDAP server are you using?

You could also use a simple tool like http://www.ldapadmin.org/ to test logon.


Command : BIND DN(cn=HQ\JRYOUNG) PASSWORD(*****) HOST(********.com)
Use plain socket connection
Connect to : *********.com:389
Create bind constraints
Use simple bind mechanism
Authentication name : cn=HQ\JRYOUNG
Command : ERROR "Invalid Credentials"
jyoung
Posts: 694
Joined: Thu Jan 21, 2016 6:43 am
Location: Oklahoma City, OK USA

Re: Integrator LDAP Authentication

Post by jyoung »

So I finally got some help from our sysadmin and can get authenticated with a CN but it is not usable.

The CN ends up being something like this: CN=Young\, Joseph R.,OU=***********,OU=*********,OU=******,DC=********,DC=com. Of course, no user is going to know all that.

Now I am looking for ways to authenticate with the SAMAccountName, which leads me to another question (or questions) that I will post in a new thread.

The good news is at least that I have Integrator talking to ActiveDirectory! lol. Small victories.
alick
Posts: 16
Joined: Fri Sep 02, 2016 2:43 pm

Re: Integrator LDAP Authentication

Post by alick »

Out of interest, for what reasons are you accessing the Windows Active Directory?

Q. Is it just for authentication checking of user and password?

Q. Do you plan to read, search or update LDAP entries?
jyoung
Posts: 694
Joined: Thu Jan 21, 2016 6:43 am
Location: Oklahoma City, OK USA

Re: Integrator LDAP Authentication

Post by jyoung »

Only for authentication at the time. Plan to do authorization with AD groups in the future.

More reading and research suggests that I can use a known account DN to "log into" AD and then search for the user via SAM which will give me their DN and then use their supplied password to authenticate.

General consensus from what I have read is that this is considered to be a poor practice and you should be able to use the user directly with a UPN or SAM. As I have not been able to get this to work, the above option may be my only choice.

I will say authenticating on the i was much easier. :D
MarkD
Posts: 692
Joined: Wed Dec 02, 2015 9:56 am

Re: Integrator LDAP Authentication

Post by MarkD »

That's because the code was supplied :)
Last edited by MarkD on Fri Jun 09, 2017 10:35 am, edited 1 time in total.
MarkD
Posts: 692
Joined: Wed Dec 02, 2015 9:56 am

Re: Integrator LDAP Authentication

Post by MarkD »

Do you think that this Windows API will do what you need?

https://msdn.microsoft.com/en-us/librar ... s.85).aspx

If yes, then I have something you could try out to invoke from a RDMLX server module.
jyoung
Posts: 694
Joined: Thu Jan 21, 2016 6:43 am
Location: Oklahoma City, OK USA

Re: Integrator LDAP Authentication

Post by jyoung »

MarkD, agreed. :D I am glad I did not have to dig into the program that does it.

Not sure on the API. I know it's possible with AD and if I can get this to work, some interesting opportunities become available. Having said that, if I can't get it to work then I am willing to try anything, well almost anything. :D
MarkD
Posts: 692
Joined: Wed Dec 02, 2015 9:56 am

Re: Integrator LDAP Authentication

Post by MarkD »

Okay, then let me know if anything changes.
jyoung
Posts: 694
Joined: Thu Jan 21, 2016 6:43 am
Location: Oklahoma City, OK USA

Re: Integrator LDAP Authentication

Post by jyoung »

To follow up and close this out, I have successfully got the authentication to work with ActiveDirectory.

I could not bind to the user directly. I think this is more of an issue with how our AD is set up, but I can with a known user.

So, how I got it to work, for anyone else that stumbles into this, is the following:
  1. Open, load and bind to the host with a known DN and password
  2. Search the domain with a filter.

    def_list name(#workingList) fields(#DN) counter(#LISTCOUNT) type(*WORKING) entrys(*MAX)
    #JSMXCMD := ("SEARCH DN(DC=**************,DC=com) FILTER(samaccountname=&1) SCOPE(*SUB) SERVICE_LIST(DN)").Substitute( #wk_Username )
    use builtin(JSMX_COMMAND) with_args(#JSMXHDLE #JSMXCMD) to_get(#JSMXSTS #JSMXMSG #workingList)
    
    If the status is ok and your list count is 1 then you got a DN for the user.

    if ((#JSMXSTS = OK) *And (#LISTCOUNT = 1))
    get_entry number(1) from_list(#workingList)
    endif
  3. Bind to the host with the user's DN and password.

    #JSMXCMD := ('BIND HOST(&1) DN(&2) PASSWORD(&3)').Substitute( #LDAPServer #DN #wk_Password )
    If the status is ok, you have authenticated; if not, there is likely an error message of "Invalid Credentials" or something similar.
  4. Unbind, unload and close
Hope this helps.
Joe
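As an added example (not code from the thread or from LANSA), here is the lookup-then-bind flow from the last post written in Python against a constructed in-memory stand-in for the directory, with the two checks that belong around it: the sAMAccountName is escaped before it goes into the search filter, and an empty password is refused before any bind is attempted. InMemoryDirectory, SERVICE_DN and the sample entries are assumptions made for this example.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot change the filter's shape."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def unescape_filter_value(value: str) -> str:
    """Reverse of the above; what a server does before comparing values."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

class InMemoryDirectory:
    """Constructed stand-in for the AD server: DN -> (sAMAccountName, password)."""
    def __init__(self, entries):
        self._entries = entries

    def bind(self, dn, password):
        # Simple bind: the DN must exist and the password must match exactly.
        return dn in self._entries and self._entries[dn][1] == password

    def search(self, ldap_filter):
        # Only the '(sAMAccountName=<value>)' shape the thread's SEARCH uses;
        # an unescaped '*' is a wildcard, an escaped '\2a' is a literal star.
        m = re.fullmatch(r'\(sAMAccountName=(.*)\)', ldap_filter, re.IGNORECASE)
        if not m:
            return []
        parts = [re.escape(unescape_filter_value(p)) for p in m.group(1).split('*')]
        pattern = re.compile('.*'.join(parts))
        return [dn for dn, (sam, _) in self._entries.items() if pattern.fullmatch(sam)]

def authenticate(directory, service_dn, service_pw, username, password):
    """Lookup-then-bind from the final post. Returns the user's DN, or None."""
    if not password:
        # An empty password turns a simple bind into an unauthenticated bind, which
        # a directory may answer with success: refuse it before it reaches the server.
        return None
    if not directory.bind(service_dn, service_pw):
        return None   # step 1: the known (service) account could not bind
    matches = directory.search('(sAMAccountName=%s)' % escape_filter_value(username))
    if len(matches) != 1:
        return None   # step 2: the "list count is 1" check from the post
    user_dn = matches[0]
    return user_dn if directory.bind(user_dn, password) else None  # step 3

# Constructed sample directory; none of these are real accounts.
SERVICE_DN = 'CN=svc-ldap,OU=Service,DC=example,DC=com'
DIRECTORY = InMemoryDirectory({
    SERVICE_DN: ('svc-ldap', 'svc-secret'),
    'CN=Young\\, Joseph R.,OU=Users,DC=example,DC=com': ('jryoung', 'user-pw'),
    'CN=Other User,OU=Users,DC=example,DC=com': ('other', 'other-pw'),
})
```

The escaping matters even though the "exactly one result" check exists: an unescaped wildcard such as `j*` would resolve to a real DN and let a guessed prefix reach the password bind, while the escaped form matches nothing.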