Goddess6942
asked on
LDAP: Sizelimit Exceeded Error

I am trying to set up a login that will utilize our network's Active Directory to validate users.  We are using Coldfusion MX, Exchange 2003 and Windows 2000 Server. Unfortunately, I can't seem to get my LDAP query to work.  The error I keep receiving is:

CFLDAP

Sizelimit Exceeded

Below is the code I'm using:

<CFLDAP
ACTION="query"
NAME="Results"
START="cn=users, dc=serverName1, dc=serverName2, dc=serverDomain"
SCOPE="subtree"
ATTRIBUTES="cn, o, st, c, sn"
SERVER="myServer"
PORT="389"
SORT="asc"
USERNAME="myUsername"
PASSWORD="myPassword"
>

Any ideas as to what the problem could be?  I suspect it's not with my code but I don't know what else it could be.  Any help would be greatly appreciated.

Thanks,
--Anne
ASKER CERTIFIED SOLUTION
tim_cs
Tacobell777

Hi,

You are saying you are using cfldap to authenticate users, I'm just wondering where you get the username from to authenticate them?
If you get this by disabling anonymous access and have "Integrated Windows Authentication" ticked, then you should read:
http://www.tacofleur.com/index/blog/archive/2004/02/?022043

Basically there is no need to authenticate the user against LDAP, this is already done for you in the background.
Goddess6942
ASKER

That is of course assuming I only want domain users to access secured portions of the web site which isn't the case.  I need to be able to authenticate individuals who may be using their home computers or off site machines as well.

--Anne
That actually brings up another question; some of the research I have done has led me to believe that if I want to create a login that utilizes our Active Directory I should create an LDAP query and authenticate against it.  Is that correct?  When I was using version 5, I of course used Advanced Security with Siteminder services to do this and since MX no longer uses Siteminder services this is all completely new to me.

Thanks,
--Anne
There is a need to use LDAP to authenticate a user if their login name doesn't necessarily match their username - or if you have users in mixed operating system environments.

For example, we have users that may log in from home machines, like Anne, and in that case they may all have the same username (Administrator).  Also we have another authentication system that authenticates a huge pool of users and we only want to authorize a subset into our application.  We cannot control who gets authenticated so we look them up in LDAP to determine whether they should be authorized to access our applications.
Thanks, mrichmon.  Glad to know I'm on the right track.

--Anne
All I'm saying is that CFLDAP is not made to do authentication, but to retrieve information from the directory.
Are there any alternatives to performing authentication against Active Directory aside from using LDAP?  From what I've seen, this seems to be the only practical way.

--Anne
TacoBell's integrated windows login should allow this.

Then you would just have to require that when users connected from home they need to join the domain either through a VPN or by joining the machine to the domain (if you allow that).
Considering the kinds of users we have, it may be best not to make them think any more than they have to.

--Anne
What does that last statement mean?
Using integrated authentication should not make them think at all, unless they are not in the domain...
But I do have users that will not be in the domain, those are the ones I speak of.
That is where using VPN or forcing them to join the domain comes in...
What is VPN?  I don't think I've heard of it and if I have it's been awhile.
VPN is Virtual Private Network.  It allows you to create a sort of tunnel so that a machine looks like it is a machine on your network instead of looking like a foreign machine such as a home machine.
That sounds like it would take a lot more effort on the part of the user in the beginning as opposed to just simply entering their username and password.
Well it takes a whole lot more effort to set up, but once you have it set up for them it is just a matter of clicking an icon on their computer to run the VPN.
I think for our purposes that may be a bit too impractical.
Possibly - it was just a suggestion :o)
I definitely welcome suggestions :)  I have a question about the LDAP route, however. You mentioned that you have some applications where you look individuals up in the LDAP to check if they should be authorized. When you do that, I'm assuming you just check their username and make sure there is a match.  How do you handle ensuring the password is correct?
I don't use LDAP for that - at least not currently.  Remember that I also mentioned that we have a separate system that does the authentication (authentication being username/password is correct vs authorization what you have access to depending on your permissions etc).

So for example, the authentication says that your username and password match so I know you are who you say you are (this right now is not done with LDAP since the password is not stored in LDAP - this is where our separate authentication comes into play).

At this point I know you are who you say you are - but I don't know who that is (does this make sense?)

My authorization takes your username that you provided when you authenticated and then uses LDAP to look up information about that username.  So if my username was lkjsfasf3536 I can look that up in LDAP and see that you are John Smith of the XXXX department and whatever other info I have stored in the LDAP record.

It is possible that John Smith doesn't have access to the application he is trying to get to (i.e. not authorized), but he is authenticated and may have access (authorization) to a different application.

So the authentication and authorization are two separate things in this case....

In fact the username/password for the authentication is in a completely separate place.

Does that help at all?
Yes, that does help.  With that being the case, is there any way to set up a system that checks either Active Directory or the domain to make sure that a submitted network username and password are correct?
That I am not sure of
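The following is an added example, not code posted by anyone in this thread and not the accepted answer (which is not reproduced here). It addresses both open points at once: the "Sizelimit Exceeded" error from the original query, and Anne's question about checking a submitted network username and password against Active Directory. The original query asks for every entry under cn=Users with the default filter and a subtree scope; Active Directory caps the number of entries it returns for a single unpaged search (1000 by default), so a populated directory trips the limit. Narrowing the search with a filter and a maxRows cap avoids that. For the password check, the usual LDAP approach is a two-step flow: look the user up with a read-only service account, then attempt a bind with the user's own distinguished name and the submitted password; the bind only succeeds if the password is right. The server name ldap.example.local, the base DN dc=example,dc=local, the service account, the application.ldapReaderPassword variable and both function names are assumptions for this example.

```cfml
<!--- Added example: authenticate a user against Active Directory with CFLDAP.
      All server names, DNs and account names below are placeholders. --->

<cffunction name="escapeLdapFilterValue" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <!--- RFC 4515 escaping so a submitted username cannot alter the filter
          (a value like "*" or "x)(objectClass=*" would otherwise widen it). --->
    <cfset var out = arguments.value>
    <cfset out = Replace(out, "\", "\5c", "ALL")>   <!--- backslash first --->
    <cfset out = Replace(out, "*", "\2a", "ALL")>
    <cfset out = Replace(out, "(", "\28", "ALL")>
    <cfset out = Replace(out, ")", "\29", "ALL")>
    <cfset out = Replace(out, Chr(0), "\00", "ALL")>
    <cfreturn out>
</cffunction>

<cffunction name="authenticateAgainstAD" returntype="boolean" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var lookup = "">
    <cfset var probe = "">
    <cfset var userDN = "">

    <!--- An empty password must never reach the bind: AD treats a bind with
          a name and no password as an anonymous bind, which succeeds. --->
    <cfif Len(Trim(arguments.username)) EQ 0 OR Len(arguments.password) EQ 0>
        <cfreturn false>
    </cfif>

    <!--- Step 1: look the account up with a read-only service account.
          The filter names one account and maxRows caps the result, so this
          query can never hit the server's size limit the way an unfiltered
          subtree search of cn=Users can. --->
    <cftry>
        <cfldap action="query"
                name="lookup"
                server="ldap.example.local"
                port="636"
                secure="CFSSL_BASIC"
                username="svc-ldap-reader@example.local"
                password="#application.ldapReaderPassword#"
                start="cn=Users,dc=example,dc=local"
                scope="subtree"
                filter="(&(objectClass=user)(sAMAccountName=#escapeLdapFilterValue(arguments.username)#))"
                attributes="distinguishedName"
                maxRows="1"
                timeout="10">
        <cfcatch type="any">
            <!--- Directory unreachable or service bind failed: fail closed. --->
            <cfreturn false>
        </cfcatch>
    </cftry>

    <cfif lookup.recordCount NEQ 1>
        <cfreturn false>   <!--- unknown account --->
    </cfif>
    <cfset userDN = lookup.distinguishedName>

    <!--- Step 2: bind as the user. A base-scope read of the user's own entry
          with the submitted password as the bind credential only succeeds if
          AD accepts that password; CFLDAP throws on a failed bind. --->
    <cftry>
        <cfldap action="query"
                name="probe"
                server="ldap.example.local"
                port="636"
                secure="CFSSL_BASIC"
                username="#userDN#"
                password="#arguments.password#"
                start="#userDN#"
                scope="base"
                filter="(objectClass=*)"
                attributes="cn"
                maxRows="1"
                timeout="10">
        <cfcatch type="any">
            <cfreturn false>   <!--- wrong password or disabled account --->
        </cfcatch>
    </cftry>

    <cfreturn true>
</cffunction>

<!--- Usage from a login form handler (form.username / form.password assumed): --->
<cfif authenticateAgainstAD(form.username, form.password)>
    <cfset session.user = form.username>
<cfelse>
    <cfset request.loginError = "Invalid username or password.">
</cfif>
```

Two design points worth noting. The example uses port 636 with secure="CFSSL_BASIC" rather than the 389 in the original query, because a simple bind sends the password as it is; over plain 389 that password crosses the network unencrypted. And the service account in step 1 only needs read access to the Users container, so a compromise of the web server yields a directory reader, not a credential that can change anything.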
Well tim_cs answered my initial question with the LDAP issue and that is now working great.  However, I've decided to not use LDAP to do what I was initially planning because I found a wonderful custom tag called CFX_Users. It does everything and more that I needed. So I'm now totally set.  Thank you all for your help.

--Anne
No problem.  I thought the points should go to tim too since he did answer the question and the rest was us just commenting on a tangent.  :o)
Yeah, I debated a bit about whether or not to split the points but figured it would only be fair to give them to the person who answered the initial question.  Although, now that I think about it, I probably should have given you a few for prompting me to find CFX_users.

--Anne
Not a problem - I'm not here for the points, but to help others.

But just so you know if you do ever feel like someone deserves points there is the "Points For" option as described here:
https://www.experts-exchange.com/Web/WebDevSoftware/ColdFusion/help.jsp#hi76

(since some people ARE only helping for the points)