kenjpete asked:
"Inappropriate Authentication" with CFLDAP

I am trying to create a login page using our existing Novell LDAP to authenticate to an index.cfm page. The login.cfm page asks for a username and password. When submitted, that form's action attribute sends the form values to a page called "loginaction.cfm". I get an error message when I try to run that login that reads:

Inappropriate authentication
 
The error occurred in C:\ldap\loginaction.cfm: line 6

4 : action="query"
5 : name="auth"
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB"
8 : server="163.xxx.xxx.xxx"

Here is the complete CFLDAP code for that page:

<cfldap
action="query"
name="auth"
attributes="cn,o,title,mail,telephonenumber"
start="o=CRB"
server="163.xxx.xxx.xxx"
filter = "cn=#form.username#"
scope="SUBTREE"
port="389"
username="cn=#form.username#"
password="#form.password#">

I have searched on this error message, but most answers are very generic. Anyone have any ideas or possible solutions?

Ken
aseusainc

Looks like you are passing the web application's username and password as credentials for an LDAP query.

That username and password in your <cfldap> params need to be an admin of sorts (sorry, been ages since using Novell). Regardless, it needs permissions to query your LDAP structure.
kenjpete (asker):

The user ID and password I am using is a valid Novell account on our network and has permissions on the Novell LDAP server.
I always seem to have afterthoughts AFTER hitting submit.

Again, it's been ages since I set this up, but I remember there being an advanced security tab or link in CF Administrator. You would then set up a "security sandbox", which is a named context. Within this sandbox, you would set up the LDAP particulars, i.e., LDAP server address, authorized user/password, and the OU/CN/etc. tree you want to query against.

Then in your application, on your login form handler, you would use the <cfauthenticate> tag with the above named context.

What you are doing above is kind of cheating and saying, "well anyone who is allowed to query the ldap server, is allowed to authenticate to this web app."  Which is kind of where your above method is headed.  But I think that you would need to remove the CN= from the username field.

Then basically anyone w/ rights to query your ldap server will be just running the above query (it's not really an authentication), and anyone who doesn't have rights would throw the error you are seeing now.

Please take a look at the CF studio tag help for <cfauthenticate> and also hit up a Google search for coldfusion security sandbox.
You are correct, but for right now with this app I am just trying to get CFLDAP to compare the users login with our Novell LDAP, and if the login name and password are correct, allow the visitor to view a page of links (index.cfm). Later on I will probably want to do a more robust authentication. I will check out <cfauthenticate> and the CF Security Sandbox as you recommend. If you have recommendations about how to better achieve this I would welcome your input.

When I removed the CN= from the username field it produced the error below (which, as it turns out, I have gotten several times as I tried to troubleshoot this problem):
*********************
An error has occured while trying to execute query :[LDAP: error code 34 - Invalid DN Syntax].  
One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server  
 
The error occurred in C:\ldap\loginaction.cfm: line 6
 
4 : action="query"
5 : name="auth"
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB"
8 : server="163.153.232.5"
**********************
What I have tried to figure out is whether I am missing a required attribute or am really facing a permissions issue here, as the error message suggests. As I mentioned, I have permissions, but would I need to be an administrator to carry out this query?

thanks,
   Ken
Navigating LDAP can be a pain in the butt. To find the true hierarchy of where you want to start, I personally find it easier to use an LDAP viewer to give me the proper tree. I use one called "Softerra LDAP Browser". So when I browse down to the container that has my users, the properties can be viewed as:

OU=Users,OU=xxxxxx,DC=yyyyyy,DC=com

I then use that in my CFLDAP tag like so:

<CFLDAP
 SERVER="xxx.xxx.xxx.xxx"
 ACTION="QUERY"
 USERNAME="an admin account"
 PASSWORD="an admin password"
 NAME="results"
 START="OU=Users,OU=xxxxxx,DC=yyyyyy,DC=com"
 ATTRIBUTES="sn,givenname,cn,o,l,st,mail,telephonenumber,wwwhomepage"
 SORT="sn ASC">
I also used a free LDAP browser to check our Novell tree and be sure of the attribute names. When I try and run the query using the code you provided above I get that same error message as before:

************
An error has occured while trying to execute query :[LDAP: error code 34 - Invalid DN Syntax].  
One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server  
 
The error occurred in C:\ldap\loginaction.cfm: line 8
 
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB, ou=SSS"
8 : server="163.153.232.5"
9 : port="389"
10 : username="#form.username#"
************
Not sure what "Invalid DN Syntax" means, but no matter how I adjust this code I get either that error or the one I originally posted. Is there something specific to Novell's implementation of LDAP that could be causing a syntax problem here?

Ken

Just for laughs, use a ; to divide your attributes instead of ,
If it still happens, try using ; in the "start" param.
Still no luck! Changed the commas to semicolons in both the attributes and start params and got the exact same error message both times.
ASKER CERTIFIED SOLUTION
aseusainc

Success! Well, sort of, at least with this part of the login. After talking to one of our Novell admins here, the problem wasn't just the username attribute, it was also the start attribute. According to my Novell admin, LDAP cannot walk the Novell tree starting at the top. You have to start at the bottom, so for instance the start attribute would be as follows:

start="ou=SSS, o=CRB"

I had it backwards. Also, because our tree is set up with multiple OUs, the correct DN syntax in the username attribute was:

username="cn=#form.username#,ou=Communications,ou=sss,o=crb"

Here is the correct CFLDAP tag:

<cfldap
action="query"
name="auth"
attributes="sn,givenname,mail"
start="ou=communications,ou=sss,o=CRB"
server="163.xxx.xxx.xxx"
port="389"
username="cn=#form.username#,ou=Communications,ou=sss,o=crb"
password="#form.password#">

I added <cfdump var="#auth#"> to the script and it now returns all records in that container object. If I purposefully enter in the wrong password it throws the error "Inappropriate Authentication". The next step is going to be figuring out how to provide a login that evaluates the username and password based only on the user entering their login name (cn) and not entire context.

I appreciate all your help and input!

Ken
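The "next step" Ken describes above (let the visitor type only their cn, not the whole context) is usually done as a two-step search-then-bind: a low-privilege service account searches the tree for the cn to recover the user's full DN, and the application then binds as that DN with the password the visitor typed. The following is an added example, not code from this thread; it models the ou=sss,o=crb tree from the thread with a constructed in-memory directory (the service account cn=ldapproxy, the user entries and all passwords are constructed) so the flow runs offline, and it also escapes the form value before it goes into the filter, which Ken's `filter="cn=#form.username#"` does not.

```python
import re

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape user input before it is placed in a filter such as (cn=<value>)."""
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)

def _filter_regex(value: str):
    """Interpret a filter value the way a server would: a bare '*' is a wildcard,
    a \\xx escape is the literal character; cn matching is case-insensitive."""
    out = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", value):
        if tok.startswith("\\"):
            out += re.escape(chr(int(tok[1:], 16)))
        else:
            out += ".*" if tok == "*" else re.escape(tok)
    return re.compile(f"^{out}$", re.IGNORECASE)

class FakeDirectory:
    """Constructed in-memory stand-in for the eDirectory server in the thread."""
    def __init__(self, entries):
        self.entries = entries  # {dn: {"cn": ..., "userPassword": ...}}
    def search(self, base: str, cn_value: str):
        """DNs below `base` (naive suffix check) whose cn matches (cn=<cn_value>)."""
        rx = _filter_regex(cn_value)
        return [dn for dn, a in self.entries.items()
                if dn.lower().endswith(base.lower()) and rx.match(a["cn"])]
    def bind(self, dn: str, password: str) -> bool:
        """Simple bind. Empty password refused: RFC 4513 makes that an
        *unauthenticated* bind, which some servers report as success."""
        entry = self.entries.get(dn)
        return bool(password) and entry is not None and entry["userPassword"] == password

DIRECTORY = FakeDirectory({  # constructed sample tree and constructed passwords
    "cn=ldapproxy,ou=sss,o=crb": {"cn": "ldapproxy", "userPassword": "svc-secret"},
    "cn=ken,ou=Communications,ou=sss,o=crb": {"cn": "ken", "userPassword": "correct horse"},
    "cn=jdoe,ou=Finance,ou=sss,o=crb": {"cn": "jdoe", "userPassword": "hunter2"},
})

def authenticate(directory, base, svc_dn, svc_pw, username, password):
    """Search-then-bind: resolve the typed cn to exactly one DN using the service
    account, then bind as that DN with the user's password. Returns the DN or None."""
    if not directory.bind(svc_dn, svc_pw):
        raise RuntimeError("service account bind failed")
    matches = directory.search(base, escape_filter_value(username))
    if len(matches) != 1:  # unknown user, or the same cn in two OUs: refuse
        return None
    return matches[0] if directory.bind(matches[0], password) else None
```

Because the form value is escaped, a typed `*` resolves to nothing instead of matching every entry under the base, and an ambiguous cn is refused rather than guessed.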
Glad you finally got it working. And as for "The next step is going to be figuring out how to provide a login that evaluates the username and password based only on the user entering their login name (cn) and not entire context.", I think the Security Sandbox is what you are looking for. Sorry, I hate to sound like I'm preaching :(
You're not preaching...I am going to look into that next. I appreciate your expertise.

Ken