"Inappropriate Authentication" with CFLDAP

I am trying to create a login page using our existing Novell LDAP to authenticate to an index.cfm page. The login.cfm page asks for a username and password. When submitted, that form's action attribute sends the form values to a page called "loginaction.cfm". I get an error message when I try to run that  login that reads:

Inappropriate authentication
 
The error occurred in C:\ldap\loginaction.cfm: line 6

4 : action="query"
5 : name="auth"
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB"
8 : server="163.xxx.xxx.xxx"

Here is the complete CFLDAP code for that page:

<cfldap
action="query"
name="auth"
attributes="cn,o,title,mail,telephonenumber"
start="o=CRB"
server="163.xxx.xxx.xxx"
filter = "cn=#form.username#"
scope="SUBTREE"
port="389"
username="cn=#form.username#"
password="#form.password#">

I have searched on this error message, but most answers are very generic. Anyone have any ideas or possible solutions?

Ken
kenjpeteAsked:
Who is Participating?
 
aseusaincCommented:
OK, next thing we try (go back to commas please)...set up your user name as fully qualified, like so:

username="cn=username,ou=my group,dc=mycomany,dc=com"  <---adjust accordingly of course
0
 
aseusaincCommented:
Looks like you are passing the web application's username and password as credentials for an LDAP query.

That username and password in your <cfldap> params needs to be an admin of sorts (sorry been ages since using Novell).  Regardless, it need permissions to query your LDAP structure.
0
 
kenjpeteAuthor Commented:
The user ID and password I am using is a valid Novell account on our network and has permissions on the Novell LDAP server.
0
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

 
aseusaincCommented:
I always seem to have afterthoughts AFTER hitting submit.

Again, it's been ages since I set this up, but I remember there being an advanced security tab or link in CF administrator.  You would then set up a "security sandbox" which is a named context.  Within this sandbox, you would setup the LDAP particulars, IE: ldap server address, authorized user/password, and the OU/CN/etc tree you want to query against.

Then in your application on your login form handler, you would use the <cfauthenticate> tag using the above named context

0
 
aseusaincCommented:
What you are doing above is kind of cheating and saying, "well anyone who is allowed to query the ldap server, is allowed to authenticate to this web app."  Which is kind of where your above method is headed.  But I think that you would need to remove the CN= from the username field.

Then basically anyone w/ rights to query your ldap server will be just running the above query (it's not really an authentication), and anyone who doesn't have rights would throw the error you are seeing now.

Please take a look at the CF studio tag help for <cfauthenticate> and also hit up a Google search for coldfusion security sandbox.
0
 
kenjpeteAuthor Commented:
You are correct, but for right now with this app I am just trying to get CFLDAP to compare the users login with our Novell LDAP, and if the login name and password are correct, allow the visitor to view a page of links (index.cfm). Later on I will probably want to do a more robust authentication. I will check out <cfauthenticate> and the CF Security Sandbox as you recommend. If you have recommendations about how to better achieve this I would welcome your input.

When I removed the CN= from the username field it produced the error below (which as it turns out I have gotten several times as I tried to troubleshoot this problem);
*********************
An error has occured while trying to execute query :[LDAP: error code 34 - Invalid DN Syntax].  
One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server  
 
The error occurred in C:\ldap\loginaction.cfm: line 6
 
4 : action="query"
5 : name="auth"
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB"
8 : server="163.153.232.5"
**********************
What I have tried to figure out is am I missing a required attribute or I am really facing a permissions issue here as the error message suggests?? As I mentioned, I have permissions, but would I need to be an administrator to carry out this query?

thanks,
   Ken
0
 
aseusaincCommented:
Navigating LDAP can be a pain in the butt.  To find the true heirarchy of where you want to start, I personally find it easier to use an LDAP viewer to give me the proper tree.  I use one called "Softerra LDAP Browser".  So when I browse down to the container that has my users, the properties can be viewed as:

OU=Users,OU=xxxxxx,DC=yyyyyy,DC=com

I then use that in my CFLDAP tag like so:

<CFLDAP
 SERVER="xxx.xxx.xxx.xxx"
 ACTION="QUERY"
 USERNAME="an admin account"
 PASSWORD="an admin password"
 NAME="results"
 START="OU=Users,OU=xxxxxx,DC=yyyyyy,DC=com"
 ATTRIBUTES="sn,givenname,cn,o,l,st,mail,telephonenumber,wwwhomepage"
 SORT="sn ASC">
0
 
kenjpeteAuthor Commented:
I also used a free LDAP browser to check our Novell tree and be sure of the attribute names. When I try and run the query using the code you provided above I get that same error message as before:

************
An error has occured while trying to execute query :[LDAP: error code 34 - Invalid DN Syntax].  
One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server  
 
The error occurred in C:\ldap\loginaction.cfm: line 8
 
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB, ou=SSS"
8 : server="163.153.232.5"
9 : port="389"
10 : username="#form.username#"
************
Not sure what "Invalid DN Syntax" means but no matter how I adjust this code I get either that error, or the one I originally posted? Is there something specific to Novell's implementation of LDAP that could be causing a syntax problem here?

Ken

0
 
aseusaincCommented:
Just for laughs, use a ; to divide your attributes instead of ,
0
 
aseusaincCommented:
If it still happens, try using ; in the "start" param.
0
 
kenjpeteAuthor Commented:
Still no luck! Changed the commas to semi-colons in both the attributes and start params and got the exact same error message both times?
0
 
kenjpeteAuthor Commented:
Success! Well sort of, at least with this part of the login.....after talking to one of our Novell admins here, the problem wasn't just the username attribute, it was also the start attribute. According to my Novell admin, LDAP cannot walk the Novell tree starting at the top. You have to start at the bottom, so for instance the start attribute would be as follows:

start="ou=SSS, o=CRB"

I had it backwards. Also in the username attribute our tree is set up with multiple ou's the correct DN syntax was:

username="cn=#form.username#,ou=Communications,ou=sss,o=crb"

Here is the correct CFLDAP tag:

<cfldap
action="query"
name="auth"
attributes="sn,givenname,mail"
start="ou=communications,ou=sss,o=CRB"
server="163.xxx.xxx.xxx"
port="389"
username="cn=#form.username#,ou=Communications,ou=sss,o=crb"
password="#form.password#">

I added <cfdump var="#auth#"> to the script and it now returns all records in that container object. If I purposefully enter in the wrong password it throws the error "Inappropriate Authentication". The next step is going to be figuring out how to provide a login that evaluates the username and password based only on the user entering their login name (cn) and not entire context.

I appreciate all your help and input!

Ken
0
 
aseusaincCommented:
Glad you finally got it working.  And as for "The next step is going to be figuring out how to provide a login that evaluates the username and password based only on the user entering their login name (cn) and not entire context.
", I think the Security Sandbox is what you are looking for.  Sorry, I hate to sound like I'm preaching :(
0
 
kenjpeteAuthor Commented:
You're not preaching...I am going to look into that next. I appreciate your expertise.

Ken
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.