Solved

"Inappropriate Authentication" with CFLDAP

Posted on 2006-06-08
Last Modified: 2013-12-24
I am trying to create a login page using our existing Novell LDAP to authenticate to an index.cfm page. The login.cfm page asks for a username and password. When submitted, that form's action attribute sends the form values to a page called "loginaction.cfm". I get an error message when I try to run that login that reads:

Inappropriate authentication
 
The error occurred in C:\ldap\loginaction.cfm: line 6

4 : action="query"
5 : name="auth"
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB"
8 : server="163.xxx.xxx.xxx"

Here is the complete CFLDAP code for that page:

<cfldap
action="query"
name="auth"
attributes="cn,o,title,mail,telephonenumber"
start="o=CRB"
server="163.xxx.xxx.xxx"
filter = "cn=#form.username#"
scope="SUBTREE"
port="389"
username="cn=#form.username#"
password="#form.password#">

I have searched on this error message, but most answers are very generic. Anyone have any ideas or possible solutions?

Ken
Question by:kenjpete
LVL 7

Expert Comment

by:aseusainc
ID: 16864825
Looks like you are passing the web application's username and password as credentials for an LDAP query.

That username and password in your <cfldap> params need to be an admin of sorts (sorry, been ages since using Novell).  Regardless, they need permissions to query your LDAP structure.

Author Comment

by:kenjpete
ID: 16864903
The user ID and password I am using is a valid Novell account on our network and has permissions on the Novell LDAP server.
LVL 7

Expert Comment

by:aseusainc
ID: 16864917
I always seem to have afterthoughts AFTER hitting submit.

Again, it's been ages since I set this up, but I remember there being an advanced security tab or link in CF administrator.  You would then set up a "security sandbox", which is a named context.  Within this sandbox, you would set up the LDAP particulars, i.e. LDAP server address, authorized user/password, and the OU/CN/etc. tree you want to query against.

Then in your application, on your login form handler, you would use the <cfauthenticate> tag using the above named context.

LVL 7

Expert Comment

by:aseusainc
ID: 16864963
What you are doing above is kind of cheating and saying, "well anyone who is allowed to query the ldap server, is allowed to authenticate to this web app."  Which is kind of where your above method is headed.  But I think that you would need to remove the CN= from the username field.

Then basically anyone w/ rights to query your ldap server will be just running the above query (it's not really an authentication), and anyone who doesn't have rights would throw the error you are seeing now.

Please take a look at the CF studio tag help for <cfauthenticate> and also hit up a Google search for coldfusion security sandbox.

Author Comment

by:kenjpete
ID: 16870406
You are correct, but for right now with this app I am just trying to get CFLDAP to compare the users login with our Novell LDAP, and if the login name and password are correct, allow the visitor to view a page of links (index.cfm). Later on I will probably want to do a more robust authentication. I will check out <cfauthenticate> and the CF Security Sandbox as you recommend. If you have recommendations about how to better achieve this I would welcome your input.

When I removed the CN= from the username field it produced the error below (which, as it turns out, I have gotten several times as I tried to troubleshoot this problem):
*********************
An error has occured while trying to execute query :[LDAP: error code 34 - Invalid DN Syntax].  
One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server  
 
The error occurred in C:\ldap\loginaction.cfm: line 6
 
4 : action="query"
5 : name="auth"
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB"
8 : server="163.153.232.5"
**********************
What I have tried to figure out is: am I missing a required attribute, or am I really facing a permissions issue here as the error message suggests? As I mentioned, I have permissions, but would I need to be an administrator to carry out this query?

thanks,
   Ken
LVL 7

Expert Comment

by:aseusainc
ID: 16870645
Navigating LDAP can be a pain in the butt.  To find the true hierarchy of where you want to start, I personally find it easier to use an LDAP viewer to give me the proper tree.  I use one called "Softerra LDAP Browser".  So when I browse down to the container that has my users, the properties can be viewed as:

OU=Users,OU=xxxxxx,DC=yyyyyy,DC=com

I then use that in my CFLDAP tag like so:

<CFLDAP
 SERVER="xxx.xxx.xxx.xxx"
 ACTION="QUERY"
 USERNAME="an admin account"
 PASSWORD="an admin password"
 NAME="results"
 START="OU=Users,OU=xxxxxx,DC=yyyyyy,DC=com"
 ATTRIBUTES="sn,givenname,cn,o,l,st,mail,telephonenumber,wwwhomepage"
 SORT="sn ASC">

Author Comment

by:kenjpete
ID: 16873039
I also used a free LDAP browser to check our Novell tree and be sure of the attribute names. When I try and run the query using the code you provided above I get that same error message as before:

************
An error has occured while trying to execute query :[LDAP: error code 34 - Invalid DN Syntax].  
One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server  
 
The error occurred in C:\ldap\loginaction.cfm: line 8
 
6 : attributes="cn,o,title,mail,telephonenumber"
7 : start="o=CRB, ou=SSS"
8 : server="163.153.232.5"
9 : port="389"
10 : username="#form.username#"
************
Not sure what "Invalid DN Syntax" means, but no matter how I adjust this code I get either that error or the one I originally posted. Is there something specific to Novell's implementation of LDAP that could be causing a syntax problem here?

Ken

LVL 7

Expert Comment

by:aseusainc
ID: 16873468
Just for laughs, use a ; to divide your attributes instead of ,
LVL 7

Expert Comment

by:aseusainc
ID: 16873476
If it still happens, try using ; in the "start" param.

Author Comment

by:kenjpete
ID: 16873682
Still no luck! Changed the commas to semicolons in both the attributes and start params and got the exact same error message both times.
LVL 7

Accepted Solution

by:
aseusainc earned 375 total points
ID: 16874508
OK, next thing we try (go back to commas please)...set up your user name as fully qualified, like so:

username="cn=username,ou=my group,dc=mycompany,dc=com"  <--- adjust accordingly, of course

Author Comment

by:kenjpete
ID: 16888448
Success! Well, sort of, at least with this part of the login... After talking to one of our Novell admins here, the problem wasn't just the username attribute, it was also the start attribute. According to my Novell admin, LDAP cannot walk the Novell tree starting at the top. You have to start at the bottom, so for instance the start attribute would be as follows:

start="ou=SSS, o=CRB"

I had it backwards. Also, since our tree is set up with multiple OUs, the correct DN syntax for the username attribute was:

username="cn=#form.username#,ou=Communications,ou=sss,o=crb"

Here is the correct CFLDAP tag:

<cfldap
action="query"
name="auth"
attributes="sn,givenname,mail"
start="ou=communications,ou=sss,o=CRB"
server="163.xxx.xxx.xxx"
port="389"
username="cn=#form.username#,ou=Communications,ou=sss,o=crb"
password="#form.password#">

I added <cfdump var="#auth#"> to the script and it now returns all records in that container object. If I purposefully enter in the wrong password it throws the error "Inappropriate Authentication". The next step is going to be figuring out how to provide a login that evaluates the username and password based only on the user entering their login name (cn) and not entire context.

I appreciate all your help and input!

Ken
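The search-then-bind login Ken describes as his next step, written as an added CFML example (not code from the thread): the user types only their cn, a read-only service account (an assumed DN, cn=ldapreader,ou=sss,o=CRB, with a placeholder password) looks up the full DN in the leaf-to-root container from the thread, and the page then binds as that DN with the submitted password. The masked host and the "Inappropriate authentication" message are the thread's; the session variable and redirect targets are assumptions.

```cfml
<!--- loginaction.cfm: search-then-bind so the user enters only a cn.
      Added example, not from the thread. Service account, session and
      redirects are assumptions; containers follow the thread (ou=sss,o=CRB). --->
<cfset svcDN = "cn=ldapreader,ou=sss,o=CRB">            <!--- assumption: read-only service account --->
<cfset svcPassword = "REPLACE-WITH-SERVICE-PASSWORD">    <!--- placeholder; keep the real value out of the template --->
<cfset ldapHost = "163.xxx.xxx.xxx">                    <!--- masked as in the thread --->
<cfset searchBase = "ou=sss,o=CRB">                      <!--- leaf-to-root, the ordering that worked --->
<cfset authenticated = false>

<!--- 1. Accept only a plain login name, so the submitted value cannot alter
        the search filter or the DN that is built from it. --->
<cfif NOT reFind("^[A-Za-z0-9._-]{1,64}$", form.username) OR NOT len(form.password)>
  <cflocation url="login.cfm?err=1" addtoken="no">
</cfif>

<cftry>
  <!--- 2. Bind as the service account and look the user up by cn, asking
          for the dn attribute so the user never has to type their context. --->
  <cfldap action="query" name="lookup" attributes="dn,cn"
          start="#searchBase#" scope="subtree"
          filter="(cn=#form.username#)" maxrows="2"
          server="#ldapHost#" port="389"
          username="#svcDN#" password="#svcPassword#">

  <!--- Exactly one match is required; zero or duplicate cns count as failure. --->
  <cfif lookup.recordCount EQ 1>
    <!--- 3. Bind as the user with the supplied password. A wrong password makes
            eDirectory answer "Inappropriate authentication", which cfldap raises
            as an exception and the cfcatch below handles. --->
    <cfldap action="query" name="bindCheck" attributes="cn"
            start="#lookup.dn#" scope="base" filter="(objectclass=*)"
            server="#ldapHost#" port="389"
            username="#lookup.dn#" password="#form.password#">
    <cfset authenticated = (bindCheck.recordCount EQ 1)>
  </cfif>

  <cfcatch type="any">
    <!--- Bad password or lookup error: record the real reason server-side,
          show the visitor only a generic failure. --->
    <cflog file="ldaplogin" type="warning"
           text="LDAP login failed for #form.username#: #cfcatch.message#">
    <cfset authenticated = false>
  </cfcatch>
</cftry>

<cfif authenticated>
  <cfset session.user = lookup.cn>   <!--- assumption: session management enabled in Application.cfm --->
  <cflocation url="index.cfm" addtoken="no">
<cfelse>
  <cflocation url="login.cfm?err=1" addtoken="no">
</cfif>
```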
LVL 7

Expert Comment

by:aseusainc
ID: 16888519
Glad you finally got it working.  And as for "The next step is going to be figuring out how to provide a login that evaluates the username and password based only on the user entering their login name (cn) and not entire context.", I think the Security Sandbox is what you are looking for.  Sorry, I hate to sound like I'm preaching :(

Author Comment

by:kenjpete
ID: 16895061
You're not preaching...I am going to look into that next. I appreciate your expertise.

Ken