Solved

LDAP issues

Posted on 2009-04-17
Medium Priority
613 Views
Last Modified: 2013-12-24
Hi,
I'm using some simple VB LDAP code to check a list of users in Excel, to display their name, location, job etc.

We have 2 DCs where I work and I only seem to be able to LDAP to one of them.
The other DC always returns a null result.

This is odd, as I do have access to view both of the DCs via Active Roles Server (the online GUI).

Any reason that this might happen? Is it possible to secure a DC against people doing an LDAP query via an AD group, for example?
Question by:jamiepryer
6 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24166075

Can you show us the code?

> is it possible to secure a DC against people doing an LDAP query via an AD group for example?

By default all Authenticated Users have read access to (most of) Active Directory. You can revoke that right, but it must be done with care.

Chris
 

Author Comment

by:jamiepryer
ID: 24166118
Thanks for the info Chris.
Very interesting to know about LDAP and it being hard to revoke.

The 2 DCs I have are:

Global.FakeCompany.Com - can query fine.
strDomain = "DC=Global,DC=Lloydstsb,DC=Com"

OUTLET.AD.FakeCompany.COM - won't let me query.
strDomain = "DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM"
' Requires a reference to "Microsoft ActiveX Data Objects 2.x Library" (Tools > References)
Sub LookupUser()
    Dim objConnection As New ADODB.Connection
    Dim objCommand As New ADODB.Command
    Dim objRecordset As ADODB.Recordset
    Dim strDomain As String
    Dim xxUserIDxx As String    ' placeholder: the account name being looked up

    ' Set up the criteria for the LDAP searches
    Const ADS_SCOPE_SUBTREE = 2
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    ' Search base only, with no server part, so ADSI chooses the DC itself
    strDomain = "DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM"

    objCommand.CommandText = _
        "SELECT description, userAccountControl, displayname, mail, distinguishedName, physicaldeliveryofficename " & _
        "FROM 'LDAP://" & strDomain & "' WHERE objectCategory='user' " & _
        "AND Name='" & xxUserIDxx & "'"

    Set objRecordset = objCommand.Execute

    ' Read each attribute from the returned record's Fields collection
    If Not objRecordset.EOF Then
        ActiveSheet.Cells(1, 2) = objRecordset.Fields("description").Value
        ActiveSheet.Cells(1, 3) = objRecordset.Fields("userAccountControl").Value
        ActiveSheet.Cells(1, 4) = objRecordset.Fields("displayname").Value
    End If
    objRecordset.Close
    objConnection.Close
End Sub

 
LVL 71

Expert Comment

by:Chris Dent
ID: 24166164

This part:

OUTLET.AD.FakeCompany.COM

Is that the actual AD domain name? Because all you're doing is connecting to the "Domain Component" for a specific domain here.

For example, an AD Domain called ad.FakeCompany.com would be referred to as "DC=ad,DC=fakecompany,DC=com" on all DCs for that domain.

To connect to a different DC you would make it:

DCNameOrIP/DC=ad,DC=fakecompany,DC=com

When combined with your CommandText that gives you this connection string:

LDAP://<Server>/<SearchBase>

Search Base could also extend into the AD structure, e.g.

OU=somewhere,OU=somewhereelse,DC=ad,DC=fakecompany,DC=com

Which can also be prefixed with the server name or IP to force a connection via a specific DC.

Chris

 

Author Comment

by:jamiepryer
ID: 24166253
Chris,
sorry for being stupid, but my AD/LDAP knowledge is not *that* great.

How do I establish what the correct name should be for the "OUTLET.AD.FakeCompany.COM" AD domain?

In ARS, when I search on a user that has an ID in the domain "OUTLET.AD.FakeCompany.COM", their full DN is:
CN=xxUserIDxx,OU=Outlet Users,DC=OUTLET,DC=AD,DC=FakeCompany,DC=com

My ID on the other domain (which I can do LDAP on) is:
CN=xxMexx,OU=Head Office Users,DC=Global,DC=Lloydstsb,DC=Com

Apologies if I'm totally missing your point...
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1000 total points
ID: 24166469

I think the problem is coming because ADSI is being a bit too helpful.

You see when you do this:

 strdomain = "DC=Global,DC=Domain,DC=Com"

It creates this connection string:

  LDAP://DC=Global,DC=domain,DC=com

You're telling it "what" to connect to, but not "where". Because you're (presumably) running this from a client belonging to the Global domain, or even the server itself, it assumes you want a resource on a Domain Controller nearby. In essence it assumes this:

  LDAP://global.domain.com/DC=global,DC=domain,DC=com

Where "global.domain.com" will resolve using a tool like NsLookup to an IP address of a server capable of obtaining the information.

If ADSI didn't make that assumption you would have to tell it where to connect to as well as what.

I think that's where we're getting hung up. If you were to run the script from the server or a client within the Outlet domain it would quite happily go on with the query. But to run it remotely you must specify where, to avoid its assumptions.

That makes strDomain into this:

  strDomain = "outlet.ad.fakecompany.com/DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM"

And the resulting connection string into this:

  LDAP://outlet.ad.fakecompany.com/DC=outlet,DC=ad,DC=fakecompany,DC=com

If you don't specify that value it makes an assumption and tries:

  LDAP://global.domain.com/DC=outlet,DC=ad,DC=fakecompany,DC=com

Which won't work because global.domain.com cannot give you answers about outlet.ad.fakecompany.com[1].

Does that make any sense?

Chris



[1] There's a caveat there. If both are within the same forest, then it can if you instruct it to connect to the Global Catalog (GC://global.domain.com/DC=outlet,DC=ad,DC=fakecompany,DC=com). However, the Global Catalog is read-only and contains a sub-set of attributes so may not necessarily be useful here.
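The serverless versus explicit binding Chris describes above, as an added Python example that is not part of this thread and not ADSI's own code: it builds and parses ADsPath strings of the LDAP://<Server>/<SearchBase> form, derives the DNS domain from a DN's DC= components, and models the assumption ADSI makes when no server is given. The model is a simplification of his description, and the client domain and forest domain list are assumed inputs.

```python
import re

# Matches LDAP://<Server>/<SearchBase> or LDAP://<SearchBase> (GC:// likewise).
# A server token never contains '=' or ',', which is how it is told apart from a DN.
ADSPATH_RE = re.compile(
    r"^(?P<scheme>LDAP|GC)://(?:(?P<server>[^/=,]+)/)?(?P<base>.+)$", re.IGNORECASE)


def parse_adspath(path):
    """Split an ADsPath into (scheme, server or None, search base)."""
    m = ADSPATH_RE.match(path)
    if not m:
        raise ValueError(f"not an ADsPath: {path!r}")
    return m.group("scheme").upper(), m.group("server"), m.group("base")


def dn_to_dns(dn):
    """Derive the DNS domain name from the DC= components of a distinguished name."""
    dcs = [p.split("=", 1)[1] for p in (x.strip() for x in dn.split(","))
           if p.upper().startswith("DC=")]
    if not dcs:
        raise ValueError(f"no DC= components in {dn!r}")
    return ".".join(dcs).lower()


def build_adspath(search_base, server=None, global_catalog=False):
    """Assemble the connection string; server=None gives a serverless bind."""
    scheme = "GC" if global_catalog else "LDAP"
    return f"{scheme}://{server}/{search_base}" if server else f"{scheme}://{search_base}"


def effective_bind(path, client_domain, forest_domains=()):
    """Model of the serverless bind as described in the thread (simplified, assumed):
    with no server given, the bind goes to a DC of the client's own domain.
    Returns (path actually used, whether that DC can answer for the search base)."""
    scheme, server, base = parse_adspath(path)
    target = dn_to_dns(base)
    if server is not None:
        return path, True  # caller chose the DC (name or IP); trust it to hold the naming context
    assumed = client_domain.lower()
    used = build_adspath(base, assumed, scheme == "GC")
    if scheme == "GC":
        # A Global Catalog holds a partial, read-only replica of every domain in the forest
        ok = target == assumed or target in {d.lower() for d in forest_domains}
    else:
        # An ordinary DC only holds its own domain's naming context
        ok = target == assumed
    return used, ok
```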
 

Author Comment

by:jamiepryer
ID: 24167898
Thanks for your help, although I can't get the 2nd bit to work, using this:
strDomain = "outlet.ad.fakecompany.com/DC=OUTLET,DC=AD,DC=FakeCompany,DC=COM"
I did however manage to ping the domain and then use the IP address I got back as strDomain; this now works.

Thanks very much for your help and information, I've learnt something today :)
