• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 994
  • Last Modified:

Ldap authentication is working for one user but doesn't work with the %LDAP_USER%

Ldap authentication is working for one user with this string.

cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com

But not with

cn=%LDAP_USER%,OU=Users,OU=_company,DC=company,DC=com
Is there some thing to setup on the Active Directory side or on the Apex side?

0
meagain0707
Asked:
meagain0707
  • 9
  • 3
  • 2
3 Solutions
 
arnoldCommented:
The real question is what %LDAP_USER% translates to is it really seen as a variable that gets evaluated/replaced first with the correct term prior to submitting the query to AD.  Check the security log on the DC's and see what information it is presented for these queries.
0
 
meagain0707Author Commented:
Thanks, I will check this on Monday, as I don't have access today.
0
 
shudmanCommented:
Also, are you sure it is cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com
 and not:
cn=Jay Smith,CN=Users,OU=_company,DC=company,DC=com

note the cn instead of ou !

I don't know anything about Apex....but do you even need the %%'s around the variable ? In VBscript, as long as the variable is defined previously, you just place the variable in the path:

myVal = "cn=" & LDAP_USER & ",cn=Users,OU=_company,DC=company,DC=com"
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
meagain0707Author Commented:
Hi shudman,

It is OU, when I change it to OU it does work at all. Thanks though.
0
 
shudmanCommented:
OU or CN does or doesn't work ?
0
 
meagain0707Author Commented:
Hi Arnold,

It tanslates to the full name. So if I enter Joe Smith as the user name with the password it works. I want to authenticate so the user can enter jsmith@email.com. This is called the userPrincipleName. Any ideas on how to do that?  We are using apex 4.
0
 
meagain0707Author Commented:
Hi shudman,

Sorry,  when I change it to CN it does work at all.
0
 
meagain0707Author Commented:
Hi shudman,

Sorry,  when I change it to CN it doesn't -  'does not ' work at all.
0
 
shudmanCommented:
OK.  Can you pipe out/display the value of %LDAP_USER% before you get to the cn= string in you code ?  What is the value ?
0
 
meagain0707Author Commented:
I don't know how to do that.

The documentation states:

Under LDAP Settings, Enter the LDAP configuration parameters. LDAP Host, LDAP Port, and LDAP DN string are required. Obtain the correct values for these from an administrator, if necessary. You must replace the username component of the DN string with the placeholder '%LDAP_USER%'. For example, if an actual DN string for user 'joe' would be:     cn=joe,l=amer,dc=oracle,dc=com
Enter the following for the LDAP DN String parameter:     cn=%LDAP_USER%,l=amer,dc=oracle,dc=com
The engine will take the value of upper(p_username) passed to the login API and replace %LDAP_USER% with it before making the call to DBMS_LDAP.SIMPLE_BIND_S.

The  Systems Administrator gave me this information:

CN=Joe Smith,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

I'm using

cn=%LDAP_USER%,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

 and this works when I use the username  Joe Smith

I would like to user either jsmith or jsmith@company.com. I don't see where I can change the authentication to use - userPrincipleName (jsmith@company.com)

I will keep searching and reading Thanks.


0
 
arnoldCommented:
user@domain will likely need to use a strip mechanism since the domain is part of the string.
i.e. jsmith@domain.com will have the domain.com stripped out of the realm

You can try instead of %LDAP_USER% use %LDAP_USER:@company.com=%
This will strip out the @company.com if included prior to sending the data to the LDAP server as a query and should work.


0
 
meagain0707Author Commented:
Thanks arnold, I tired but it didn't work. The problem is; the %LDAP_USER% must lookup the 'Full name' and then check the password. I tried this too; removed the %LDAP_USER% and put back the Joe Smith. When I tested the login I used 'j9r7q49ty9-garbage' for the user name and the correct password for Joe Smith and it worked.

There must( ? ), rather,  might be a way to change it so it lookups up the userPrincipleName (jsmith@company.com) attribute instead of the common name attribute. So when you enter the user name jsmith@company.com  it authenticates to the column userPrincipleName attribute  instead of common name attribute.
0
 
meagain0707Author Commented:
I'm almost there.... I think. I had to use DBMS_LDAP package.... More on Monday.....
0
 
meagain0707Author Commented:
I know what I have to do now, so I'm closing this question. Thanks
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 9
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now