Solved

Ldap authentication is working for one user but doesn't work with the %LDAP_USER%

Posted on 2010-11-26
937 Views
Last Modified: 2012-05-10
Ldap authentication is working for one user with this string.

cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com

But not with

cn=%LDAP_USER%,OU=Users,OU=_company,DC=company,DC=com
Is there something to set up on the Active Directory side or on the Apex side?

Question by:meagain0707
14 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 334 total points
ID: 34218894
The real question is what %LDAP_USER% translates to: is it really seen as a variable that gets evaluated/replaced with the correct term before the query is submitted to AD? Check the security log on the DCs and see what information is presented for these queries.

Author Comment

by:meagain0707
ID: 34218926
Thanks, I will check this on Monday, as I don't have access today.
LVL 4

Assisted Solution

by:shudman
shudman earned 166 total points
ID: 34226646
Also, are you sure it is

cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com

and not:

cn=Jay Smith,CN=Users,OU=_company,DC=company,DC=com

Note the CN instead of OU!

I don't know anything about Apex... but do you even need the %%'s around the variable? In VBScript, as long as the variable is defined previously, you just place the variable in the path:

myVal = "cn=" & LDAP_USER & ",cn=Users,OU=_company,DC=company,DC=com"


Author Comment

by:meagain0707
ID: 34270895
Hi shudman,

It is OU; when I change it to OU it does work at all. Thanks though.

LVL 4

Expert Comment

by:shudman
ID: 34270923
OU or CN does or doesn't work?

Author Comment

by:meagain0707
ID: 34270944
Hi Arnold,

It translates to the full name. So if I enter Joe Smith as the user name with the password it works. I want to authenticate so the user can enter jsmith@email.com. This is called the userPrincipalName. Any ideas on how to do that? We are using Apex 4.

Author Comment

by:meagain0707
ID: 34270971
Hi shudman,

Sorry, when I change it to CN it does work at all.

Author Comment

by:meagain0707
ID: 34270976
Hi shudman,

Sorry, when I change it to CN it doesn't ('does not') work at all.

LVL 4

Expert Comment

by:shudman
ID: 34271000
OK. Can you pipe out/display the value of %LDAP_USER% before you get to the cn= string in your code? What is the value?

Author Comment

by:meagain0707
ID: 34271179
I don't know how to do that.

The documentation states:

Under LDAP Settings, enter the LDAP configuration parameters. LDAP Host, LDAP Port, and LDAP DN string are required. Obtain the correct values for these from an administrator, if necessary. You must replace the username component of the DN string with the placeholder '%LDAP_USER%'. For example, if an actual DN string for user 'joe' would be:

cn=joe,l=amer,dc=oracle,dc=com

Enter the following for the LDAP DN String parameter:

cn=%LDAP_USER%,l=amer,dc=oracle,dc=com

The engine will take the value of upper(p_username) passed to the login API and replace %LDAP_USER% with it before making the call to DBMS_LDAP.SIMPLE_BIND_S.

The Systems Administrator gave me this information:

CN=Joe Smith,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

I'm using

cn=%LDAP_USER%,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

and this works when I use the username Joe Smith.

I would like to use either jsmith or jsmith@company.com. I don't see where I can change the authentication to use userPrincipalName (jsmith@company.com).

I will keep searching and reading. Thanks.

LVL 77

Assisted Solution

by:arnold
arnold earned 334 total points
ID: 34272098
user@domain will likely need to use a strip mechanism since the domain is part of the string,
i.e. jsmith@domain.com will have the domain.com stripped out of the realm.

Instead of %LDAP_USER%, you can try %LDAP_USER:@company.com=%
This will strip out the @company.com, if included, before sending the data to the LDAP server as a query, and should work.

Author Comment

by:meagain0707
ID: 34272166
Thanks arnold, I tried but it didn't work. The problem is, the %LDAP_USER% must look up the 'Full name' and then check the password. I tried this too: removed the %LDAP_USER% and put back the Joe Smith. When I tested the login I used 'j9r7q49ty9-garbage' for the user name and the correct password for Joe Smith, and it worked.

There must (?), rather, might be a way to change it so it looks up the userPrincipalName (jsmith@company.com) attribute instead of the common name attribute. So when you enter the user name jsmith@company.com it authenticates against the userPrincipalName attribute instead of the common name attribute.

Author Comment

by:meagain0707
ID: 34272467
I'm almost there... I think. I had to use the DBMS_LDAP package... More on Monday...

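The search-then-bind approach the thread ends on (look the typed name up by userPrincipalName or sAMAccountName under a service account, then bind as the DN that comes back with the user's own password), as an added PL/SQL example in the shape of an APEX custom authentication function; it is not code from the thread or from APEX, and the host, port, base DN and service account are assumptions. Because the DN is resolved from the username, the garbage-username-plus-valid-password case described above is rejected.

```plsql
create or replace function ldap_upn_auth (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    -- connection details are assumptions; the search base reuses the thread's tree
    l_host    constant varchar2(100) := 'dc01.company.com';
    l_port    constant pls_integer   := 389;
    l_base    constant varchar2(200) := 'OU=_Company,DC=company,DC=com';
    l_svc_dn  constant varchar2(200) := 'CN=svc-apex,OU=Users,OU=_Company,DC=company,DC=com';
    l_svc_pwd constant varchar2(100) := '<service-account-password>';  -- placeholder
    l_ld      dbms_ldap.session;
    l_attrs   dbms_ldap.string_collection;
    l_res     dbms_ldap.message;
    l_user_dn varchar2(1000);
    l_rc      pls_integer;
    -- RFC 4515: escape the characters that would change the meaning of the filter
    function esc(p in varchar2) return varchar2 is
    begin
        return replace(replace(replace(replace(p, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');
    end;
begin
    -- an empty password would make the final bind unauthenticated, which AD accepts
    if p_username is null or p_password is null then
        return false;
    end if;
    dbms_ldap.use_exception := true;
    l_ld := dbms_ldap.init(hostname => l_host, portnum => l_port);
    -- step 1: bind as a read-only service account and resolve the typed name to a DN
    l_rc := dbms_ldap.simple_bind_s(l_ld, l_svc_dn, l_svc_pwd);
    l_attrs(1) := 'distinguishedName';
    l_rc := dbms_ldap.search_s(l_ld, l_base, dbms_ldap.scope_subtree,
        '(|(userPrincipalName=' || esc(p_username) || ')(sAMAccountName=' || esc(p_username) || '))',
        l_attrs, 0, l_res);
    if dbms_ldap.count_entries(l_ld, l_res) != 1 then
        l_rc := dbms_ldap.unbind_s(l_ld);
        return false;  -- unknown or ambiguous account
    end if;
    l_user_dn := dbms_ldap.get_dn(l_ld, dbms_ldap.first_entry(l_ld, l_res));
    -- step 2: bind as the resolved DN with the user's own password; this is the real check
    l_rc := dbms_ldap.simple_bind_s(l_ld, l_user_dn, p_password);
    l_rc := dbms_ldap.unbind_s(l_ld);
    return true;
exception
    when others then  -- includes the LDAP "invalid credentials" error on a wrong password
        begin l_rc := dbms_ldap.unbind_s(l_ld); exception when others then null; end;
        return false;
end ldap_upn_auth;
```

In APEX, register the function as a custom authentication scheme's authentication function; the service account only needs read access to the user objects.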
Author Closing Comment

by:meagain0707
ID: 34315206
I know what I have to do now, so I'm closing this question. Thanks