Solved

Ldap authentication is working for one user but doesn't work with the %LDAP_USER%

Posted on 2010-11-26
Last Modified: 2012-05-10
Ldap authentication is working for one user with this string.

cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com

But not with

cn=%LDAP_USER%,OU=Users,OU=_company,DC=company,DC=com
Is there some thing to setup on the Active Directory side or on the Apex side?

Question by:meagain0707
14 Comments
 
LVL 79

Accepted Solution

by:
arnold earned 1002 total points
ID: 34218894
The real question is what %LDAP_USER% translates to: is it really seen as a variable that gets evaluated/replaced first with the correct term prior to submitting the query to AD? Check the security log on the DCs and see what information is presented for these queries.
0
 

Author Comment

by:meagain0707
ID: 34218926
Thanks, I will check this on Monday, as I don't have access today.
0
 
LVL 4

Assisted Solution

by:shudman
shudman earned 498 total points
ID: 34226646
Also, are you sure it is cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com
 and not:
cn=Jay Smith,CN=Users,OU=_company,DC=company,DC=com

Note the CN instead of OU!

I don't know anything about Apex... but do you even need the %%'s around the variable? In VBScript, as long as the variable is defined previously, you just place the variable in the path:

myVal = "cn=" & LDAP_USER & ",cn=Users,OU=_company,DC=company,DC=com"
0
 

Author Comment

by:meagain0707
ID: 34270895
Hi shudman,

It is OU, when I change it to OU it does work at all. Thanks though.
0
 
LVL 4

Expert Comment

by:shudman
ID: 34270923
OU or CN does or doesn't work ?
0
 

Author Comment

by:meagain0707
ID: 34270944
Hi Arnold,

It translates to the full name. So if I enter Joe Smith as the user name with the password it works. I want to authenticate so the user can enter jsmith@email.com. This is called the userPrincipalName. Any ideas on how to do that? We are using Apex 4.
0
 

Author Comment

by:meagain0707
ID: 34270971
Hi shudman,

Sorry,  when I change it to CN it does work at all.
0
 

Author Comment

by:meagain0707
ID: 34270976
Hi shudman,

Sorry,  when I change it to CN it doesn't -  'does not ' work at all.
0
 
LVL 4

Expert Comment

by:shudman
ID: 34271000
OK. Can you pipe out/display the value of %LDAP_USER% before you get to the cn= string in your code? What is the value?
0
 

Author Comment

by:meagain0707
ID: 34271179
I don't know how to do that.

The documentation states:

Under LDAP Settings, enter the LDAP configuration parameters. LDAP Host, LDAP Port, and LDAP DN string are required. Obtain the correct values for these from an administrator, if necessary. You must replace the username component of the DN string with the placeholder '%LDAP_USER%'. For example, if an actual DN string for user 'joe' would be:

cn=joe,l=amer,dc=oracle,dc=com

Enter the following for the LDAP DN String parameter:

cn=%LDAP_USER%,l=amer,dc=oracle,dc=com

The engine will take the value of upper(p_username) passed to the login API and replace %LDAP_USER% with it before making the call to DBMS_LDAP.SIMPLE_BIND_S.

The  Systems Administrator gave me this information:

CN=Joe Smith,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

I'm using

cn=%LDAP_USER%,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

 and this works when I use the username  Joe Smith

I would like to use either jsmith or jsmith@company.com. I don't see where I can change the authentication to use userPrincipalName (jsmith@company.com).

I will keep searching and reading Thanks.


0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 1002 total points
ID: 34272098
user@domain will likely need to use a strip mechanism since the domain is part of the string.
i.e. jsmith@domain.com will have the domain.com stripped out of the realm

You can try instead of %LDAP_USER% use %LDAP_USER:@company.com=%
This will strip out the @company.com if included prior to sending the data to the LDAP server as a query and should work.


0
 

Author Comment

by:meagain0707
ID: 34272166
Thanks arnold, I tried but it didn't work. The problem is, the %LDAP_USER% must look up the 'Full name' and then check the password. I tried this too: removed the %LDAP_USER% and put back the Joe Smith. When I tested the login I used 'j9r7q49ty9-garbage' for the user name and the correct password for Joe Smith and it worked.

There must (?), rather, might be a way to change it so it looks up the userPrincipalName (jsmith@company.com) attribute instead of the common name attribute. So when you enter the user name jsmith@company.com it authenticates against the userPrincipalName attribute instead of the common name attribute.
0
 

Author Comment

by:meagain0707
ID: 34272467
I'm almost there.... I think. I had to use DBMS_LDAP package.... More on Monday.....
0
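The author's last two comments (authenticating with the UPN, and the observation that a hard-coded cn= DN accepts any username as long as the password is Joe Smith's) both point at a custom APEX authentication function built on DBMS_LDAP. The following is an added example, not code from the thread, Oracle's docs or the asker's project; it assumes placeholder values for the AD host, port and UPN suffix, and it binds with the userPrincipalName directly instead of splicing the typed name into a cn= DN template.

```plsql
-- Added example: APEX 4 custom authentication function (p_username, p_password)
-- that authenticates against AD with userPrincipalName. Host, port and domain
-- below are placeholders, not values from the thread.
create or replace function custom_upn_auth (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    c_host    constant varchar2(100) := 'dc1.company.example';  -- placeholder
    c_port    constant pls_integer   := 389;                     -- placeholder
    c_domain  constant varchar2(100) := 'company.com';           -- UPN suffix
    l_session dbms_ldap.session;
    l_upn     varchar2(512);
    l_rc      pls_integer;
begin
    -- Refuse blank passwords before touching LDAP: a simple bind with an
    -- empty password is an anonymous bind and returns success.
    if p_username is null or trim(p_password) is null then
        return false;
    end if;

    -- Allow-list the login name (account name or name@domain). This keeps
    -- DN/filter metacharacters out of the bind identity; a cn=%LDAP_USER%
    -- template has no such check. The character set is a policy choice.
    if not regexp_like(p_username, '^[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?$') then
        return false;
    end if;

    -- jsmith -> jsmith@company.com ; jsmith@company.com is used as typed
    l_upn := case when instr(p_username, '@') > 0 then p_username
                  else p_username || '@' || c_domain end;

    dbms_ldap.use_exception := true;
    l_session := dbms_ldap.init(c_host, c_port);
    begin
        -- AD accepts the UPN as the bind identity, so no DN lookup is needed
        -- and the typed username is the account that gets verified.
        l_rc := dbms_ldap.simple_bind_s(l_session, l_upn, p_password);
        l_rc := dbms_ldap.unbind_s(l_session);
        return true;
    exception
        when others then
            -- invalid credentials surface as ORA-31202 (LDAP result 49)
            begin
                l_rc := dbms_ldap.unbind_s(l_session);
            exception when others then null;
            end;
            return false;
    end;
end custom_upn_auth;
/
```

Register the function name under the authentication scheme's "Authentication Function Name"; with a fixed DN such as cn=Joe Smith,... the username field is never consulted, which is exactly what the 'j9r7q49ty9-garbage' test above showed.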
 

Author Closing Comment

by:meagain0707
ID: 34315206
I know what I have to do now, so I'm closing this question. Thanks
0
