  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2622

Problem with Active Directory authentication using CFLDAP

I am trying to implement Active Directory login using cfldap, but for some reason it keeps giving me a login failed error even when I enter the correct login.


I am not that familiar with LDAP; this is my first time, please HELP!!!!

See the code below. I have my form on index.cfm and the action is login.cfm. I have also written some comments; please read them and tell me if I am doing anything wrong there.
<!---login.cfm ####### --->

<cfparam type="string" name="LoginMessage" default="">

     <cfldap action="Query"
      	 name="GetUserInfo"
      	 attributes="dn"
      	 start="dc=test,dc=test,dc=edu"
      	 Scope="subtree"
      	 filter="(&(objectclass=user)(samaccountname=#form.cfUserName#))"
      	 server="test.test.edu"
      	 Port="389"
      	 username="testUser"
      	 password="********">

<!--- 
I am using a service account for the username and the correct password. When I do a cfdump to make sure I can connect to the LDAP server it looks fine; I do get a dump using --->

<cfdump var="#getuserinfo#"> 

<!--- here I am checking whether I have a record --->

<cfif getuserinfo.recordcount gt 0>

<!--- here I'm outputting the number --->
  <cfoutput>#getuserinfo.recordcount#</cfoutput>

<!--- here I'm passing the username and password to match against LDAP, but I keep getting an error saying Authentication Failed. I know that I am entering the right password. I think I may need something else in here. It keeps complaining about the line with 'filter' --->

 	<cftry>
      <cfldap action="Query"
      	 name="AuthenticateUser"
      	 attributes="dn,cn,givenname,SamAccountName,mail"
      	 start="dc=test,dc=test,dc=edu"
      	 maxrows="1"
      	 Scope="subtree"
      	 filter="(&(objectclass=user)(samAccountName=#form.cfUserName#))"
      	 server="test.test.edu"
      	 Port="389"
      	 username="#form.cfUserName#"
      	 password="#form.cfPassword#">
      	
      	<cfset LoginMessage = "User Authentication Passed">
          	 
        <cfcatch type="any">
          	 <cfset LoginMessage = "User Authentication Failed">
        </cfcatch>
 	 </cftry>  
 <cfelse>
   	 <cfset LoginMessage = "Username not found"> 
</cfif>

Asked by khan02

1 Solution
 
dgrafxCommented:
I imagine you are just testing, but you will get a failure when trying to log in to test.edu - unless there really is such a thing.
Let's say the domain is:
<cfset thisDomain="mywebsite.com">
The following username & password are from an account that has permission to query LDAP - usually just an AD admin of some sort.
<cfset authUsername="me">
<cfset authPassword="123">

<!--- start is built from every label of the domain, so campus.nyu.edu becomes dc=campus,dc=nyu,dc=edu --->
<cfldap action="QUERY"
name="GetUserInfo"
attributes="*"
start="dc=#replace(thisDomain, ".", ",dc=", "all")#"
scope="SUBTREE"
server="#thisDomain#"
port="389"
timeout="60"
filter="(&(objectClass=user)(sAMAccountName=#trim(form.cfUserName)#))"
username="#thisDomain#/Users/#authUsername#"
password="#authPassword#"
rebind="Yes">
 
khan02Author Commented:
In my source code I am using a real domain with a service account and password. I do get connected to the LDAP host. But the real problem starts on the following query, when I try to authenticate after successfully getting connected to the LDAP host. I am posting my code again, see below!!!!!



<cfif getuserinfo.recordcount gt 0>

<!--- here I'm outputting the number --->
  <cfoutput>#getuserinfo.recordcount#</cfoutput>

<!--- here I'm passing the username and password to match against LDAP, but I keep getting an error saying Authentication Failed. I know that I am entering the right password. I think I may need something else in here. It keeps complaining about the line with 'filter' --->

       <cftry>
      <cfldap action="Query"
             name="AuthenticateUser"
             attributes="dn,cn,givenname,SamAccountName,mail"
             start="dc=test,dc=test,dc=edu"
             maxrows="1"
             Scope="subtree"
             filter="(&(objectclass=user)(samAccountName=#form.cfUserName#))"
             server="test.test.edu"
             Port="389"
             username="#form.cfUserName#"
             password="#form.cfPassword#">
            
            <cfset LoginMessage = "User Authentication Passed">
                
        <cfcatch type="any">
                 <cfset LoginMessage = "User Authentication Failed">
        </cfcatch>
        </cftry>  
 <cfelse>
          <cfset LoginMessage = "Username not found">
</cfif>
 
khan02Author Commented:
Here is the error message:


Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 ]

6 :              start="dc=campus,dc=nyu,dc=edu"
7 :              Scope="subtree"
8 :              filter="(&(objectclass=user)(samaccountname=#trim(form.cfUserName)#)"
9 :              server="campus.nyu.edu"
10 :              Port="389"

-----------------------------
coldfusion.tagext.net.LdapTag$InvalidCredentialsException: Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 ]
      at coldfusion.tagext.net.LdapTag.do_ActionQuery(LdapTag.java:901)
      at coldfusion.tagext.net.LdapTag.doStartTag(LdapTag.java:616)
      at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722)
      at cflogin2ecfm553492490.runPage(C:\ColdFusion9\wwwroot\CFtest\ldap\login.cfm:8)
      at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231)
      at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416)
      at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
      at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:363)
      at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)

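The error above is the standard Active Directory response to a failed simple bind: LDAP result code 49 (invalidCredentials) plus an AD-specific `data` sub-code, here 52e. As an added example that is not code from the thread (and in Python rather than CFML so it runs stand-alone), the following parses that message shape and maps the sub-code to a reason, which is what a login audit log needs in order to tell lockouts and disabled accounts apart from ordinary wrong passwords. The sub-code table is AD's documented set; the function names and the two extra sample messages are constructed for the example. Note that 52e is also what AD returns when the bind name itself is not in a form it can resolve, which is what happened in the thread: a bare sAMAccountName with the right password.

```python
import re

# Active Directory sub-codes that accompany LDAP result code 49 (invalidCredentials)
# in the "AcceptSecurityContext error, data NNN" comment. The codes are AD's; the
# reason strings are this example's wording.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or a bind name AD could not resolve)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_CODE_RE = re.compile(r"LDAP: error code (\d+)")
_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]{3})")


def classify_bind_error(message):
    """Map a cfldap/JNDI bind error string to (ldap_code, ad_subcode, reason).

    ldap_code is an int or None; ad_subcode is the three-hex-digit data field
    (lower-cased) or None when the server sent no AD comment.
    """
    code_m = _CODE_RE.search(message)
    ldap_code = int(code_m.group(1)) if code_m else None
    sub_m = _SUBCODE_RE.search(message)
    ad_subcode = sub_m.group(1).lower() if sub_m else None
    if ldap_code != 49:
        return ldap_code, ad_subcode, "not an invalidCredentials (49) error"
    reason = AD_BIND_SUBCODES.get(ad_subcode, "invalid credentials (no AD sub-code present)")
    return ldap_code, ad_subcode, reason


def summarize(messages):
    """Count failures per reason: the roll-up a login audit needs so that a burst
    of 775 (lockouts) or 533 (disabled accounts) stands out from plain 52e failures."""
    counts = {}
    for m in messages:
        reason = classify_bind_error(m)[2]
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed samples: the first is the message quoted in the thread, the other
# two are made up in the same shape to exercise the remaining branches.
SAMPLE_MESSAGES = [
    "Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52e, v1db0 ]",
    "Authentication failed:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 775, v1db0 ]",
    "[LDAP: error code 32 - No Such Object]",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify_bind_error(m))
    print(summarize(SAMPLE_MESSAGES))
```

In the thread's login.cfm the whole failure collapses into the string "User Authentication Failed" inside the cfcatch; logging the parsed sub-code there (without echoing it to the user) is what lets an operator see a lockout or disabled account instead of a generic failure.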
 
dgrafxCommented:
Use what I posted (except change the start line to start="dc=campus,dc=nyu,dc=edu").
 
khan02Author Commented:
I am not sure if you are reading my comments, but as I told you, I don't have any problem with the first query to get UserInfo; the only problem I am having is with the second query.
 
dgrafxCommented:
Not sure if you are reading my comments ...
You said you are a beginner in LDAP.

You are not using what I told you to use!
You seem to be using a user (not an admin) as username & password.
This will fail every time!

I don't get what you are thinking???

Maybe this is it: all your LDAP queries will be the same for the most part - miscellaneous things may be different, like attributes ...
but EVERY TIME you need the username & password to be that of an authorized admin (authorized to query LDAP by AD), NOT some user that you're trying to get info on.

And besides that - WHY are you querying twice?
Querying once - then again for what reason?
IF you were returning several records from the first query and then looping to return more info on each - that may be cool - but it doesn't look like you're doing that either, so ???

 
dgrafxCommented:
I was just cooking dinner and thought of this ...

I'm wondering if this is what you're thinking:
Let's say you want to log on to a remote machine via Remote Desktop.
You first connect, then enter credentials, and then you are in.
You can now start doing stuff on that machine without continually entering a username / password.
This is NOT what LDAP is like!
You do NOT "log on" and then you are all set and can do other stuff!
Each LDAP connection must provide authentication via username & password and is NOT persistent for the next LDAP connection!
It's like the above Remote Desktop example if you needed to send a username & password for every single thing you did.

Re-read my above posts - they are 100% accurate - I am not a beginner with LDAP.
The first example I copied from live production code, and it is all you need.

THEN
Let's say you actually use the code I posted.
Then you dump the query - WHAT are you looking for that isn't there?
That may be where you are mis-thinking this.
 
khan02Author Commented:
On my first query, I did use the admin username and password, which works fine (same code as you posted after), and when I dump the query, it does give me output. But as I told you, I am having the problem on my second query; I don't understand why I should use the admin username and password, since my users are going to enter their own username and password.

But guess what, I have found the solution on other online blogs. On my second query, the problem is that you have to provide the full DN in the 'username' attribute.

<cftry>
      <cfldap action="Query"
             name="AuthenticateUser"
             attributes="dn,mail,givenname,sn,samaccountname,memberof"
             start="dc=mytest,dc=domain,dc=edu"
             Scope="subtree"
             filter="(&(objectclass=user)(samAccountName=#trim(form.cfUserName)#))"
             server="mytest.domain.edu"
             Port="389"
             username="#trim(form.cfUserName)#@mytest.domain.edu"
       password="#trim(form.cfPassword)#">
            
            <cfset LoginMessage = "User Authentication Passed">
                
        <cfcatch type="any">
                 <cfset LoginMessage = "User Authentication Failed">
        </cfcatch>
        </cftry>

Thank you anyway, for trying to resolve this.
        
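The accepted fix binds with `user@domain` (a userPrincipalName, which AD accepts as a simple-bind name) instead of a bare account name. As an added example that is not the thread's code, and in Python rather than CFML so it can run on its own, here are the three string-building steps from the thread done defensively: the lookup filter with the form value escaped per RFC 4515 (the thread's code interpolates `form.cfUserName` straight into the filter, so a `*`, `(` or `)` typed into the login form would change the filter's structure instead of being matched literally), the `dc=` base DN built from every label of the domain (so `campus.nyu.edu` becomes `dc=campus,dc=nyu,dc=edu`, the start line the thread had to hand-edit), and the bind name with an allow-list check in front of it. The function names and the allow-list pattern are this example's assumptions, not AD's or ColdFusion's rules.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter. Any of these
# characters typed into the login form would otherwise change the filter's structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Conservative allow-list for what we accept as an account name before it is used
# anywhere. This is the example's own assumption, not AD's full sAMAccountName rule.
_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


def escape_filter_value(value):
    """Escape one assertion value for use inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(account_name):
    """The thread's lookup filter, with the form value trimmed and escaped."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(account_name.strip())


def base_dn_from_domain(domain):
    """Turn campus.nyu.edu into dc=campus,dc=nyu,dc=edu, keeping every label."""
    labels = [lab for lab in domain.strip().lower().split(".") if lab]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("dc=%s" % lab for lab in labels)


def bind_name(account_name, domain):
    """Build the user@domain bind name the accepted answer uses (a userPrincipalName).

    Rejects anything that is not a plain account name, so a value containing '@',
    a backslash or filter metacharacters never reaches the directory as a bind identity.
    """
    name = account_name.strip()
    if not _ACCOUNT_RE.match(name):
        raise ValueError("not a plain account name: %r" % name)
    return "%s@%s" % (name, domain)


if __name__ == "__main__":
    # Constructed inputs; the second shows the escaping at work.
    print(user_filter("jdoe"))
    print(user_filter(" j*doe) "))
    print(base_dn_from_domain("campus.nyu.edu"))
    print(bind_name("jdoe", "mytest.domain.edu"))
```

The same two checks apply in CFML: run the form value through the allow-list before it is used, and escape it before interpolating it into `filter`; the bind itself (the second cfldap with the user's own credentials) is what actually proves the password, so the first lookup query is only needed for the attributes you want back.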
 
khan02Author Commented:
I'm giving credit to myself, because I found the solution by asking my co-workers for help and a few other blog sites.
 
dgrafxCommented:
OK - cool - I've never done that.

What people usually do is have a service account that the web app uses for LDAP queries,
and to authenticate you can query for that as well, but it's the service account that is used for username / password.

Just FYI and good luck ...
