Well, at this point essentially we need to just troubleshoot where the breakdown occurs. Here is what I would do to troubleshoot this:
1. Validate the SSL connection using LDP.exe. If you don't have this tool, you can download it from the AdminPak.msi on most servers or from Microsoft.
2. What you will need to do is choose Connection > Connect and type the name of the server (just the server name) and choose SSL. You might have to set the port to 636 or whatever port the SSL is listening on.
3. Next, choose Connection > Bind and the 'Simple Bind' option. Use your username and password. Make sure you don't get an error (remember your username should look like "CN=My Account,OU=blah..."). If you get an error, we know that the connection to the server is not correct yet.
4. Now, try a search by typing CTRL-S and enter your filter. Check what the error is, if any. If no error occurs, we should be able to search as well.

Since you are using .NET 2.0 we also have the option of skipping ADSI completely and using the native LDAP protocol via System.DirectoryServices.Protocols. This is a more complicated model than S.DS, but it should work with any LDAP directory. What do you get with the troubleshooting steps? LDP will give you much better error messages to troubleshoot this one.
Note that if you do not choose "Bind" (i.e. skip #3), you will be using an Anonymous connection.
```vb
Imports System
Imports System.DirectoryServices

Partial Class login
    Inherits System.Web.UI.Page

    Public Sub LDAP1()
        ' Path points straight at the user's own entry over SSL (port 636)
        Dim ldapPath As String = "LDAP://dbm.i2a2.purdue.edu:636/uid=sreiche,ou=authorize,dc=purdue,dc=edu"
        Dim qry As String = "(uid=sreiche)"
        ' Bind with the full DN as the username
        Dim de As DirectoryEntry = New DirectoryEntry(ldapPath, "uid=sreiche,ou=authorize,dc=purdue,dc=edu", "mypass", AuthenticationTypes.SecureSocketsLayer)
        Dim ds As DirectorySearcher = New DirectorySearcher(de, qry, New String() {"puid"})
        Dim sr As SearchResult = ds.FindOne()
        lblPost.Text = sr.Properties("puid")(0).ToString
    End Sub

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        LDAP1()
    End Sub
End Class
```
OK, so I found out the major reason this whole thing wasn't working. For some reason, my account was corrupt. Anyway, now that we have that fixed, I have made this work in ldp.exe.
In connection I put in "dbm.i2a2.purdue.edu" port 636. I bind with "uid=sreiche,ou=authorize,dc=purdue,dc=edu" and my pass. I then can do a search using "uid=sreiche,ou=authorize,dc=purdue,dc=edu" as my RDN and (uid=sreiche) as my filter. I thought that's what my code is doing. I know I need to bind before I can search, but I'm not sure my code is doing that I guess. I'm not sure how to do that. Anyway, hopefully this can be resolved soon. I feel so close.
That doesn't seem to work either. I also used the DN as my username in ldp.exe, so I believe that is right. I think I'm just missing something on the bind.
Yes, you have it pretty close. So, when you set the binding path to be your user account, the search filter starts searching there. In this case, you would expect only one result since you have bound to the object that you are trying to find. Also, can you search using Anonymous (no user or pass) over SSL using LDP.exe?
I have seen where only Anonymous searching works with ADSI and 3rd party LDAP directories.
Ok, so from a code standpoint, the following should work:
```csharp
// requires: using System; using System.DirectoryServices;
DirectoryEntry searchRoot = new DirectoryEntry(
    "LDAP://yourserver/OU=People,DC=....",
    "UID=YourAccount,OU=People,...",
    "Secret",
    AuthenticationTypes.SecureSocketsLayer
);
try
{
    object tmp = searchRoot.NativeObject; //force the bind
    //now try a search if no error
    using (searchRoot)
    {
        DirectorySearcher ds = new DirectorySearcher(
            searchRoot,
            "(uid=foo)" //the user name you are looking for
        );
        try
        {
            SearchResult sr = ds.FindOne();
            if (sr != null)
            {
                //we succeeded
            }
        }
        catch (Exception ex)
        {
            //this is our searching exception
        }
    }
}
catch (Exception ex)
{
    //check the exception here (the bind failed)
}
```
If you run this code and you are erroring out on the searching exception, then we only have two choices:
1. You need to find out if your LDAP server supports Anonymous searching over SSL (use LDP.exe to test this by not choosing Bind). It seems to be a bug or a fluke, but most times anonymous users can search with 3rd party LDAP.
- or -
2. You will need to write using LdapConnection objects in System.DirectoryServices.Protocols using pure LDAP calls. I guarantee this will work, but it is a little more complicated to use.
```vb
Imports System
Imports System.DirectoryServices

Partial Class login
    Inherits System.Web.UI.Page

    Public Sub LDAP1()
        Dim ldapPath As String = "LDAP://dbm.i2a2.purdue.edu:636/uid=sreiche,ou=identify,dc=purdue,dc=edu"
        Dim filter As String = "(uid=sreiche)"
        ' Empty username/password = anonymous bind; the DN version is commented out
        Dim username As String = "" '"uid=sreiche,ou=identify,dc=purdue,dc=edu"
        Dim passwrd As String = ""
        Try
            Dim de As DirectoryEntry = New DirectoryEntry(ldapPath, username, passwrd, AuthenticationTypes.SecureSocketsLayer)
            Dim temp As Object = de.NativeObject ' force the bind
            Dim ds As DirectorySearcher = New DirectorySearcher(de, filter)
            Try
                Dim sr As SearchResult = ds.FindOne()
                If Not sr Is Nothing Then
                    lblPost.Text = sr.Properties("puid")(0).ToString
                End If
            Catch ex2 As Exception
                ' searching exception
                lblPost.Text = ex2.ToString
            End Try
        Catch ex As Exception
            ' bind exception
            lblPost.Text = ex.ToString
        End Try
    End Sub

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        LDAP1()
    End Sub
End Class
```
I tried to convert that to C#. I'm pretty sure that's right. So I have two problems. First, I get an error on the de.NativeObject: "The server is not operational". If I comment that out, I get the same error on the .FindOne line. Nothing seems to have changed.
Also, I tried in ldp.exe to just connect (using SSL) and then search without binding. It worked, kind of. I was able to search and get back some properties, but not all, and I really need some of those that I didn't get back. Ideally this is going to be used to validate a user/pass anyway and I thought binding was the way to do that. So I guess from your last post, I'm going to have to go this other route if we can't get this working. Is there any sample code out there that will get me started?
Ok, let's try something here. You want to use a pattern where we first connect to the directory anonymously to find the user account you are looking for. Next, we bind to that account using the username and password (not by searching), and finally access the attributes we are interested in. I have a post here somewhere that showed how to do it.
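The three-step pattern just described (anonymous search for the DN, bind as that DN with the password, then read the attributes), written against System.DirectoryServices.Protocols, the LdapConnection route mentioned earlier in the thread as the alternative to ADSI. This is an added example, not code from any post in the thread or from Purdue; it assumes the host, base DN and puid attribute named in the posts, LDAPS on port 636, and a server that returns result code 49 for a wrong password.

```csharp
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;
// Added example (not the thread's code): anonymous DN lookup, bind as that DN, read attributes.
public static class LdapsAuthenticator
{
    const string Host = "dbm.i2a2.purdue.edu";            // from the thread
    const string BaseDn = "ou=identify,dc=purdue,dc=edu";   // from the thread
    const string ReturnAttr = "puid";                       // from the thread
    // RFC 4515 escaping: a raw uid pasted into the filter would be an LDAP injection vector.
    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
            sb.Append(c == '\\' ? "\\5c" : c == '*' ? "\\2a" : c == '(' ? "\\28"
                    : c == ')' ? "\\29" : c == '\0' ? "\\00" : c.ToString());
        return sb.ToString();
    }
    // Returns the user's puid, or null for an unknown user or a wrong password.
    public static string Authenticate(string uid, string password)
    {
        // RFC 4513 5.1.2: DN + empty password is an *unauthenticated* bind many servers accept.
        if (string.IsNullOrEmpty(uid) || string.IsNullOrEmpty(password)) return null;
        using (LdapConnection conn = new LdapConnection(new LdapDirectoryIdentifier(Host, 636)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;   // LDAPS, as the server on 636 expects
            // Leave SessionOptions.VerifyServerCertificate unset: the default chain and name
            // check is what keeps the bind password from going to an impostor server.
            // Step 1: anonymous search resolves uid -> DN (what ldp.exe did without Bind).
            conn.AuthType = AuthType.Anonymous;
            conn.Bind();
            SearchRequest find = new SearchRequest(BaseDn,
                "(uid=" + EscapeFilterValue(uid) + ")", SearchScope.Subtree, "1.1");
            SearchResponse found = (SearchResponse)conn.SendRequest(find);
            if (found.Entries.Count != 1) return null;   // unknown or ambiguous user
            string userDn = found.Entries[0].DistinguishedName;
            // Step 2: simple bind as that DN; invalid credentials raise LdapException code 49.
            conn.AuthType = AuthType.Basic;
            try { conn.Bind(new NetworkCredential(userDn, password)); }
            catch (LdapException ex) { if (ex.ErrorCode == 49) return null; throw; }
            // Step 3: read the attribute as the bound user (anonymous reads may omit it).
            SearchRequest read = new SearchRequest(userDn, "(objectClass=*)", SearchScope.Base, ReturnAttr);
            SearchResultEntry entry = ((SearchResponse)conn.SendRequest(read)).Entries[0];
            if (!entry.Attributes.Contains(ReturnAttr)) return null;
            return (string)entry.Attributes[ReturnAttr].GetValues(typeof(string))[0];
        }
    }
}
```

The empty-password check matters in exactly this scenario: with a DN as username and no password, most directories complete the bind as anonymous, and a page that only checks "the bind did not throw" would log the user in.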
Are you absolutely sure using LDP.exe and the standard 389 port (non-SSL) that you cannot search? Also, when you say you did not get all the attributes you were looking for using LDP.exe before, you did remember to ask for them using the Options button and the Attributes field, right?
Note: when you see 'using (DirectoryEntry)' in C#, you should equate that to a Try/Finally where in the Finally block we call DirectoryEntry.Dispose().
I'll write that code out. Just wanted to let you know that if I do not use SSL (389), I can search, but I do not get those properties, just like when I use SSL and do not bind. When I am not using SSL though, I cannot bind. I assume they will not authorize credentials that aren't sent over SSL.
Re: Unknown Error - talking to LDAP not AD
dunnry, Oct 17, 2005 09:28 PM: the LDP.exe troubleshooting steps quoted at the top of this page.
PurdueGuy, Oct 19, 2005 01:17 PM: the first VB.NET version and the ldp.exe results quoted above.
Thanks for all your help!!!
leefranke, Oct 19, 2005 02:26 PM
I think it should be
```vb
Dim de As DirectoryEntry = New DirectoryEntry(ldapPath, "sreiche", "mypass", AuthenticationTypes.SecureSocketsLayer)
```
The second parameter is just your username, not your Distinguished Name.
HTH,
lee
PurdueGuy, Oct 19, 2005 04:49 PM
leefranke, Oct 19, 2005 06:52 PM
Have you tried putting the domain in front of the username? Like "domain\username"
Have you tried different AuthenticationTypes?
dunnry, Oct 19, 2005 07:34 PM: the C# bind-then-search sample and the two remaining options quoted above.
PurdueGuy, Oct 19, 2005 08:07 PM: the second VB.NET version (anonymous bind) and the "The server is not operational" results quoted above.
Thanks again!
dunnry, Oct 19, 2005 08:10 PM
This is not an AD directory, so the username will be a DN and the only valid auth types will be .None or .SecureSocketsLayer.
dunnry, Oct 19, 2005 08:55 PM: the question about searching on port 389 and the note on using (DirectoryEntry), quoted above.
PurdueGuy, Oct 19, 2005 09:08 PM
I'll get back to you when I have the VB done.