
Re: What is needed for a valid LDAP bind?



On Tue, 27 Mar 2001, Dave Brodin wrote:

> I've been having an argument with a vendor for many months over their
> supposed LDAP support.  They claim they are following the RFC
> standards.  However, I can't get it to work with OpenLDAP or Netscape
> Directory Server.  When I type in a username (test) and a password for
> that entry, I get the following line in the access log for Netscape
> Directory Server (or a similar line when running OpenLDAP in a verbose
> mode).
>
> [27/Mar/2001:15:40:50 -0500] conn=48 op=0 BIND dn="uid=test" method=128
> version=2
>
> The DN of the entry is uid=test,o=city.bloomington.in.us.

- That's a kind of odd DN, but you are correct. You need to specify
the full DN for a bind. Most software will allow you to define a
"default" container so at the UI level you only specify "uid=test",
but you have to send the server the full DN.

>
> Now it seems to me that this will always be doomed to failure on any
> LDAP server because it is not the full DN.  The company has only tested
> it with Microsoft Exchange, which I'm not familiar with.
>

- As far as I know Exchange is only an ldap client, not a server and
only in the latest version does it speak ldap. However, I suspect that
they really mean they tested against Windows 2000. From my experiences
with W2k, MS has made some progress in that you can use standards
compliant clients against their servers, but it's clear that their
market strategy is to force you to use w2k servers to support w2k
clients. There are "helpful" little tweaks all over the place that
pretty much force you to run w2k servers to support w2k clients. It
sounds like this company has taken advantage of those tweaks.

> The authentication screen only asks for the following:
>   LDAP Server: I gave the IP
>   Port Number: 389
>   Search Base: o=city.bloomington.in.us
>   Name Field: cn
>   E-Mail Field: mail
>   User ID Field: uid
>
> I'm ready to get rid of the product, but as I'm not terribly familiar
> with all the details of the RFC, I thought I'd ask here.  Any help or
> suggestions would be very appreciated.  The support staff of the vendor
> are idiots and don't seem to know much of anything about LDAP.
>

- Well, I'd guess you don't have an ldap product but a W2k one.
I'd run far far away if I were you.

- Booker C. Bense
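The search-then-bind flow the reply describes, as an added example that is not part of the thread: a simulated server that (like OpenLDAP or Netscape) only accepts a bind DN naming an existing entry, beside a client that resolves the short user ID under the search base first. The directory contents and passwords are constructed; nothing contacts a real server.

```python
# Added example, not code from the thread or from any vendor product.
# Simulates an LDAP simple bind and the search-then-bind flow a client must
# perform when it only collects a short user ID plus a search base.
from typing import Optional

SEARCH_BASE = "o=city.bloomington.in.us"   # values from the poster's screen
USER_ID_FIELD = "uid"

# Constructed in-memory directory: full DN -> attributes (plaintext
# userPassword only for the simulation).
DIRECTORY = {
    "uid=test,o=city.bloomington.in.us": {"uid": "test", "userPassword": "s3cret"},
    "uid=admin,o=city.bloomington.in.us": {"uid": "admin", "userPassword": "hunter2"},
}

def server_bind(dn: str, password: str) -> Optional[str]:
    """Simulated server. Returns the identity that got bound: the DN on
    success, '' for an anonymous bind (many servers treat a DN with an empty
    password as unauthenticated, RFC 4513 5.1.2), None on failure.
    dn='uid=test', as seen in the poster's access log, is not an entry."""
    if password == "":
        return ""
    entry = DIRECTORY.get(dn)
    ok = entry is not None and entry["userPassword"] == password
    return dn if ok else None

def find_dn(base: str, id_field: str, username: str) -> Optional[str]:
    """Subtree search equivalent to filter (id_field=username) under base.
    Exactly one match is required; zero or several means no usable DN."""
    matches = [dn for dn, attrs in DIRECTORY.items()
               if (dn == base or dn.endswith("," + base))
               and attrs.get(id_field) == username]
    return matches[0] if len(matches) == 1 else None

def vendor_style_login(username: str, password: str) -> bool:
    """What the access log shows: bind with the bare RDN and no search."""
    dn = f"{USER_ID_FIELD}={username}"
    return server_bind(dn, password) == dn

def correct_login(username: str, password: str) -> bool:
    """Resolve the full DN first, then bind with it. An empty password is
    refused before it reaches the server, so an anonymous bind can never be
    mistaken for a successful login."""
    if password == "":
        return False
    dn = find_dn(SEARCH_BASE, USER_ID_FIELD, username)
    return dn is not None and server_bind(dn, password) == dn

if __name__ == "__main__":
    print("vendor:", vendor_style_login("test", "s3cret"))  # False
    print("fixed: ", correct_login("test", "s3cret"))       # True
```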