LDAP authentication in Windows 2003 AD


#1

I am trying to authenticate a user against Windows 2003 AD. This is what I
have found so far, but whatever I do I get the error:
#<LDAP::ResultError: Invalid credentials>

This is my source code, which I picked up somewhere on the net:

require "ldap"

# Provides access to authenticate a user from LDAP using the user-provided
# user name and password
class MyLDAP < LDAP::Conn
  BASE_DN = "dc=mydomain,dc=com"
  PEOPLE_DN = "ou=users,dc=mydomain,dc=com"
  LDAP_HOST = "mydc"
  LDAP_PORT = 389
  PROTOCOL_VERSION = 3

  # sets up connection to LDAP server
  def initialize(host = LDAP_HOST, version = PROTOCOL_VERSION)
    super(host, LDAP_PORT)
    set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, version)
    return self
  end

  # Bind with the user supplied information
  def bind(mydn, pass)
    dn = "uid=" + mydn + "," + PEOPLE_DN
    super(dn, pass)
  end
end

# ** user.rb **

# Takes user login name and password and connects to LDAP
def login(login, password)
  if password == ''
    return false
  end
  begin
    conn = MyLDAP.new.bind(login, password)
  rescue => e
    puts e.inspect
    return false
  end
  # read the bind state before unbinding; a return before unbind would leave
  # the connection open
  bound = conn.bound?
  conn.unbind
  bound
end

puts login('myusr', 'mypwd')

puts login(‘myusr’,‘mypwd’)

Is there anything that needs to be set on the Windows server?

Help please.

by
TheR


#2

Suggestion: first eliminate Ruby from the equation, by getting an
“ldapsearch” command line to bind successfully to your Windows LDAP
server.

If you have problems here, you will be able to go to a
Windows/AD-specific forum, who will know about LDAP but not about Ruby.

Once you have this working, it should be straightforward to port the
ldapsearch command line to the corresponding Ruby API calls.


#3

Brian C. wrote:

Suggestion: first eliminate Ruby from the equation, by getting an
“ldapsearch” command line to bind successfully to your Windows LDAP
server.

Could you post some simple, quick query showing how to do it? The net is full
of very complicated examples.

by
TheR


#4

On 24 October at 13:53, Damjan R. wrote:

Brian C. wrote:

Suggestion: first eliminate Ruby from the equation, by getting an
“ldapsearch” command line to bind successfully to your Windows LDAP
server.

Could you post some simple, quick query showing how to do it? The net is full
of very complicated examples.

Well, it's not always simple. With an OpenLDAP setup:

ldapsearch -x                                          # simple bind
  -W                                                   # ask for pwd
  -P3                                                  # LDAPv3
  -H 'ldap://vodka/'                                   # ldap url
  -b 'dc=mims,dc=be'                                   # root
  -D 'cn=fred,ou=users,ou=liege,dc=mims,dc=be'         # bind user
  -s 'subtree'                                         # scope
  cn=fred                                              # search string
  cn                                                   # attributes

You may have to tweak the authentication options, though.

(I believe you can install OpenLDAP ldapsearch on windows boxen,
probably with cygwin.)

Fred


#5

On Fri, Oct 24, 2008 at 6:15 AM, F. Senault removed_email_address@domain.invalid wrote:

Well, it's not always simple. With an OpenLDAP setup:

I was having trouble authenticating against 2003 in the past. I fixed it by
submitting the full email address for the account as the login. I believe
it has to be in the form of removed_email_address@domain.invalid


"Hey brother Christian with your high and mighty errand, Your actions speak
so loud, I can't hear a word you're saying."

-Greg Graffin (Bad Religion)


#6

And then in a desperate attempt (when I was searching for something
completely different) I stumbled upon this:


gem install ruby-net-ldap

require 'rubygems'
require 'net/ldap'

ldap = Net::LDAP.new
ldap.host = 'mydc'
ldap.port = 389
# the login is the account's UPN (user@domain), not a uid= DN
ldap.auth "removed_email_address@domain.invalid", "pwd"
if ldap.bind
  p 'authentication succeeded'
else
  p 'authentication failed'
end

and it works.

by
TheR


#7

On Fri, Oct 24, 2008 at 9:26 AM, Glen H. removed_email_address@domain.invalid wrote:

I was having trouble authenticating against 2003 in the past. I fixed it by
submitting the full email address for the account as the login. I believe
it has to be in the form of removed_email_address@domain.invalid

(Technically not email address, but UPN; which is generally what I use
instead of DN when working in AD-land.) I don’t have the net-ldap
code I am currently using handy, but here was an older example with
ruby-ldap:

http://www.nabble.com/Re:-Rails-and-Windows-Active-Directory-Authentication--p3055490.html

In that code, it was expected that the username was the user’s AD UPN.
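As an added illustration (this is not code from the thread or from net-ldap), the snippet below hand-encodes the LDAPv3 simple BindRequest that `ldap.auth "user@domain", "pwd"` puts on the wire and decodes the BindResponse that comes back, where resultCode 49 is the "Invalid credentials" error from the first post; it also refuses the empty-password case that the first post's login() guards against, since that would be an unauthenticated bind. The sample response bytes are constructed, and no server is contacted.

```ruby
# Added example (not from the thread): the LDAPv3 simple BindRequest that net-ldap's
# `ldap.auth` sends, and the BindResponse it gets back, BER-encoded by hand (RFC 4511).
# Short-form BER lengths only (< 128 bytes), enough for bind messages. No network used.
def tlv(tag, payload)                     # Tag-Length-Value with a short-form length
  payload = payload.to_s.b
  raise "payload too long for this example" if payload.bytesize >= 128
  [tag, payload.bytesize].pack("CC") + payload
end

def ber_int(i)                            # INTEGER, small values only (0..127)
  tlv(0x02, [i].pack("C"))
end

# LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pwd } }.
# `name` is what AD accepts: a UPN such as user@mydomain.com, or the account's full DN.
def simple_bind_request(message_id, name, password)
  raise ArgumentError, "empty name would be an anonymous bind" if name.to_s.empty?
  # An empty password turns this into an *unauthenticated* bind (RFC 4513 5.1.2), which a
  # server may answer with success; that is why the first post's login() rejects it early.
  raise ArgumentError, "empty password would be an unauthenticated bind" if password.to_s.empty?
  bind = tlv(0x60, ber_int(3) + tlv(0x04, name) + tlv(0x80, password))
  tlv(0x30, ber_int(message_id) + bind)
end

LDAP_RESULT = { 0 => "success", 49 => "invalidCredentials", 53 => "unwillingToPerform" }
def read_tlv(buf, off)                    # one TLV at byte offset off -> [tag, value, next]
  tag, len = buf.getbyte(off), buf.getbyte(off + 1)
  raise "long-form length not handled" if len.nil? || len >= 0x80
  [tag, buf.byteslice(off + 2, len), off + 2 + len]
end

# LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }
def parse_bind_response(buf)
  tag, body, _ = read_tlv(buf, 0)
  raise "not an LDAPMessage" unless tag == 0x30
  _, id, off = read_tlv(body, 0)
  op_tag, op, _ = read_tlv(body, off)
  raise "not a BindResponse" unless op_tag == 0x61
  _, rc, off = read_tlv(op, 0)
  _, matched, off = read_tlv(op, off)
  _, diag, _ = read_tlv(op, off)
  { id: id.getbyte(0), code: rc.getbyte(0), name: LDAP_RESULT.fetch(rc.getbyte(0), "other"),
    matched_dn: matched, message: diag }
end

# Constructed sample of a DC's answer to a bind with a DN it cannot resolve (the
# uid=... form from the first post): resultCode 49, the "Invalid credentials" error.
SAMPLE_INVALID_CREDS = tlv(0x30, ber_int(1) + tlv(0x61,
  tlv(0x0a, [49].pack("C")) + tlv(0x04, "") + tlv(0x04, "invalid credentials (constructed sample)")))
```

Dumping `simple_bind_request(1, "myusr@mydomain.com", "mypwd")` beside a packet capture of the net-ldap call makes the UPN-versus-DN difference visible as the `name` octet string.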


#8

Sorry Damjan, I didn’t read your first message closely enough. Had I
noticed you weren’t using net-ldap I would have suggested you do so. It
works great for me with all things AD and LDAP (all things I’ve done
anyway).

On Tue, Oct 28, 2008 at 7:43 AM, Damjan R. removed_email_address@domain.invalid wrote:

and it works.

by
TheR

Posted via http://www.ruby-forum.com/.
