> Yes I can connect to that port (via telnet anyway). How do I make an anonymous request like that (sorry for n00b question)
Depends on the tools available to you. If you have a Windows machine, you can go to my website (www.joeware.net) and look for adfind.exe, which is a command line LDAP query tool designed with AD in mind. You would want to use a command like:

adfind -hh hostname -rootdseanon

Also, if the LDAP port is open, you can try connecting via that with your ID and get the LDAPS stuff out of the way of the testing to validate you have a good ID:

adfind -hh hostname -rootdse -u credential -up password -simple

> Would that be cn=username, dc=au,dc=com,dc=xyz ?

Probably not. The user IDs usually aren't stored in the root of the LDAP directory, and there is no telling what they used for the RDN of the user object. Most companies, unfortunately, don't use username as the RDN value; they are usually using a display name of some sort (yes I know, stupid, but it is influenced by the default MSFT provisioning tools and Exchange).

Overall I really think you need to contact the admins of the directory and ask them for some help. At least the bind info. :)

joe

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net

-----Original Message-----
From: Peter Hawkins [mailto:[email protected]]
Sent: Monday, March 05, 2012 8:12 PM
To: joe
Cc: 'Linus van Geuns'; [email protected]
Subject: Re: [ldap] Re: *****SPAM***** LDAPS Connection difficulties

Hi Joe and thanks

> Yes Active Directory supports TLS. You can check for the OID in supportedExtension of the RootDSE to validate that the specific server you are querying supports it. It is available anonymously assuming you can get to port 389. Look for 1.3.6.1.4.1.1466.20037 (LDAP_SERVER_START_TLS_OID). This goes back to at least Windows Server 2003 TMK.

Yes I can connect to that port (via telnet anyway). How do I make an anonymous request like that (sorry for n00b question)

> The user principal name default is indeed loginname@dnsdomain...
> However, that can be overridden, I would verify with the admins that
> the userPrincipalName attribute hasn't been set to something else.

Thanks for that tip. I'll ask them about their UPN.

> You should also be able to use the full DN if you know that or domain
> \userid as well.

Would that be cn=username, dc=au,dc=com,dc=xyz ? (I have tried that but I got "implementation specific error".) I don't really have any experience with LDAP DNs.

> I am uncertain of what you are working with, but if you have the
> ability to ignore the server cert you can see if doing that gets you
> your connection,

I can access ldap.conf and can tell it to ignore the cert. If I do, I get the "invalid credentials" error; if not, I get the "Implementation specific error". I'm guessing there is an issue with both the cert AND the DN as well, but I'm lost as to how to resolve it and am using guesswork :(
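The two checks discussed in this thread (an anonymous RootDSE read for the Start TLS OID, then a bind that separates a certificate problem from a bad identity) can be scripted with the OpenLDAP client tools that the ldap.conf mention suggests Peter is using. The script below is an added example and is not code from the thread or from joeware; the host, user and domain names are placeholders, the exit-code descriptions in describe_rc are my reading of ldapsearch's habit of exiting with the LDAP result code, and the DN form is deliberately left out because, as joe says, only the admins know what the RDN is.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenLDAP's ldapsearch is installed.
# Every host, user and domain name here is a placeholder.
#
# Two separate questions, kept separate on purpose:
#   1. Does this DC advertise Start TLS?  (anonymous RootDSE read on 389, no TLS needed)
#   2. Which identity form does the bind accept, and is the certificate the problem?

STARTTLS_OID='1.3.6.1.4.1.1466.20037'   # LDAP_SERVER_START_TLS_OID, as quoted in the thread

# Print the values of one attribute from LDIF on stdin.
# Handles LDIF line folding (a continuation line starts with a single space).
ldif_values() {
  awk -v attr="$1" '
    function flush() {
      if (buf == "") return
      n = index(buf, ":")
      if (n > 0 && substr(buf, 1, n - 1) == attr) {
        v = substr(buf, n + 1); sub(/^ +/, "", v); print v
      }
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }
    { flush(); buf = $0 }
    END { flush() }'
}

# Exit 0 if the RootDSE LDIF on stdin advertises Start TLS.
has_starttls() {
  ldif_values supportedExtension | grep -qx "$STARTTLS_OID"
}

# Question 1, live: anonymous RootDSE read. -x selects a simple bind and, with
# no -D/-W, that bind is anonymous; -s base -b '' selects the RootDSE itself.
rootdse_anon() {
  ldapsearch -LLL -x -H "ldap://$1" -s base -b '' supportedExtension
}

# Question 2, live: simple bind over Start TLS on 389. -ZZ makes ldapsearch fail
# rather than fall back to clear text if Start TLS is refused. The third argument
# is the TLS_REQCERT value: 'never' is the environment-variable twin of
# "TLS_REQCERT never" in ldap.conf and is only for telling a certificate failure
# apart from a bad identity; go back to 'demand' once the DC's CA cert is trusted.
bind_probe() {
  host=$1; binddn=$2; reqcert=${3:-demand}
  LDAPTLS_REQCERT="$reqcert" ldapsearch -LLL -x -ZZ -H "ldap://$host" \
      -D "$binddn" -W -s base -b '' dnsHostName
}

# Interpret ldapsearch's exit status (the LDAP result code; -1 shows up as 255).
# The wording is this example's interpretation, not text from the thread.
describe_rc() {
  case "$1" in
    0)   echo "bind accepted" ;;
    49)  echo "invalidCredentials: TLS was fine, the identity or password was not" ;;
    80)  echo "other (implementation specific): with TLS in play, check the certificate first" ;;
    255) echo "can't contact server: port, firewall, or the TLS handshake itself failed" ;;
    *)   echo "LDAP result code $1" ;;
  esac
}

# Identity forms AD accepts for a simple bind, in the order worth trying.
# A DN is not generated: only the admins know which RDN value they used.
bind_identities() {
  user=$1 dnsdomain=$2 netbios=$3
  printf '%s@%s\n' "$user" "$dnsdomain"        # userPrincipalName (default form)
  printf '%s\\%s\n' "$netbios" "$user"          # NetBIOS domain\user
}

# Usage: ./ldapcheck.sh --live dc01.example.com pete example.com EXAMPLE
if [ "${1:-}" = "--live" ]; then
  host=$2; user=$3; dnsdomain=$4; netbios=$5
  if rootdse_anon "$host" | has_starttls; then
    echo "$host advertises Start TLS"
  else
    echo "$host does not advertise Start TLS (try -H ldaps://$host:636 without -ZZ)"
    exit 1
  fi
  for id in $(bind_identities "$user" "$dnsdomain" "$netbios"); do
    bind_probe "$host" "$id" never >/dev/null 2>&1; rc=$?
    echo "$id -> $(describe_rc "$rc")"
  done
fi
```

Run the live branch once with 'never' to learn which identity form the DC accepts, then rerun bind_probe with 'demand' after installing the DC's issuing CA certificate (TLS_CACERT in ldap.conf); if the second run returns to the implementation-specific error, the certificate chain is the remaining problem, not the DN.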
