
List:       forgerock-openam
Subject:    [OpenAM] Missing bind from OpenAM when using AD authentication module
From:       "Bernie Jones" <bernie () securityconsulting ! ltd ! uk>
Date:       2016-08-16 12:55:15
Message-ID: 00cd01d1f7bd$6f5e84c0$4e1b8e40$ () ltd ! uk


I've configured an Active Directory authentication module and am now trying
to test user authentication against it.

This has been configured as per the relevant doc'n.

However, when I try a login I get an authentication error reported.

Using Wireshark to trace packets between OpenAM and AD I see the following
in response to the ldapsearch from OpenAM:

LDAPMessage searchResDone(133) operationsError (000004DC: LdapErr:
DSID-0C0906E8, comment: In order to perform this operation a successful bind
must be completed on the connection., data 0, v1db1) [0 results]

If I look at the details of the ldapsearch itself there appears to be no
bind DN and credentials supplied even though these are configured in the AD
module definition.

The search parameters and filter are correct - but it seems no bind DN or
password is sent.

Any ideas please?

Thanks,

Bernie
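
Added example, not part of the original message and not OpenAM code: a small Python check that walks the BER-encoded LDAP messages of one connection and reports the bind state in effect when each searchRequest was sent, which is the condition behind the operationsError quoted above. It assumes the reassembled cleartext LDAP payload of a single TCP connection; the sample bytes, DNs, filter and password are constructed placeholders.

```python
BIND_REQ, BIND_RESP, SEARCH_REQ = 0x60, 0x61, 0x63   # protocolOp tags (RFC 4511)

def children(buf):
    """Split BER bytes into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                    # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated TLV")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def audit_connection(stream):
    """Return (messageID, bind state) per searchRequest; stream is one connection in capture order."""
    state, pending, findings = "no bind", None, []
    for _, ldap_msg in children(stream):
        (_, msg_id), (op, body) = children(ldap_msg)[:2]
        if op == BIND_REQ:
            _version, (_, name), (auth, cred) = children(body)[:3]
            if auth != 0x80:                 # [3] sasl instead of [0] simple
                pending = "SASL bind"
            elif name and cred:
                pending = "bound as " + name.decode()
            else:                            # empty DN or password asserts no identity
                pending = "anonymous bind"
            state = "no bind"                # nothing is authenticated until the bind succeeds
        elif op == BIND_RESP:                # first element is resultCode, 0 = success
            state = pending if pending and children(body)[0][1] == b"\x00" else "no bind"
        elif op == SEARCH_REQ:
            findings.append((int.from_bytes(msg_id, "big"), state))
    return findings

def tlv(tag, *parts):                        # short-form encoder for the samples below
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def ldap_message(msg_id, op):
    return tlv(0x30, tlv(0x02, bytes([msg_id])), op)

# Constructed sample traffic: DNs, filter and password are placeholders.
SEARCH = tlv(SEARCH_REQ, tlv(0x04, b"dc=example,dc=com"), tlv(0x0A, b"\x02"),
             tlv(0x0A, b"\x00"), tlv(0x02, b"\x00"), tlv(0x02, b"\x00"), tlv(0x01, b"\x00"),
             tlv(0xA3, tlv(0x04, b"sAMAccountName"), tlv(0x04, b"demo")), tlv(0x30))
BIND = tlv(BIND_REQ, tlv(0x02, b"\x03"),
           tlv(0x04, b"cn=svc-openam,dc=example,dc=com"), tlv(0x80, b"placeholder"))
BIND_OK = tlv(BIND_RESP, tlv(0x0A, b"\x00"), tlv(0x04), tlv(0x04))
UNBOUND_TRACE = ldap_message(1, SEARCH)      # search with no bind, as in the post
BOUND_TRACE = ldap_message(1, BIND) + ldap_message(1, BIND_OK) + ldap_message(2, SEARCH)
```

`audit_connection(UNBOUND_TRACE)` reports the search as sent with no bind, while `audit_connection(BOUND_TRACE)` shows it running under the service account DN.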

 


