Active Directory anonymous login

DSA
Posts: 1
Joined: Tue Sep 13, 2016 2:20 am

Active Directory anonymous login

Post by DSA »

Good morning;

I've configured the LDAP authentication, but the CMAP Server (v. 6.04.01) seems to pass the login as anonymous to AD.
Any advice?


LDAPUserDirectory: unable to lookup user DN with anonymous access, lookup is now disabled
(CLASS: nlk.acl.directory.ldap.LDAPUserDirectory METHOD: getUserDN LINE: 938)
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09072B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name xxxx
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
at nlk.acl.directory.ldap.LDAPUserDirectory.getUserDN(LDAPUserDirectory.java:906)
at nlk.acl.directory.ldap.LDAPUserDirectory.bind(LDAPUserDirectory.java:822)
at nlk.acl.directory.ldap.LDAPUserDirectory.authenticateUser(LDAPUserDirectory.java:338)
at nlk.base.Authentication.authenticateUser(Authentication.java:596)
at nlk.resio.ResourceService.authenticateUser(ResourceService.java:2686)
at nlk.resio.ResourceService.handleHashtable(ResourceService.java:249)
at nlk.resio.ResourceService.requestToService(ResourceService.java:96)
at edu.uwf.server.ServiceManager.requestToService(ServiceManager.java:317)
at edu.uwf.server.ConnManager.handleConnection(ConnManager.java:244)
at edu.uwf.net.socket.ConnHandlerThreadCache$HandlerThread.run(ConnHandlerThreadCache.java:142)
[13/Sep/2016:09:17:13] [ConnHandlerCache-1-Thread-0] (10.254.100.26:62661)::Resource::authenticateUser::Send reply::CLOSED: (94 ms.)
[13/Sep/2016:09:17:14] [ConnHandlerCache-1-Thread-0] (10.254.100.26:62662) RS::handleHashtable: function == getPrincipals
[13/Sep/2016:09:17:14] [ConnHandlerCache-1-Thread-0] (10.254.100.26:62662)::Resource::getPrincipals::Send reply::CLOSED: (62 ms.)
cmapadmin
Site Admin
Posts: 793
Joined: Sat Dec 13, 2008 2:22 pm

Re: Active Directory anonymous login

Post by cmapadmin »

To authenticate a user, the CmapServer first tries to look up the full Distinguished Name (DN) of the user, based on the userId. For this lookup operation, it uses anonymous access. If the lookup operation fails, it tries to authenticate in two ways:
1) by making a "best guess" at the DN: "<userAttribute>=userId,<baseDN>"
2) by using the plain userId

So it's not necessarily a problem that the anonymous lookup operation is failing, as long as you support authenticating by one of the fallback cases. For some Active Directory configurations, users have found that the attribute "userPrincipalName" along with userIds of the format "userId@DOMAIN" has worked well.
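The following is an added example written for this page, not code from CmapServer or from either poster. It models the order of attempts the reply above describes (anonymous DN lookup, then the best-guess DN, then the plain userId) against a constructed stand-in for a domain controller, decodes the AD diagnostic string from the first post (LDAP result 1 with Win32 code 000004DC, which is ERROR_NOT_AUTHENTICATED, 1244: the search ran on a connection that had not bound), and shows the two escaping rules any code that splices a user-supplied userId into a search filter (RFC 4515) and into a DN (RFC 4514) needs. The class `FakeDirectory`, the functions `bind_candidates`, `explain_ad_error`, `escape_dn_value` and `escape_filter_value`, and the sample entries and user names are all assumptions made for the example; nothing here says how CmapServer itself builds those strings.

```python
import re

# Constructed sample: the diagnostic string AD returned in the first post, reused
# by the simulated directory and by explain_ad_error().
SAMPLE_ERROR = ("[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09072B, comment: "
                "In order to perform this operation a successful bind must be completed "
                "on the connection., data 0, v2580 ]")


class AnonymousLookupRefused(Exception):
    """The simulated directory refuses a search made on an unbound connection."""


class FakeDirectory:
    """Hypothetical stand-in for a domain controller, not a real LDAP client.
    `entries` maps a search filter to the DN it resolves to. With
    anonymous_search=False, a search on an unbound connection raises, which is
    the default AD behaviour the thread runs into."""

    def __init__(self, entries, anonymous_search=False):
        self.entries = entries
        self.anonymous_search = anonymous_search

    def search_dn(self, ldap_filter):
        if not self.anonymous_search:
            raise AnonymousLookupRefused(SAMPLE_ERROR)
        return self.entries.get(ldap_filter)


def escape_dn_value(value):
    """RFC 4514 escaping for a value spliced into a DN component (cn=<value>,...)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter ((uid=<value>))."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def bind_candidates(directory, user_id, user_attribute, base_dn):
    """Bind names to try, in the order the reply describes:
    1. the DN found by an anonymous search on <user_attribute>=<user_id>, if allowed;
    2. the best guess "<user_attribute>=<user_id>,<base_dn>";
    3. the plain user_id (AD accepts a UPN such as user@DOMAIN as a simple-bind name,
       which is why userPrincipalName plus userId@DOMAIN works without any lookup)."""
    candidates = []
    try:
        dn = directory.search_dn("(%s=%s)" % (user_attribute, escape_filter_value(user_id)))
        if dn:
            candidates.append(dn)
    except AnonymousLookupRefused:
        pass  # lookup disabled on this server; rely on the two fallbacks
    candidates.append("%s=%s,%s" % (user_attribute, escape_dn_value(user_id), base_dn))
    candidates.append(user_id)
    return candidates


# Decoding of the AD diagnostic message: "error code <ldap> - <win32 hex>: ... data <sub>".
AD_ERROR_RE = re.compile(
    r"LDAP: error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}):.*?data (?P<data>[0-9A-Fa-f]+)",
    re.DOTALL)
WIN32_NAMES = {
    0x4DC: "ERROR_NOT_AUTHENTICATED (1244): search attempted before a successful bind, "
           "so the anonymous DN lookup is refused",
}
# 'data' sub-codes AD attaches to result 49 (invalidCredentials) on a failed bind.
ERROR49_DATA = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}


def explain_ad_error(message):
    """Return the LDAP result code, Win32 code, data sub-code and a short meaning,
    or None when the string is not an AD-style diagnostic."""
    m = AD_ERROR_RE.search(message)
    if not m:
        return None
    ldap_code = int(m.group("ldap"))
    win32 = int(m.group("win32"), 16)
    data = m.group("data").lower()
    if ldap_code == 49:
        meaning = ERROR49_DATA.get(data, "invalidCredentials (unmapped data code)")
    else:
        meaning = WIN32_NAMES.get(win32, "unmapped Win32 error 0x%08X" % win32)
    return {"ldap_code": ldap_code, "win32": win32, "data": data, "meaning": meaning}


if __name__ == "__main__":
    # Constructed directory with one user; anonymous search off, as in the thread.
    ad = FakeDirectory({"(sAMAccountName=alice)": "CN=Alice Smith,OU=Staff,DC=example,DC=com"})
    print(bind_candidates(ad, "alice", "sAMAccountName", "DC=example,DC=com"))
    print(bind_candidates(ad, "alice@EXAMPLE.COM", "userPrincipalName", "DC=example,DC=com"))
    print(explain_ad_error(SAMPLE_ERROR))
```

Two practical points follow from the model. First, with the lookup refused and userAttribute set to sAMAccountName, the best-guess DN `sAMAccountName=alice,DC=example,DC=com` is not a DN that exists in AD, so only the third attempt can succeed, and a plain short name is not a valid simple-bind name there; a UPN is, which is the reason for the userPrincipalName advice. Second, each of the three attempts is a simple bind carrying the password, so the connection to the domain controller should be LDAPS or StartTLS, and the filter and DN escaping shown above is what keeps a userId containing `)`, `*` or `,` from altering the lookup filter or the guessed DN.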