Page 1 of 1

Active Directory anonymous login

Posted: Tue Sep 13, 2016 2:24 am
by DSA
Good morning;

I've configured the LDAP authentication, but the CMAP Server (v. 6.04.01) seems pass the login as anonymous to AD.
Any advise?

LDAPUserDirectory: unable to lookup user DN with anonymous access, lookup is now disabled
(CLASS: METHOD: getUserDN LINE: 938)
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09072B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name xxxx
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
at Source)
at Source)
at nlk.base.Authentication.authenticateUser(
at nlk.resio.ResourceService.authenticateUser(
at nlk.resio.ResourceService.handleHashtable(
at nlk.resio.ResourceService.requestToService(
at edu.uwf.server.ServiceManager.requestToService(
at edu.uwf.server.ConnManager.handleConnection(
[13/Sep/2016:09:17:13] [ConnHandlerCache-1-Thread-0] ( reply::CLOSED: (94 ms.)
[13/Sep/2016:09:17:14] [ConnHandlerCache-1-Thread-0] ( RS::handleHashtable: function == getPrincipals
[13/Sep/2016:09:17:14] [ConnHandlerCache-1-Thread-0] ( reply::CLOSED: (62 ms.)

Re: Active Directory anonymous login

Posted: Tue Sep 13, 2016 11:57 am
by cmapadmin
To authenticate a user, the CmapServer first tries to lookup the full Distinguished Name (DN) of the user, based on the userId. For this lookup operation, it uses anonymous access. If the lookup operation fails, it tries to authenticate in two ways:
1) by making a "best guess" at the DN: "<userAttribute>=userId,<baseDN>"
2) by using the plain userId

So it's not necessarily a problem that the anonymous lookup operation is failing, as long as you support authenticating by one of the fallback cases. For some ActiveDirectory configurations, users have found that attribute "userPrincipalName" along with userIds of the format "userId@DOMAIN" has worked well.