LDAP: Operations Error

Posted by Admin on 15-Feb-2009 19:23

I have the task to integrate LDAP into our application for the purpose of user authentication. I have downloaded the "LDAP User Authentication in an ABL environment" whitepaper by Michael Jacobs. For some reason however I cannot get this to work. Whenever I try to do an LDAP search the function returns error 1 (Operations Error). Binding to the LDAP Server appears to work (the bind for the search user returns 0), but the actual search keeps giving me the error (and a mean headache I must say).

We are running LDAP on Active Directory with an extremely basic setup (I need the proof of concept working on a test box before I am allowed to touch the real world). Ultimately the implementation should of course work with non-AD implementations as well (the first site where LDAP queries have to be implemented will probably be using a Linux box and Novell eDirectory).

Any help / info with getting my "proof of concept" to work is appreciated.

Thanks

Paul

All Replies

Posted by rstanciu on 16-Feb-2009 07:15

On a Linux box you can use OpenLDAP's ldapsearch over OS-COMMAND.

/* ldapIsEnabled, ldapBaseDN, ldapHost and ldapPort are assumed to be
   defined elsewhere in the calling program (ldapPort as CHARACTER, since
   it is concatenated into the command line). */
DEF STREAM ls.

FUNCTION ldapSearch RETURNS CHARACTER
    (INPUT cID AS CHARACTER):
    /*
       return values:
         0 - Ok
         1 - error
         2 - LDAP disabled
    */
    DEF VAR lc_command AS CHAR NO-UNDO.
    DEF VAR lc_result  AS CHAR NO-UNDO.
    DEF VAR lc_ret     AS CHAR NO-UNDO.

    IF NOT ldapIsEnabled THEN RETURN "2".

    /* cID is interpolated verbatim into a command line that the OS shell
       parses: if it can contain quotes or shell metacharacters (e.g. when
       it comes from a login form) it must be validated first, otherwise a
       user can run arbitrary commands as the application account. */
    lc_command = "ldapsearch -x -b" + " '" + cID + "," +
                 ldapBaseDN + "' '(objectClass=sn)' -h " + ldapHost +
                 " -p " + ldapPort.
    lc_ret = "1".

    /* Read ldapsearch's output line by line; the LDIF footer
       "result: 0" means the search completed successfully. */
    INPUT-OUTPUT STREAM ls THROUGH VALUE (lc_command) NO-ECHO UNBUFFERED.
    REPEAT:
        IMPORT STREAM ls UNFORMATTED lc_result.
        IF lc_result = "result: 0" THEN DO:
            lc_ret = "0".
            LEAVE.
        END.
        PROCESS EVENTS.
    END.
    INPUT-OUTPUT STREAM ls CLOSE.

    RETURN lc_ret.
END.

Posted by Michael Jacobs on 20-Feb-2009 08:56

If you get a successful initial bind, it sounds like you are running into one of the classic cases of either the bind user not having enough privileges to perform the search, the search filter being incorrect, or an ambiguous search return. The LDAP API is often not intuitive in its error information.

Most of your information for binding and searching will come from the directory's administrator. The sample will construct a "typical" search filter for Active Directory (AD) if you pass the "-AD" option, but that will not cover every way an admin may set up and use AD. I've not found a single search DN and filter that covers every AD configuration, so you may have to specify a specific search filter in the p_cUserSearchFilter parameter.

When I run into issues with search root DNs or filters I'll use a GUI directory explorer such as the Windows "ldp.exe" or Sysinternals "ADExplorer.exe". There are many other GUI LDAP browsers out there that will give you AD access through the LDAP v3 API. These allow me to visualize the directory's object tree and object attributes. It also makes quick work of testing search filter strings to eliminate ambiguous user search results.

Once you've got the right user search DN and filter, the next step of actually binding to the directory as the user you are authenticating generally works accurately.
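The search-then-bind flow described in the reply above (bind as a search account, resolve the login to one DN with a filter, then bind as that DN), as an added example in Python that is not part of the whitepaper or of this thread. The `FakeDirectory` is a constructed in-memory stand-in for a real LDAP connection; a real client library would supply the equivalent bind and search calls (assumption). It models one behaviour worth ruling out when you see result code 1 against AD: Active Directory answers a search on a connection that has not completed a bind with operationsError (1) rather than with an access-denied code. The example also shows the two checks the reply calls for, a filter that escapes the login per RFC 4515 so a crafted value cannot rewrite it, and a refusal to authenticate when the filter matches more than one entry. The `{login}` template placeholder, the sample DNs and the passwords are all made up for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4515: these characters must be hex-escaped when a value is placed
# inside a search filter, otherwise a login such as "x)(objectClass=*"
# rewrites the filter (LDAP filter injection).
_FILTER_SPECIALS = {'\\', '*', '(', ')', '\x00'}


def escape_filter_value(value: str) -> str:
    return ''.join('\\%02x' % ord(c) if c in _FILTER_SPECIALS else c
                   for c in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


# Default mirrors an "-AD" style filter; a site-specific template (the
# role the whitepaper gives p_cUserSearchFilter) can be passed instead.
# "{login}" is this example's own placeholder convention.
AD_USER_FILTER = '(&(objectClass=user)(sAMAccountName={login}))'


def user_search_filter(login: str, template: str = AD_USER_FILTER) -> str:
    return template.replace('{login}', escape_filter_value(login))


@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP connection. Entries map
    a DN to its attributes plus a 'password' consulted only by bind()."""
    entries: Dict[str, Dict[str, str]]
    bound_dn: Optional[str] = None

    def bind(self, dn: str, password: str) -> int:
        """Return an LDAP result code: 0 success, 49 invalidCredentials."""
        entry = self.entries.get(dn)
        if entry is None or entry['password'] != password:
            self.bound_dn = None
            return 49
        self.bound_dn = dn
        return 0

    def search(self, base_dn: str, filt: str) -> Tuple[int, List[str]]:
        """Subtree search supporting AND-ed equality terms only. Modeled on
        AD: a search on a connection with no completed bind fails with
        result code 1 (operationsError)."""
        if self.bound_dn is None:
            return 1, []
        terms = [(a, unescape_filter_value(v))
                 for a, v in re.findall(r'\(([\w-]+)=([^()]*)\)', filt)]
        hits = [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and all(attrs.get(a, '').lower() == v.lower() for a, v in terms)]
        return 0, hits


def authenticate(directory: FakeDirectory, search_dn: str, search_pw: str,
                 base_dn: str, login: str, password: str,
                 template: str = AD_USER_FILTER) -> Tuple[bool, str]:
    """Search-then-bind: bind as the search account, resolve the login to
    exactly one DN, then prove the password by binding as that DN."""
    rc = directory.bind(search_dn, search_pw)
    if rc != 0:
        return False, 'search bind failed (%d)' % rc
    rc, dns = directory.search(base_dn, user_search_filter(login, template))
    if rc != 0:
        return False, 'search failed (%d)' % rc
    if not dns:
        return False, 'no match'
    if len(dns) > 1:
        # Refuse rather than guess: with an ambiguous filter the caller
        # would be authenticated as whichever entry happens to come first.
        return False, 'ambiguous (%d matches)' % len(dns)
    # Never bind with an empty password: many servers treat that as an
    # anonymous bind and report success.
    if not password or directory.bind(dns[0], password) != 0:
        return False, 'invalid credentials'
    return True, dns[0]


BASE_DN = 'DC=example,DC=test'
SEARCH_DN = 'CN=svc-ldap,OU=Service,' + BASE_DN
SAMPLE_DIRECTORY = {  # constructed test data; two entries share cn=Paul
    SEARCH_DN: {'objectClass': 'user', 'sAMAccountName': 'svc-ldap',
                'cn': 'svc-ldap', 'password': 'S3arch!'},
    'CN=Paul,OU=Users,' + BASE_DN: {'objectClass': 'user', 'sAMAccountName': 'paul',
                                    'cn': 'Paul', 'password': 'hunter2'},
    'CN=Paul,OU=Contractors,' + BASE_DN: {'objectClass': 'user', 'sAMAccountName': 'paul.c',
                                          'cn': 'Paul', 'password': 'other'},
}


def demo() -> Tuple[bool, str]:
    directory = FakeDirectory(dict(SAMPLE_DIRECTORY))
    return authenticate(directory, SEARCH_DN, 'S3arch!', BASE_DN, 'paul', 'hunter2')


if __name__ == '__main__':
    print(demo())
```

Calling `authenticate` with the template `(cn={login})` and login `Paul` against the sample data returns `ambiguous (2 matches)`, which is the situation a GUI browser helps you spot before the filter goes into production; calling `search` on a fresh, unbound `FakeDirectory` returns code 1, the same symptom as in the original question.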
