LDAP DN String?

Hello,
in my current application I use LDAP authentication for the first time.
I'm a bit confused with using the DN String. Imagine the following LDAP entries:
cn=user1,ou=IT1,o=departments,dc=development,dc=company,dc=de
cn=user2,ou=IT2,o=departments,dc=development,dc=company,dc=de
If I specify
cn=%LDAP_USER%,ou=IT1,o=departments,dc=development,dc=company,dc=de
as the DN String, user1 can successfully log in but user2 can't.
If I specify something else, e.g.
cn=%LDAP_USER%,o=departments,dc=development,dc=company,dc=de
neither user can log in.
I know it's more of an LDAP question, but what am I missing here?
Thanks,
Jochen

Well, some better searching found me this:
HOWTO: LDAP authentication with anonymous bind to DN
I guess it is what I was looking for.
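
The behaviour in the question, as an added example that is not code from the original post or from APEX: a DN string substitutes %LDAP_USER% into one fixed container, so a user who lives in a different container never resolves, and the substituted value has to be DN-escaped (RFC 4514) so that a login name containing ',' or '=' cannot change the structure of the DN. The template and the two entries below are constructed to mirror the question; they are not a real directory.

```python
# Added example (not from the original post): APEX-style DN-string substitution.
# The template pins the user to ou=IT1; entries are constructed stand-ins.
DN_TEMPLATE = "cn=%LDAP_USER%,ou=IT1,o=departments,dc=development,dc=company,dc=de"

DIRECTORY = {   # constructed entries standing in for user1 and user2
    "cn=user1,ou=IT1,o=departments,dc=development,dc=company,dc=de",
    "cn=user2,ou=IT2,o=departments,dc=development,dc=company,dc=de",
}


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(template, username):
    """Substitute %LDAP_USER% with the escaped login name; this is the DN the bind uses."""
    return template.replace("%LDAP_USER%", escape_dn_value(username))


def build_bind_dn_unescaped(template, username):
    """The same substitution without escaping, kept only to show the difference."""
    return template.replace("%LDAP_USER%", username)


def template_resolves(template, username, directory=DIRECTORY):
    """True if the DN built from the template names an existing entry.
    Because the container is fixed in the template, only users in that
    container can ever resolve."""
    return build_bind_dn(template, username) in directory


if __name__ == "__main__":
    for name in ("user1", "user2"):
        print(name, "->", build_bind_dn(DN_TEMPLATE, name), template_resolves(DN_TEMPLATE, name))
    print(build_bind_dn_unescaped(DN_TEMPLATE, "user2,ou=IT2"))
    print(build_bind_dn(DN_TEMPLATE, "user2,ou=IT2"))
```

With the template above user1 resolves and user2 does not, which is exactly the symptom in the question; the unescaped variant shows a login name that would silently add an RDN, while the escaped one keeps it inside the cn value.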

Similar Messages

  • Server 2012 errors for timeout -- LDAP error number: 55 -- LDAP error string: Timeout Failed to get server error string from LDAP connection

Hello, I am currently getting the error messages below from software that queries LDAP to discover AD objects/paths and for resource enumeration and tracking.
I have ensured that the firewalls and the LDAP port (389) are not closed and thus causing the hang.
I see there was a write-up for Server 2003 ( https://support.microsoft.com/en-us/kb/315071 ); not sure if this is applicable, or if the "Ntdsutil.exe" architecture has changed much since Server 2003. Please advise.
    -----------error msg  ----------------
    -- LDAP error number: 55
    -- LDAP error string: Timeout Failed to get server error string from LDAP connection

The link you shared is still applicable. You can adjust your LDAP policy depending on your software requirements.
I would also recommend that you get in touch with your software vendor to get more details about the software requirements.
    Ahmed MALEK

  • Apex 4 ldap configuration string syntax for multiple ou

    I created a working string cn=%LDAP_USER%, ou=employee, o=Toronto.
    I have another organization unit called non-employee.
    I have checked the Oracle Forums and google for syntax that would be compatible to authentication schemes in shared components of APEX.
"(&(uid=%LDAP_USER%)(|(ou:dn:=employee)(ou:dn:=non-employee)))" and every variation that I could think of for an OR operation between OUs. I even tried ou=* without success.
What worked for one organization unit was uid=%LDAP_USER%, ou=employee, o=Toronto.
uid=%LDAP_USER%, ((ou=employee) | (ou=non-employee)), o=Toronto and every variation thereof did not work. I would like to union the two groups.
Otherwise, it means copying the same application so that each copy would have its own connection string. This is inefficient.
I do not control the LDAP server so I cannot create an ou=everyone group.
In summary, I am looking for an LDAP connection string syntax to union more than one OU.

    Hi, I've solved my problem. Seems that the pair of quotes around the DN is unnecessary and causing me the agony.
    Thanks!

  • LDAP DN-String with samid?

Hey again!
For testing reasons, I'm working with the LDAP-Testtool.
Everything works fine with a DN string like this:
CN=%LDAP_USER%, OU=XXX, OU=User,OU=YYY,DC=QQQ, DC=ZZZ
but I need to log in with the samid value, like this:
samid=%LDAP_USER%, OU=XXX, OU=User,OU=YYY,DC=QQQ, DC=ZZZ
I can't get it to work. Does anybody have experience with that?
Thanks for your great help in this forum!

Hi,
See my post here: Re: LDAP Post-Authentication Process Failed. It's based on samAccountNumber.
Regards,
Shijeshy

  • Remove +1 or add 9 in LDAP return string

The information LDAPSearchCOM returns may not be appropriately formatted dial strings.
I.e. 4085551212 will need to have a 9 or 91 prepended before it can be dialed.
In another case LDAP will return +1 4085551212. It is preferred to remove the +1 before dialing.
A user can manually edit the dial string, but is there an easy way to modify the string that is returned from the LDAP server?

Have you already found a solution?
Please reply to me
ASAP!!!
Thanks in advance
Koos Duppen

  • Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?

I am having the hardest time getting a definitive answer to this; basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate users and assign them a group policy based on certain AD group memberships.
The problem I think I have is that, due to how our AD forest is structured, I have spaces in the DN string, as shown below. I have tried enclosing the entire string in quotes, etc.; nothing seems to work. Basically, the string is not matched, and the users are assigned a non-matching default policy. Cisco TAC thinks it is due to the spaces (highlighted) but I am not so sure.
Can someone please advise?
CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL

    We can troubleshoot this issue. Please provide me the following outputs:
    show run aaa-server
    show run ldap
    Turn on "debug ldap 255" and reproduce the issue. Paste the output here.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • Authenticate via LDAP - 2 different "LDAP DN Strings"

    Hello!
    My Application gives access to users via LDAP.
    I want to give access to users located in 2 different LDAP objects.
    Can anyone help me to solve the problem?
    Regards
    Michael

    My idea was to create a function that calls the function authenticate (http://www.oracle.com/technology/products/database/application_express/howtos/how_to_ldap_authenticate.html) twice,
    like this:
    create or replace function "AUTHENTICATE_AD"
    (p_username in VARCHAR2, p_password in VARCHAR2)  -- parameter names as the help text quoted below expects them
    return BOOLEAN
    is
      -- placeholders: the post does not specify the two DN strings, the host or the port
      l_dn_string1 varchar2(4000) := '<LDAP DN string 1>';
      l_dn_string2 varchar2(4000) := '<LDAP DN string 2>';
      l_ldap_host  varchar2(255)  := '<LDAP host>';
      l_ldap_port  number         := 389;
    begin
      -- authenticate() is the function from the linked howto, called with the argument order used in the post;
      -- the second call now uses the second DN string (the post passed LDAP_DN_STRING1 twice)
      return authenticate(l_dn_string1, p_password, l_ldap_host, l_ldap_port)
          or authenticate(l_dn_string2, p_password, l_ldap_host, l_ldap_port);
    end;
    The help for the field "Authentication Function" says:
    "[...]The Application Express engine expects this function to have the signature (p_username in varchar2, p_password in varchar2) return boolean. The value of the username and password fields passed to the login API, which is called by the login page, will be passed to your function. [...]"
    When I insert AUTHENTICATE_AD into "Authentication Function" and try to log on, an error message is displayed:
    ORA-06550: Zeile 2, Spalte 1: PLS-00306: Falsche Anzahl oder Typen von Argumenten in Aufruf von 'AUTHENTICATE_AD' ORA-06550: Zeile 2, Spalte 1: PL/SQL: Statement ignored
    I don't know which arguments are given!

  • How to use two different LDAP authentication for my Apex application login

    Hi,
    I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
    cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
    cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
    The problem is I couldn't point to both groups in the DN string; I am trying to allow both user groups to access the application.
    Does anyone know how to define both groups in the LDAP DN String?
    Thanks in advance
    Vijay.

    Vijay,
    I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
    Scott

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership. I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone who is NOT a carpetbagger tries to log in, it fails.
    I can only do an all-or-nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the dropdown aliases or URLs are in use. So how do I go about using them in this scenario? Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work best for me: restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer-term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile, click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:
    assert(function()
       if ( (type(aaa.ldap.distinguishedName) == "string") and
            (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
       then
          return true
       end
       return false
    end)()
    From the debug dap output you can see what Users relates to:
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
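
    The DAP expression above decides membership with a substring search over the whole DN. The following is an added example, not code from the post or from Cisco, showing the same decision made on the parsed DN instead: the DN is split into RDNs on unescaped commas (RFC 4514) and one OU component is compared exactly, so an OU whose name merely contains "Users" does not match. The DNs are constructed stand-ins for the DAP_TRACE lines quoted above.

```python
# Added example (not from the original post): exact-RDN check versus substring check.

def split_rdns(dn):
    """Split a DN on unescaped commas into its RDN strings (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep an escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_dn(dn):
    """Return (attribute, value) pairs with the attribute lower-cased.
    Multi-valued RDNs (cn=a+sn=b) are not handled in this example."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def in_ou(dn, ou_name):
    """True if one OU component of the DN equals ou_name (case-insensitive,
    which is how AD compares directory strings)."""
    return any(a == "ou" and v.lower() == ou_name.lower() for a, v in parse_dn(dn))


def substring_match(dn, needle):
    """The check the Lua expression performs: a plain substring search."""
    return needle in dn


# Constructed DNs standing in for the DAP_TRACE output quoted in the post.
USER_DN = "CN=Mr B,OU=Users,OU=Site One,DC=CH,DC=example,DC=com"
ADMIN_DN = "CN=Admin Mr B,OU=Admin Users,OU=Site One,DC=CH,DC=example,DC=com"
ARCHIVE_DN = "CN=Old Account,OU=Users Archive,OU=Site One,DC=CH,DC=example,DC=com"
ESCAPED_DN = "CN=Doe\\, John,OU=Users,OU=Site One,DC=CH,DC=example,DC=com"

if __name__ == "__main__":
    for dn in (USER_DN, ADMIN_DN, ARCHIVE_DN, ESCAPED_DN):
        print(substring_match(dn, "OU=Users"), in_ou(dn, "Users"), dn)
```

The archive DN is the case worth noticing: "OU=Users" is a substring of "OU=Users Archive", so the substring test lets that account into the profile, while the component test does not.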

  • LDAP Authentication - Multiple Domains

    I want to be able to use the built-in LDAP Authentication scheme to allow authentication against multiple AD domains, each with its own separate host IP/server and LDAP DN string. The user ID is formatted the same across all domains, so that is not a concern. I am currently authenticating against one domain and it scans the tree successfully.
    Host: xx.xx.xx.xx
    DN String: %LDAP_USER%@amer.globalco.net
    (amer.globalco.net is the domain)
    How can this be accomplished? Is it possible, all you gurus out there?
    I saw one forum thread discussing how to add a drop-down list to the login page, then use the value of the page item in the DN string to specify the domain. That makes sense; HOWEVER, I also have to use a different host server/IP address for each domain. So that is two fields that need updating based on one select list.
    I can build the select list using "IP/Domain", but how do I separate the two data bits in the ITEM value into their own field values?
    Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
    As you can tell, I am not a SQL/PL/SQL person, and I want to avoid creating my own LDAP scheme.
    Please include example/suggested SQL.
    Thanks in advance...
    Rich
    Apex v3.2.1
    Oracle 10G Express

    Based on a prior post, I had a similar question and the result was to write a custom auth scheme to read the values from the login page, perform auth against the appropriate LDAP, then return a valid session to proceed with login in the APEX app. In our case, the issue was having users in different branch nodes on the same LDAP server but not being able to search from a common higher-level branch for some reason...
    Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per LDAP/domain; you might even have to have multiple apps with just a login page and then redirect to the main app... It's been a really long time since I've tried anything like it; just giving some options to try.

  • Ldap search in jsp not working

    Hi
    We have users imported from the DB into OID and they have blank passwords. So for those users, when they first try to log in, I am planning to take them to some other page. I have added code to login.jsp where, in case of an authentication error, I want to redirect users with a blank password to a separate page. So I am doing a search for the user in LDAP and trying to get the user's attributes. I am not getting any errors in my JSP, but somehow the search is not successful. Can someone tell me what's wrong with this code?
    // Needs: javax.naming.*, javax.naming.directory.*, java.util.Hashtable
    // str_user is assumed to hold the login name from the form; out is the JSP writer.
    try {
        DirContext dirctx = null;
        // Build the LDAP url
        String ldapurl = "ldap://" + "stg.test.com" + ":" + "3060";
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapurl);
        // if password is specified, set the credentials
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "orcladmin");
        env.put(Context.SECURITY_CREDENTIALS, "welcome");
        // Bind and initialize the Directory context
        dirctx = new InitialDirContext(env);
        Attributes matchAttrs = new BasicAttributes(true); // ignore attribute name case
        matchAttrs.put(new BasicAttribute("uid", str_user));
        // Search for objects with those matching attributes
        NamingEnumeration<SearchResult> answer = dirctx.search("cn=Users,dc=oprah,dc=com", matchAttrs);
        int count = 0;
        while (answer.hasMore()) {
            SearchResult sr = answer.next();
            out.println("SEARCH RESULT:" + sr.getName());
            Attributes attrs = sr.getAttributes();
            if (attrs == null) {
                out.println("This result has no attributes");
            } else {
                // 'enum' is a reserved word since Java 5; the enumeration is named attrEnum here
                for (NamingEnumeration<? extends Attribute> attrEnum = attrs.getAll(); attrEnum.hasMore();) {
                    Attribute attrib = attrEnum.next();
                    out.println("ATTRIBUTE :" + attrib.getID());
                    for (NamingEnumeration<?> e = attrib.getAll(); e.hasMore();) {
                        out.println("\t\t = " + e.next());
                    }
                }
            }
            out.println("====================================================");
            count++;
        }
        out.println("Search returned " + count + " results");
        dirctx.close();
    } catch (Exception e) {
        e.printStackTrace();
    }

    I figured out the problem. I need to give the DN of orcladmin here:
    env.put(Context.SECURITY_PRINCIPAL, "cn=orcladmin,cn=users,dc=test,dc=com");
    instead of
    env.put(Context.SECURITY_PRINCIPAL, "orcladmin");

  • URGENT! I need help on LDAP - Finding deleted users Attribute "sAMAccount"

    Hi,
    I am trying to get deleted users from Active Directory after a certain interval. Each time only the differences in the result will be shown. I also need to get the value of the specific attribute called "sAMAccount" every time for each user (in the result).
    I am using polling here.
    if (localCookie == null) {
        // Specify the DirSync Control
        Control[] ctls = new Control[] { new DirSyncControl() };
        ctx.setRequestControls(ctls);
    } else {
        // Specify the DirSync Control with cookie
        Control[] ctls = { new DirSyncControl(1, Integer.MAX_VALUE, localCookie, true) };
        ctx.setRequestControls(ctls);
    }
    rspCtls = ctx.getResponseControls();
    if (rspCtls != null) {
        for (int i = 0; i < rspCtls.length; i++) {
            if (rspCtls[i] instanceof DirSyncResponseControl) {
                // cast the element rspCtls[i], not the array
                DirSyncResponseControl rspCtl = (DirSyncResponseControl) rspCtls[i];
                localCookie = rspCtl.getCookie();
            }
        }
    }
    The typical problem I am facing here is that from the 2nd iteration onwards the result does not fetch the attribute "sAMAccount".
    Please suggest the possible reason and solution.

    // Assumed imports: javax.naming.*, javax.naming.directory.*, javax.naming.ldap.*, java.util.Hashtable,
    // plus DirSyncControl / DirSyncResponseControl from the JNDI LDAP booster pack.
    // AdPolling, AdConstant, AdRestClientConnector, populateUsers and log are the poster's own classes.
    String searchBase = "DC=test,DC=com";
    String searchString = "(&(objectClass=user)(|(givenName=*)(isDeleted=TRUE)))";
    String url = "ldap://jbaitest.test.com:389";
    String initCntxtFact = "com.sun.jndi.ldap.LdapCtxFactory";
    String login = "CN=Administrator,CN=Users,DC=TEST,DC=COM";
    String passwd = "welcome@1";
    byte[] localCookie = AdPolling.getCookie();
    Control[] rspCtls = null;
    try {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, initCntxtFact);
        env.put(Context.SECURITY_AUTHENTICATION, AdConstant.SECURITY_AUTH_TYPE_SIMPLE);
        env.put(Context.SECURITY_PRINCIPAL, login);
        env.put(Context.SECURITY_CREDENTIALS, passwd);
        env.put(Context.PROVIDER_URL, url);
        LdapContext ctx = new InitialLdapContext(env, null);
        SearchControls searchCtls = new SearchControls();
        String returnedAtts[] = null;   // null means: return all attributes
        searchCtls.setReturningAttributes(returnedAtts);
        searchCtls.setReturningObjFlag(true);
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        if (localCookie == null) {
            // First poll: DirSync control without a cookie
            Control[] ctls = new Control[] { new DirSyncControl() };
            ctx.setRequestControls(ctls);
        } else {
            // Later polls: DirSync control with the cookie from the previous response
            Control[] ctls = { new DirSyncControl(1, Integer.MAX_VALUE, localCookie, true) };
            ctx.setRequestControls(ctls);
        }
        NamingEnumeration<SearchResult> enumSearchResult = ctx.search(searchBase, searchString, searchCtls);
        AdRestClientConnector adRestCon = populateUsers(enumSearchResult); // Method to get the different attribute values
        rspCtls = ctx.getResponseControls();
        if (rspCtls != null) {
            for (int i = 0; i < rspCtls.length; i++) {
                if (rspCtls[i] instanceof DirSyncResponseControl) {
                    // cast the element rspCtls[i], not the array
                    DirSyncResponseControl rspCtl = (DirSyncResponseControl) rspCtls[i];
                    localCookie = rspCtl.getCookie();
                }
            }
        }
        AdPolling.setCookie(localCookie);
    } catch (NamingException e) {
        log.error(AdConstant.ERROR_SEARCHING_DIR_PROBLEM + e);
    } catch (Exception e) {
        log.error(AdConstant.ERROR_SEARCHING_DIR_PROBLEM + e);
    }

  • LDAP Search returns only 1200 records

    Hi!
    I'm having trouble searching an LDAP registry containing about 20,000 records. If I configure a search that should return about 15,000 records I only get 1200, with the following error message when iterating through the NamingEnumeration:
    Unexpected exception occured at record 1200: javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'o=ericsson'
    Code:
    package erildap;

    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.Hashtable;

    /**
     * Title:
     * Description:
     * Copyright: Copyright (c) 2001
     * Company: Numenor Communication AB
     * @author Andreas Glöckner
     * @version 1.0
     */
    public class EgdLdap {
        Hashtable props = null;
        DirContext context = null;
        String server = null;
        int port;
        int version;

        public EgdLdap(String ldapServer, int port, int LdapVersion) {
            this.server = ldapServer;
            this.port = port;
            this.version = LdapVersion;
        }

        static public void main(String[] args) {
            SearchResult result = null;
            Attribute a = null;
            EgdLdap ldapObj = new EgdLdap("ldap.server.se", 389, 3);
            try {
                ldapObj.connect();
            } catch (NamingException ex) {
                System.out.println(ex.toString());
            }
            String filter = "(&(uid=qandglo)(ou=esg))";
            String[] returnAttrib = {"uid", "ou", "givenName", "departmentNumber", "L", "mail"};
            int scope = SearchControls.SUBTREE_SCOPE;
            // 'enum' is a reserved word since Java 5; the enumeration is named results here
            NamingEnumeration results = ldapObj.search("o=ericsson,ou=esg", filter, returnAttrib, scope);
            int i = 1;
            try {
                if (results != null) {
                    while (results.hasMoreElements()) {
                        result = (SearchResult) results.nextElement();
                        NamingEnumeration attributes = result.getAttributes().getAll();
                        while (attributes.hasMore()) {
                            a = (Attribute) attributes.next();
                            System.out.println(i + ". " + a.toString());
                            i++;
                        }
                    }
                }
            } catch (Exception e) {
                System.out.println(e.toString());
                e.printStackTrace();
            }
        }

        public void connect() throws NamingException {
            try {
                props = new Hashtable();
                props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                props.put(Context.PROVIDER_URL, "ldap://" + this.server + ":" + this.port);
                props.put("java.naming.ldap.version", String.valueOf(this.version));
                context = new InitialDirContext(props);
            } catch (NamingException e) {
                System.out.println("Failed to connect to: " + this.server);
                props = null;
                throw e;
            }
            System.out.println("Successfully connected to: " + this.server);
        }

        public void traverse() {
            try {
                Attributes at = context.getAttributes("cn=q*,o=ericsson");
                NamingEnumeration values = at.getAll();
                while (values.hasMore()) {
                    System.out.println(values.next().toString());
                }
            } catch (NamingException e) {
                System.out.println(e.toString());
            }
        }

        public NamingEnumeration search(String name, String filter, String[] returnAttribs, int type) {
            NamingEnumeration result = null;
            SearchControls ctrl = new SearchControls();
            ctrl.setSearchScope(type);
            ctrl.setReturningAttributes(returnAttribs);
            if (context != null) {
                try {
                    result = context.search(name, filter, ctrl);
                } catch (NamingException e) {
                    System.out.println(e.toString());
                }
            }
            return result;
        }
    }

    Hi,
    Two possible reasons:
    1. The size of the search results returned would have been controlled by the directory services administrator (cross-check with the directory services administrative options).
    2. Have you set the size limit programmatically using SearchControls.setSizeLimit(...)? You should be using SearchControls.setSizeLimit(0), which returns all the results.
    Hope this helps,
    Sathya Sayee.S
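
    SearchControls.setSizeLimit(0) lifts only the client-side cap; a limit the server enforces still cuts the result at 1200 entries with result code 4, which is the message quoted above. What retrieves a large set past such a limit is the simple paged results control (RFC 2696; in JNDI, javax.naming.ldap.PagedResultsControl). The following is an added example, not from the post or from the JNDI code above, that simulates a server with a hard size limit and shows both the unpaged failure and the paged walk. The limit, the entries and the cookie (an offset here; real servers return an opaque byte string) are constructed.

```python
# Added example (not from the original post): server size limit vs. paged results.

SERVER_SIZE_LIMIT = 1200                                    # constructed server-side cap per request
ENTRIES = ["uid=u%d,o=example" % i for i in range(15000)]   # constructed result set
SIZE_LIMIT_EXCEEDED = 4                                     # LDAP result code sizeLimitExceeded


def server_search(page_size=None, cookie=0):
    """Simulated server side. Returns (entries, result_code, next_cookie).
    Unpaged: at most SERVER_SIZE_LIMIT entries, then result code 4.
    Paged: one page of min(page_size, SERVER_SIZE_LIMIT) entries and a cookie
    for the next page (None once the set is exhausted)."""
    if page_size is None:
        if len(ENTRIES) > SERVER_SIZE_LIMIT:
            return ENTRIES[:SERVER_SIZE_LIMIT], SIZE_LIMIT_EXCEEDED, None
        return list(ENTRIES), 0, None
    effective = min(page_size, SERVER_SIZE_LIMIT)
    page = ENTRIES[cookie:cookie + effective]
    next_cookie = cookie + effective if cookie + effective < len(ENTRIES) else None
    return page, 0, next_cookie


def unpaged_search():
    """What the post's code does: a single search with no paging control.
    Returns (entries_received, result_code)."""
    entries, code, _ = server_search()
    return len(entries), code


def paged_search(page_size):
    """Client side of RFC 2696: resend the same search with the cookie from the
    previous response until the server returns no cookie.
    Returns (entries_received, pages_requested)."""
    collected, pages, cookie = [], 0, 0
    while cookie is not None:
        page, code, cookie = server_search(page_size, cookie)
        if code != 0:
            raise RuntimeError("server returned result code %d" % code)
        collected.extend(page)
        pages += 1
    return len(collected), pages


if __name__ == "__main__":
    print("unpaged:", unpaged_search())
    print("paged, 1000 per page:", paged_search(1000))
    print("paged, 5000 requested:", paged_search(5000))
```

Asking for a page larger than the server limit is not an error in this model; the server simply trims the page to its limit, so the client should size pages at or below the server's limit and keep looping on the cookie.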

  • Passing Values to search strings, odd behavior

    Greetings,
    I've encountered an issue in a script of mine while trying to repair a search function that is boggling my mind, I'm hoping for some expert opinion as to why this is happening and what I may be missing here.
    In short, I'm trying to add a function to a script that allows users to search for a user by a custom AD attribute (employee number). At first I tried this:
    If ($SearchTypeComboBox.Text -eq "Employee Number") {
        $EESearchResult = Get-QADuser -service <REMOVED> -ldapfilter "(&(objectCategory=person)(objectClass=user)(employeenumber=$Searchinput.text))"
        Write-Host $EESearchResult.samaccountname
    }
    Now, $Searchinput comes from a textbox within a form, this is passed in numerous other areas of the script just fine. However when I use it like I did above, no data is passed to the LDAP search string and it comes up empty.
    HOWEVER, if I add this:
    $WTF = $Searchinput.text
    Then use that in the search string:
    Get-QADuser -service <REMOVED> -ldapfilter "(&(objectCategory=person)(objectClass=user)(employeenumber=$WTF))"
    It works...
    Why?! I don't understand... While I have overcome this issue, the fix really bothers me. Any insight would be awesome!
    Thanks!

    Try changing $Searchinput.text to $($Searchinput.text). You are trying to access a property of an object, so you must enclose it in parentheses to tell PowerShell to execute this first; the result is then expanded via the $ in front of the parentheses, which yields the data the property contains.

  • LDAP Connection - users in more than one group

    Hello.
    I set up an application with an LDAP connection (Novell eDirectory 8 / Novell 6.5).
    It is working fine for users in a specified container.
    Using (based on a pre-configured scheme from the gallery:
    Show Login Page and Use LDAP Directory Credentials)
    LDAP DN STRING=
    cn=%LDAP_USER%,o=los
    only users in container los can connect.
    Using
    LDAPDN=
    cn=%LDAP_USER%,ou=amt10,o=los
    now members of amt10 can connect but no one else.
    Is there a hint to get it to work recursively (like mod_auth_ldap in Apache does), so that all users in any container under o=los will be able to connect?
    I have nearly 1000 users in ~50 containers; what should I do best? What is misconfigured?
    Ralf

    I'm using a nifty little application call iCalPublish. Check it out at http://www.buddy.com/ical/
    sb
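
    Ralf's post, Vijay's post ("two different LDAP authentication") and the Apex 4 multiple-OU post all run into the same limit: a DN string names one container, so users spread over several containers cannot all be matched by it. The usual answer, and what Scott's suggestion of a custom function around dbms_ldap.simple_bind_s amounts to, is search-then-bind: search the whole base for the login name, then bind with the DN that was found. The following is an added example, not code from any of the posts and not APEX or dbms_ldap; the directory, the passwords, the allowed containers and the bind are all constructed and simulated in memory, and the RFC 4515 filter escaping shows why the login name must be escaped before it goes into the search filter.

```python
import re

# Added example (not from the original posts): search-then-bind across containers,
# with a simulated directory and simulated bind.

BASE_DN = "dc=oracle,dc=com"
ALLOWED_CONTAINERS = ("ou=usergrp1,dc=oracle,dc=com", "ou=usergrp2,dc=oracle,dc=com")

DIRECTORY = {   # constructed: dn -> attributes
    "cn=vijay,ou=usergrp1,dc=oracle,dc=com": {"uid": ["vijay"]},
    "cn=anna,ou=usergrp2,dc=oracle,dc=com": {"uid": ["anna"]},
    "cn=ralf,ou=amt10,ou=usergrp2,dc=oracle,dc=com": {"uid": ["ralf"]},   # nested container
    "cn=guest,ou=external,dc=oracle,dc=com": {"uid": ["guest"]},          # not an allowed container
}
# constructed stand-in for what a real bind would verify
PASSWORDS = {dn: "pw-" + attrs["uid"][0] for dn, attrs in DIRECTORY.items()}


def escape_filter_value(value):
    """RFC 4515 escaping so that a login name cannot add filter syntax."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _assertion_to_regex(value):
    """Filter assertion value -> regex: an unescaped '*' is a wildcard,
    a '\\xx' hex escape is a literal character."""
    pattern, i = "", 0
    while i < len(value):
        ch = value[i]
        if ch == "*":
            pattern += ".*"
        elif ch == "\\" and i + 2 < len(value):
            pattern += re.escape(chr(int(value[i + 1:i + 3], 16)))
            i += 3
            continue
        else:
            pattern += re.escape(ch)
        i += 1
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def _under(dn, base):
    """True if dn lies anywhere below base (subtree scope)."""
    return dn.lower().endswith("," + base.lower())


def search(base, attr, assertion):
    """Simulated subtree search for (attr=assertion) under base; returns matching DNs."""
    rx = _assertion_to_regex(assertion)
    return [dn for dn, attrs in DIRECTORY.items()
            if _under(dn, base) and any(rx.match(v) for v in attrs.get(attr, []))]


def resolve_and_bind(username, password, base=BASE_DN, allowed=ALLOWED_CONTAINERS):
    """Search-then-bind: find the user's DN anywhere under base, require it to sit
    in (or below) an allowed container, then bind with that DN.
    Returns the DN on success, None otherwise."""
    found = search(base, "uid", escape_filter_value(username))
    if len(found) != 1:            # none, or ambiguous: refuse rather than guess
        return None
    dn = found[0]
    if not any(_under(dn, c) for c in allowed):
        return None
    if PASSWORDS.get(dn) != password:   # stands in for the LDAP bind with the found DN
        return None
    return dn


if __name__ == "__main__":
    for user in ("vijay", "anna", "ralf", "guest", "*"):
        print(user, "->", resolve_and_bind(user, "pw-" + user))
    print("unescaped wildcard matches", len(search(BASE_DN, "uid", "*")), "entries")
```

Users in usergrp1, usergrp2 and the container nested under usergrp2 all resolve, which is the recursive behaviour Ralf asks for; the account outside the allowed containers is found by the search but refused. The last line shows what escaping prevents: an unescaped "*" as the login name would match every entry.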
