LDAP Simple Bind - Authentication?

Hi
We have a requirement to authenticate an LDAP user id and password in a BSP.
In function module LDAP_SIMPLEBIND we have the parameters Usr_string and pwd_string.
Are these parameters for the LDAP user id and password? If the user details are incorrect it is supposed to return code LDAPRC as 49.
I need to know whether we can use this method to authenticate an LDAP user.
Please provide your views.
Thanks
Rakesh

ok, got the point.
To be able to connect to check the uid/pwd, here is how you have to pass the password:
CALL FUNCTION 'LDAP_SIMPLEBIND'
  EXPORTING
    serverid = p_serv
    usr      = wf_base
    pwd      = pwd
  IMPORTING
    ldaprc   = wf_error.
where for p_serv you pass the server alias defined in transaction LDAP,
and for wf_base (passed to parameter usr) you have to pass it with its path:
CONCATENATE 'uid=' user_id ',' 'ou=people,dc=domain,dc=com,o=internet' INTO wf_base.
This syntax will change based on the setup of your LDAP server.
Regards
Raja
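The CONCATENATE in the answer splices the user id straight into a distinguished name. RFC 4514 treats a handful of characters in an attribute value as special (`,` `+` `"` `\` `<` `>` `;`, plus a leading `#` or space and a trailing space); unless they are backslash-escaped the bind DN is malformed or names a different entry, and the bind fails or is ambiguous. The Python below is an added example, not the thread's ABAP and not SAP's LDAP_SIMPLEBIND; it applies the RFC 4514 escaping rule and then builds the same `uid=...,ou=people,dc=domain,dc=com,o=internet` DN the answer shows. The base DN is the one from the answer, the sample user ids are constructed.

```python
# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set('",+;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")          # NUL is only representable as a hex pair
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")           # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")           # a leading '#' would start a hex-string value
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(user_id: str,
                  base_dn: str = "ou=people,dc=domain,dc=com,o=internet") -> str:
    """Build the DN passed as usr to LDAP_SIMPLEBIND, as the answer's CONCATENATE does,
    but with the user id escaped. An empty id is refused: 'uid=,...' would not name the
    user, and an empty name/password pair is an anonymous bind rather than a failed one."""
    if not user_id:
        raise ValueError("empty user id")
    return "uid=" + escape_dn_value(user_id) + "," + base_dn


if __name__ == "__main__":
    for uid in ("rakesh", "smith, john", " lead", "#7"):   # constructed sample ids
        print(build_bind_dn(uid))
```

The same escaping applies to any other RDN attribute (cn=, sAMAccountName=) you might build the DN from; only the attribute values are escaped, never the `=` and `,` separators of the DN itself.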

Similar Messages

  • LDAP Error :  simple binding failed

    I am trying to create an LDAP resource on my IDM.
    I cannot get past the "Test Connection" phase, because I keep getting this error :
    *"Unable to connect to LDAP on : mydomain.com. Simple binding failed"*
    After browsing several forums, including google, I realize that the fault lies in the fact that I am using SSL, which has its authentication certificate.
    My question is : How and where do I need to insert / refer to this certificate, so that IDM won't have a problem connecting to LDAP?
    Thanks

    I browsed quite a few APACHE TOMCAT documents, unfortunately there is not enough sensible explanation as to how exactly the import should be done.
    I eventually settled for using the following command :
    keytool -importcert -alias abc -file ABCCA.cer     (where "abc" is the alias)
    If I understand correctly, I imported the certificate into the KEYSTORE
    The import was successful.
    However, I am still getting the same error on my LDAP configuration.
    Am I doing something wrong? Is there something ELSE I need to do ?
    Or are the KEYSTORE and TRUSTSTORE entirely different things?

  • Simple bind failed: adserver:636 --  While connecting to AD from OIM

    Hi,
    I am using OIM 9102 BP 11.
    AD Connector version -- MSFT_AD_Base_91150
    App Serv -- Weblogic
    Database -- oracle 10g.
    I am trying to provision passwords from OIM to AD.
    The connector is working fine over non-SSL (389).
    I have exported the ROOT CA from the AD machine and imported the same through the keytool import command to the OIM cert keystore.
    When I try to provision a user to AD over SSL (636), I am getting the below exception:
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],================= Start Stack Trace =======================
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : createUser
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],simple bind failed: adserver:636
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],Description : simple bind failed: <hostname>:636
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],com.thortech.xl.exception.ConnectionException: simple bind failed: adserver:636
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.createUser(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.ADCREATEUSER(adpADCSCREATEUSER.java:224)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.implementation(adpADCSCREATEUSER.java:91)
    at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
    Can anybody please help me with this? I have been trying the same for 3 days but no luck.
    STEPS to generate the Certificate from AD:
    1. Installed the Certificate Authority from Add\Remove Windows Components.
    2. Generated a Certificate Request in IIS by accessing CertSrv.
    3. Issued the same certificate and imported that to the keystore of OIM server.
    The AD is not responding over SSL (636). When I try to access the AD machine through explorer as
    https:<adhost>:636
    it's not prompting to import the certificate. Also I am not able to connect to AD from an LDAP browser.
    Request you to kindly help me on this ASAP.

    Start of UME Service Failed: http://help.sap.com/saphelp_nw04/helpdata/en/20/361941edd5ef23e10000000a155106/frameset.htm - check this, the same exception got resolved there.
    One more thing: have you uploaded the LDAP server's certificate into the TrustedCAs of the keystore in Visual Admin on the WAS server? If you are using LDAP over SSL, the connection to the server will expect a certificate; if you don't have the trust enabled you won't be able to connect.
    Thanks

  • PCI Vulnerability Reports LDAP NULL BIND ENABLED

    I'm running a PCI compliance report on a Windows 2008 R2 and the report fails.
    The error summary points to LDAP NULL BIND being enabled. I thought LDAP NULL BIND was disabled by default.
    How can I test for LDAP NULL BIND being disabled?
    How can I disable LDAP NULL BIND?
    Thanks for your help

    Please start by reading that: http://support.microsoft.com/kb/837964/en-us
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • LDAP Authenticated Bind

    I have been looking for documentation on LDAP authenticated bind, except there is very little and the stuff that is there doesn't go into any detail. I was able to get authenticated binds to work properly but I wanted to ensure that it was all done correctly.
    I found that the users that you are authenticating have to be in the same OU as the service account that you are using to perform the authenticated bind. For example, you have an OU called Wireless. user1, user2 and a service account called WiSA are all in this OU. You can authenticate user1 and user2, but no users out of any other OU.
    Is this really all there is? There appears to be no ability to do memberOf which really limits what you can do with this.
    I am running 6.0.182.0. Any thoughts??

    You can use users in another location for authenticated binding of LDAP; in that case, while writing the username you should mention the entire path instead of the username.
    For e.g.: you should specify the username as cn=user,ou=cisco,ou=wireless,dc=com.
    If both your client authentication username and bind username are in the same location then you can just specify the username; the controller will pick the path from the LDAP config.
    I hope I answered your question.

  • JNDI LDAP Simple attribute storage via DirContext extended class

    I just started looking into JNDI today to manipulate and view LDAP directories. I have been following this tutorial:
    http://www.javaworld.com/javaworld/jw-03-2000/jw-0324-ldap.html?page=4
    They use an example where they just would like to create a context with simple attributes. This seems to work well with my project - having to interact with an LDAP user/user group/host store, where the LDAP objects have already been implemented, and populated for that matter.
    I can see how you would create a User DirContext object that would be used to bind, and then actually create that user in the LDAP store. My problem is when you do the reverse, and get the information from a user that already exists. Is it possible to re-use that User DirContext class? The only way I have seen to do it was doing a search, or a getAttributes. I could see it working if you have another User class on top of the UserDirContext class, and then some sort of conversion, but it seems like there would be an easier way. Any thoughts? Thanks.

    at least you need cn= in front of the name.
    Here some more questions you may ask yourself:
    How do you know, that the requested object is in the database?
    What is its DN?
    Can you retrieve it using the ldap command line utilities like ldapsearch?
    What does context.list("") return?

  • LDAP correct binding?

    To start, I have successfully bound a new "user" into this leaf that has been created. The problem comes when I try to log in as that user onto that leaf. I can login, with only the username, if I add the password, it gives me a javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]. I must not be correctly binding the password to the user. How would I do this?
        env.put(Context.PROVIDER_URL, "url");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=company,dc=company,dc=net");
        env.put(Context.SECURITY_CREDENTIALS, "password");
        try {
            DirContext ctx = new InitialDirContext(env);   // connects with my username and password
            // Create attributes to be associated with the object
            BasicAttributes attrs = new BasicAttributes(true);
            attrs.put("cn", "username");
            attrs.put("userPassword", "No12we3**");
            attrs.put("ou", "people");
            attrs.put("dc", "company");
            attrs.put("dc", "net");
            // Perform bind
            ctx.bind("cn=Name,ou=people,dc=company,dc=net", attrs);
        } ...
    So then when I replace my username and password with the new guy's, it doesn't work. And it does work when I don't use a password for him...
    Thanks
    Edited by: Flavouski on Oct 25, 2007 6:58 PM

    It looks like you have a little bit of inconsistency between the user name and the attributes in the entry.
    ctx.bind("cn=Name,ou=people,dc=company,dc=net",attrs);
    but
    attrs.put("cn","username");
    Make sure you've changed the Context.SECURITY_PRINCIPAL to "cn=Name,ou=people,dc=company,dc=net"
    Besides, I am not sure that the entry was created properly. There is no objectclass attribute, thus it is not sure that you have provided all of the required attributes.
    For a Person (or OrganizationalPerson or InetOrgPerson), sn is also mandatory.
    Regards,
    Ludovic.

  • LDAP Search/Bind function

    I'm trying to create an authentication function that can perform a search/bind.
    The algorithm for this is as follows:
    1) Bind to the LDAP server as the application (ie: admin username and password)
    2) Search the LDAP directory for the sign-in username %userid%
    3) Get the DN of that entry
    4) Unbind as the application
    5) Bind as the sign-in username %userid% with the DN from above
    I'm pretty sure that this is possible with the DBMS_LDAP and DBMS_LDAP_UTL packages, but I'm not sure how to put it all together. Does anyone out there know if a function such as this already exists?
    Thanks,
    Logan

    Well, I figured it out.
    create or replace FUNCTION F_Authenticate (p_username in varchar2, p_password in varchar2)
          RETURN BOOLEAN
       IS
          CURSOR ldap_param_cur
          IS
             SELECT *
               FROM ldap_parameters;
          ldap_param_rec   ldap_param_cur%ROWTYPE;
          l_session        DBMS_LDAP.SESSION;
          l_srch_attr      DBMS_LDAP.STRING_COLLECTION;
          l_attr_values    DBMS_LDAP.STRING_COLLECTION;
          l_result         DBMS_LDAP.MESSAGE;
          l_entry          DBMS_LDAP.MESSAGE;
          l_dn             VARCHAR2 (200);
          l_retval         PLS_INTEGER;
          multiple_uid     EXCEPTION;
          no_ldap_entry    EXCEPTION;
       BEGIN
          -- get parameters from uvic_ldap_parameters table
          OPEN ldap_param_cur;
          FETCH ldap_param_cur
           INTO ldap_param_rec;
          -- if the cursor returns no records display error message and exit
          IF ldap_param_cur%NOTFOUND
          THEN
             DBMS_OUTPUT.PUT_LINE
                 ('LDAP Parameters not configured in UVIC_LDAP_PARAMETERS table');
             CLOSE ldap_param_cur;
             RETURN FALSE;
          END IF;
          CLOSE ldap_param_cur;
          DBMS_LDAP.use_exception := TRUE;
          BEGIN
             -- open session to ldap server
             l_session :=
                DBMS_LDAP.init (ldap_param_rec.ldap_host,
                                ldap_param_rec.ldap_port);
             -- bind with credentials from cursor
             l_retval :=
                DBMS_LDAP.simple_bind_s (l_session,
                                         ldap_param_rec.search_credential,
                                         ldap_param_rec.search_passwd);
             -- run ldap search
             l_retval :=
                DBMS_LDAP.search_s (l_session,
                                    ldap_param_rec.search_base,
                                    DBMS_LDAP.SCOPE_SUBTREE,
                                    ldap_param_rec.search_filter || p_username,
                                    l_srch_attr,
                                    0,
                                    l_result);
             -- count the search result records
             l_retval := DBMS_LDAP.count_entries (l_session, l_result);
             -- if multiple search result records raise exception
             -- the userid should be unique and only return 1 search record
             IF l_retval > 1
             THEN
                RAISE multiple_uid;
             ELSIF NVL (l_retval, 0) = 0
             THEN
                RAISE no_ldap_entry;
             END IF;
             -- select first entry from ldap search record
             l_entry := DBMS_LDAP.first_entry (l_session, l_result);
             -- get the distinguished name from the ldap record
             l_dn := DBMS_LDAP.get_dn (l_session, l_entry);
             -- close ldap session used to retrieve search results
             l_retval := DBMS_LDAP.unbind_s (l_session);
             -- open session to ldap server
             l_session :=
                DBMS_LDAP.init (ldap_param_rec.ldap_host,
                                ldap_param_rec.ldap_port);
             -- bind using ldap search results distinguished name and password
             -- if the bind is successful the user can login
             l_retval := DBMS_LDAP.simple_bind_s (l_session, l_dn, p_password);
             -- close ldap session
             l_retval := DBMS_LDAP.unbind_s (l_session);
             RETURN TRUE;
          EXCEPTION
             WHEN multiple_uid
             THEN
                l_retval := DBMS_LDAP.unbind_s (l_session);
                DBMS_OUTPUT.PUT_LINE ('Multiple LDAP entries found.');
                RETURN FALSE;
             WHEN no_ldap_entry
             THEN
                l_retval := DBMS_LDAP.unbind_s (l_session);
                DBMS_OUTPUT.PUT_LINE ('No LDAP records found.');
                RETURN FALSE;
             WHEN OTHERS
             THEN
                l_retval := DBMS_LDAP.unbind_s (l_session);
                DBMS_OUTPUT.PUT_LINE ('LDAP Error. Unknown type.');
                RETURN FALSE;
          END;
       EXCEPTION
          WHEN OTHERS
          THEN
             l_retval := DBMS_LDAP.unbind_s (l_session);
             DBMS_OUTPUT.PUT_LINE ('LDAP Error. Unknown type.');
             RETURN FALSE;
       END F_Authenticate;
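The five-step search/bind procedure in the question and F_Authenticate above have three edge cases worth handling explicitly: an empty password (RFC 4513 section 5.1.2 lets a server treat a DN with an empty password as an unauthenticated bind that returns success, so it must never count as a login), a user id that matches several entries, and a user id containing LDAP filter metacharacters, since the filter is built by concatenation. The Python below is an added example, not the thread's PL/SQL and not Oracle's DBMS_LDAP; it runs the same algorithm against a constructed in-memory stand-in for the directory so it can execute offline. `FakeLdapServer`, the `DIRECTORY` entries and the `PARAMS` row (the thread's ldap_parameters table) are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

INVALID_CREDENTIALS = 49          # resultCode the thread's first post expects for a bad password


class LdapError(Exception):
    def __init__(self, code: int):
        super().__init__(f"LDAP result code {code}")
        self.code = code


class FakeLdapServer:
    """Constructed stand-in for a DBMS_LDAP session. It models two server behaviours that
    matter for search/bind: anonymous and unauthenticated binds return success without
    binding as the named DN, and filter values are matched after RFC 4515 hex unescaping."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries
        self.bound_as: Optional[str] = None

    def simple_bind(self, dn: str, password: str) -> bool:
        if not password:
            self.bound_as = None       # anonymous (no DN) or unauthenticated (DN, no password)
            return True
        entry = self.entries.get(dn)
        if entry is None or entry["userPassword"] != password:
            raise LdapError(INVALID_CREDENTIALS)
        self.bound_as = dn
        return True

    def search(self, base: str, ldap_filter: str) -> List[str]:
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise LdapError(87)        # filterError
        attr, raw = m.group(1), m.group(2)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and e.get(attr) == value]

    def unbind(self) -> None:
        self.bound_as = None


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: encode * ( ) \\ and NUL inside a filter value as backslash-hex."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def authenticate(server: FakeLdapServer, cfg: Dict[str, str], username: str, password: str) -> bool:
    """Steps 1-5 of the question: bind as the application, search for the user, take the
    DN, unbind, then bind as that DN with the supplied password."""
    if not password:
        return False                   # would otherwise become an unauthenticated bind
    server.simple_bind(cfg["search_credential"], cfg["search_passwd"])
    try:
        ldap_filter = f"({cfg['search_attr']}={escape_filter_value(username)})"
        matches = server.search(cfg["search_base"], ldap_filter)
    finally:
        server.unbind()
    if len(matches) != 1:
        return False                   # no such user, or the id is not unique
    try:
        server.simple_bind(matches[0], password)
        return server.bound_as == matches[0]
    except LdapError as err:
        if err.code == INVALID_CREDENTIALS:
            return False
        raise                          # connectivity or server errors are not a login failure
    finally:
        server.unbind()


# Constructed sample directory and parameter row.
DIRECTORY = {
    "cn=app,ou=services,dc=example,dc=com": {"cn": "app", "userPassword": "app-secret"},
    "uid=logan,ou=people,dc=example,dc=com": {"uid": "logan", "userPassword": "s3cret"},
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": "jdoe", "userPassword": "pw1"},
    "uid=jdoe,ou=contractors,dc=example,dc=com": {"uid": "jdoe", "userPassword": "pw2"},
}
PARAMS = {
    "search_credential": "cn=app,ou=services,dc=example,dc=com",
    "search_passwd": "app-secret",
    "search_base": "dc=example,dc=com",
    "search_attr": "uid",
}


def demo() -> Dict[str, bool]:
    server = FakeLdapServer(DIRECTORY)
    return {
        "valid": authenticate(server, PARAMS, "logan", "s3cret"),
        "wrong_password": authenticate(server, PARAMS, "logan", "nope"),
        "empty_password": authenticate(server, PARAMS, "logan", ""),
        "ambiguous_uid": authenticate(server, PARAMS, "jdoe", "pw1"),
        "unknown_user": authenticate(server, PARAMS, "nobody", "x"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Two design choices differ from F_Authenticate on purpose: only invalidCredentials (49) maps to "login refused", while any other failure propagates instead of being swallowed by a `WHEN OTHERS ... RETURN FALSE`, and the user-supplied value is escaped before it is spliced into the search filter.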

  • LDAP client binding failure stops TimerTask thread

    Hi There,
    I try to schedule a TimerTask once LDAP binding fails, but the binding failure prevents the TimerTask thread from starting. Any idea? Or any workaround?
    Thanks.
    try {
        ctx = new InitialLdapContext(envs[ctx_idx], null);
    } catch (NamingException ne) {
        start();
    }
    public static void start() {
        timer = new Timer();
        timer.schedule(new TimerTask() {
            public void run() {
                System.out.println(".... Visit moniter ....");
            }
        }, 10, 1000);
    } // end of start
    ...

    Problem fixed. The Windows XP client did not have the WINS server IP address in its TCP/IP properties.

  • Flash 8 - Re-order an array, simple binding of xml

    I am prototyping a data table display. I need to show a data
    table inside a grid, using a simple xml file such as the one in the
    "DinnerMenu" tutorial whereby a button loads the xml file into the
    data grid component.
    I want to know how to set the order of the fields to display
    from left to right in the table (which I haven't figured out how to
    do) either in the component settings or in the xml file, wherever
    it works.
    Then, I also would like to know how to get the data load
    immediately when user reaches the scene, or just have it already
    pre-loaded. Right now, all I know is the tutorial method where the
    actionscript defines the button and onclick the data is loaded. I
    want to show it already there.
    Thank you!

    set resultFormat="e4x" on your HTTPService tag, then in the
    handler do:
    var xmlResult:XML = XML(event.result);
    trace(xmlResult.toXMLString());
    Then use e4x expressions to select the desired list of nodes.
    It will return an XMLList, which has many similarities to Array.
    If you want to stick with the default nested object
    structure, examine the result object (objUtil.toString(), if i
    recall correctly) to determine how to craft the correct
    navigational path.
    Tracy

  • Help with simple binding

    Hello there! I need to bind a request parameter to an inputHidden field. What I've tried so far:
    <h:inputHidden value="#{param.amout}" binding="#{bean.customer.amout}"/>
    But when rendering the page I get :
    Cannot convert javax.faces.component.html.HtmlInputHidden@1015590 of type class javax.faces.component.html.HtmlInputHidden to class java.lang.Double
    I tried to use a converter with <f:convertNumber> but did not work as well.
    How can I accomplish this?
    Regards

    The 'binding' attribute should bind the component to a HtmlInputText property in the backing bean, not to Double. Use the 'value' attribute for this which binds the value to the actual value property in the backing bean, which is Double in this case.

  • Simple binding question

    Hello,
    I have an inputText bound to a backing bean property, in contrast to an ADF bind attribute. The getter method for the inputText looks up the value from a HashMap. While going through the debugger, it looks like the code is returning the correct value; however, it does not show up on the page. Could someone give me a hint as to what is wrong with the below code? Thanks.
    public String getFirstname() {
        Long custid =
            (Long)ADFUtils.getBoundAttributeValue(getBindings(), "currentCustomer");
        if (custid != null && customerLookUp != null) {
            Customer cust = (Customer)customerLookUp.get(custid);
            if (cust != null)
                return cust.getCustFirstName();
        }
        return this.firstname;
    }

    Hi,
    did you also provide a setter method before binding it with EL? If not, give it a try, as it could solve the issue.
    Frank

  • How can I configure iDS 4.12 for secureLDAP? Are there any other ways to avoid sending clear passwords doing a simple bind?

    I want password-authentication in a secure way, may be secureLDAP is a good and cheap way to do. Or are there other functions that do a better job? What changes are needed?

    If you want to secure LDAP, then SSL connections should be enabled.
    If you want all the users of your Directory Server to use SSL or certificate-based authentication when they connect using LDAP client applications, you must make sure they perform the following tasks:
    • Create a certificate database.
    • Trust the Certificate Authority (CA) that issues the server certificate.

  • ACE 4710 LDAP probe

    Folks,
    We'll be adding a farm this weekend to do some kind of balancing for LDAP and LDAPS servers.
    I've been thinking about what would be the best way to probe those servers.
    I assume a generic TCP probe has to be created testing 389 and 636, but I honestly don't know what I should expect coming from the real servers.
    Does anyone have an LDAP farm in place or something like that? I've found a script on the internet, but it seems a little bit further than what I can understand, therefore I'm not really confident to use it.
    Thanks for any advice.
    Andre

    Hi Andre,
    You can use the scripted LDAP probe (LDAP_PROBE) available with ACE. It sends an anonymous bind request and checks for bind success.
    probe tcp LDAPS_Probe
      port 636
    probe tcp LDAP_Probe
      port 389
    This is how you can apply the script for LDAP port 389.
    script file 1 LDAP_PROBE
    probe scripted LDAP_PROBE_389
    interval 5
    passdetect interval 30
    receive 5
    script LDAP_PROBE
    serverfarm host SF-LDAP-389
    description SF LDAP Port 389
    predictor leastconns
    probe LDAP_PROBE_389
    rserver LDAP-RS1-389
    inservice
    The only supported LDAP probe on the ACE module is the unsecure scripted probe,
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/script.html#wp1111558
    The pre-made TCL script probes available from the Software download page also contains an LDAP probe that you can use to verify the health of the LDAP servers.
    The ace_scripts.tgz zip file contains these scripts and is located at this URL:
    http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6500-ace
    To unzip this file, use the gunzip command in Exec mode,
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/slb/guide/script.html#wp1107470
    For your convenience, the following sample scripts for the ACE are available to support the TCL feature and are supported by Cisco TAC:
    • CHECKPORT_STD_SCRIPT
    • ECHO_PROBE_SCRIPT
    • FINGER_PROBE_SCRIPT
    • FTP_PROBE_SCRIPT
    • HTTP_PROBE_SCRIPT
    • HTTPCONTENT_PROBE
    • HTTPHEADER_PROBE
    • HTTPPROXY_PROBE
    • IMAP_PROBE
    • LDAP_PROBE -----------------> "The LDAP probe you are looking for"
    • MAIL_PROBE
    • POP3_PROBE
    • PROBENOTICE_PROBE
    • RTSP_PROBE
    • SSL_PROBE_SCRIPT
    • TFTP_PROBE
    Also remember that the bind request should be sent as binary and not via ASCII. Take a packet capture of a successful credential bind request with username and password, then convert this to a hex value and insert it in the script.
    The easiest way is to capture a packet with the authentication credentials and then replace the hex bind string in the example.
    The alternative is to handcode the BER coded ASN.1 data string - which while more fun is time consuming. The remainder of the script can stay the same.
    You can do this on an ACE module. You have to be aware that 300c02010160 in the example script string is a sort of "header" that holds the request id (1). This will be different in your packet capture.
    If you look at the decomposition of the example you'll be able to see how it is put together and what you need to change.
    0x30 The start of a universal constructed sequence
    0x0c The length of the sequence minus the tag and length bytes = 12 bytes
    0x02 Next field is an integer
    0x01 The length of the next field (1 byte)
    0x01 Value (this is the message ID)
    0x60 Application, number 0, use RFC2251 to decode. This is a Bind Request
    0x07 Length of data to follow.
    0x02 Integer
    0x01 Length 1
    0x03 3 - this is the LDAP version.
    0x04 String
    0x00 Length 0
    0x80 Simple Authentication
    0x00 Length 0
    Just keep the id the same in the unbind.
    The string I use is:
    302d02010160280201030418636e3d41636550726f78792c6f3d556e69766572736974798009ffffffffffffffffff
    where I've replaced the 9 character password with 9*x'ff'.
    The username for binding is AceProxy.  If you want to use the same script then create that username and set the password in the string above (in hex).  If for example you set the password to Example12 then you need to set the 9*x'ff' to '4578616d706c653132' - which is the hex representation of the ASCII.
    Note that if you use fewer or more than 9 characters then you'll need to change other values in the string because they refer to lengths.
    You need to create a copy of the standard LDAP probe into your own file and then replace the hex string in the "puts" line which you identified above with the new string.
    Then copy the file to the ACE:
    ace1/ldap# copy ftp: disk0:
    Enter source filename[]? My-LDAP_PROBE
    Enter the destination filename[]? [My-LDAP_PROBE]
    Enter hostname for the ftp server[]?
    1.2.3.4
    Enter username[]? anonymous
    Enter the file transfer mode[bin/ascii]: [bin]
    Password:
    Passive mode on.
    Hash mark printing on (1024 bytes/hash mark).
    In the context create a scripted probe definition:
    probe scripted PROBE-LDAP-389
      interval 60
      receive 20
      script My-LDAP_PROBE
    Load the script into the context:
    script file 10 My-LDAP_PROBE
    And then add it to the serverfarm:
    serverfarm host FARM-LDAP
      probe PROBE-LDAP-389
    The manual implies that you can pass arguments to a scripted probe, but you would then have to build the hex string dynamically - taking care that all the length values were correct.
    This should be enough to enable you to implement the script.
    Find another example on this
    URL:http://scuq.abyle.org/?page_id=201
    #!name = ADV_LDAP_PROBE
    #### > user for linux tclsh !/usr/bin/tclsh8.4
    # Stefan Nistelberger
    # changes to cisco's original probe
    # * username and password with ldap simple bind (dynamically generated packets)
    # * unable to connect exception handling
    # * debug message for invalidCredentials
    # debug procedure
    # set the EXIT_MSG environment variable to help debug
    # also print the debug message when debug flag is on
    proc ace_debug { msg } {
        global debug ip port EXIT_MSG
        set EXIT_MSG $msg
        if { [ info exists ip ] && [ info exists port ] } {
            set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
        }
        if { [ info exists debug ] && $debug } {
            puts $EXIT_MSG
        }
    }
    # main
    # parse cmd line args and initialize variables
    ## set debug value
    set debug 1
    if { [ regsub -nocase "DEBUG" $argv "" argv] } {
        set debug 1
    }
    ace_debug "initializing variable"
    set EXIT_MSG "Error config:  script ADV_LDAP_PROBE \[DEBUG\]"
    set ip $scriptprobe_env(realIP)
    set port "0"
    set ldap_start "30"
    set ldap_bindheader "02010160"
    set ldap_bind "0201"
    set ldap_version "02"
    set ldap_gap1 "04"
    set ldap_gap2 "80"
    set ldap_bindheader_len 5
    set base_len 0c
    set ldap_simple_auth "8007"
    # hex value of one character, always two digits so the length bytes stay correct
    proc toASCII { char } {
       scan $char %c value
       return [format %02x $value]
    }
    set username [ lindex $argv 0 ]
    set hexusername ""
    set password [ lindex $argv 1 ]
    set hexpassword ""
    foreach char [split $username ""] {
         set hexchar [toASCII $char]
         append hexusername $hexchar
    }
    foreach char [split $password ""] {
         set hexchar [toASCII $char]
         append hexpassword $hexchar
    }
    set username_len [string length $username]
    ace_debug $username_len
    set password_len [string length $password]
    ace_debug $password_len
    set base_len [expr 0x$base_len]
    set seq_len [expr $username_len + $password_len + $base_len]
    set sub_seq_len [expr $seq_len - $ldap_bindheader_len]
    set seq_len [format %02x $seq_len]
    set sub_seq_len [format %02x $sub_seq_len]
    set hexldapbindpckt ""
    append hexldapbindpckt $ldap_start
    append hexldapbindpckt "$seq_len"
    append hexldapbindpckt $ldap_bindheader
    append hexldapbindpckt $sub_seq_len
    append hexldapbindpckt $ldap_bind
    append hexldapbindpckt $ldap_version
    append hexldapbindpckt $ldap_gap1
    append hexldapbindpckt [format %02x $username_len]
    append hexldapbindpckt $hexusername
    append hexldapbindpckt $ldap_gap2
    append hexldapbindpckt [format %02x $password_len]
    append hexldapbindpckt $hexpassword
    # if port is zero then use the well known ldap port 389
    if { $port == 0 } {
        set port 389
    }
    #ace_debug $hexldapbindpckt
    # PROBE START
    set errorcode [catch {
            set sock [ socket $ip $port ]
    } msg ]
    if {$errorcode != 0} {
            ace_debug $msg
            exit 30002
    }
    fconfigure $sock -buffering line -translation binary
    # anonymous bind request
    #puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
    puts -nonewline $sock [ binary format "H*" $hexldapbindpckt ]
    set code "ffffff"
    flush $sock
    ace_debug "bef"
    set line [read $sock 22]
    ace_debug "aft"
    binary scan $line H* res
    binary scan $line @15H6 code
    close $sock
    #  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
    if {  $code != "0a0100" } {
        if {  $code == "0a0131" } {
            ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\' = invalidCredentials"
        } else {
            ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
        }
        exit 30002
    }
    ## make probe success by exit with 30001
    ace_debug "probe success"
    exit 30001
    URL for reference:
    https://cisco-support.hosted.jivesoftware.com/thread/132800?decorator=print&displayFullThread=true
    HTH
    Sachin Garg
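The byte-by-byte decomposition above and the Tcl probe both hand-build the BindRequest with single-byte length fields, and the probe reads the result code from a fixed offset in the reply. The Python below is an added example, not part of the thread and not one of Cisco's scripts; it encodes the same BER structure (SEQUENCE, INTEGER messageID, APPLICATION 0 BindRequest with version, name and simple authentication) but with long-form lengths for values of 128 bytes or more, and it parses the BindResponse by walking the tags instead of assuming an offset. With an empty name and password it produces the anonymous-bind string `300c020101600702010304008000` from the probe, which is also what a NULL-bind check sends; with the `cn=AceProxy,o=University` DN and the `Example12` password from the answer it reproduces the answer's string with the `ff` bytes replaced. The two response messages are constructed.

```python
def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) for non-negative values such as messageID and the LDAP version."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    return ber_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def bind_request(message_id: int, name: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest [APPLICATION 0] }
    BindRequest ::= { version INTEGER, name OCTET STRING, authentication simple [0] }
    An empty name and password is the anonymous bind the Cisco probe sends."""
    bind = (ber_integer(version)
            + ber_tlv(0x04, name.encode("utf-8"))        # 0x04 OCTET STRING: the bind DN
            + ber_tlv(0x80, password.encode("utf-8")))   # 0x80 [CONTEXT 0]: simple authentication
    return ber_tlv(0x30, ber_integer(message_id) + ber_tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def bind_response_result_code(msg: bytes) -> int:
    """Walk LDAPMessage -> BindResponse [APPLICATION 1] (0x61) -> resultCode ENUMERATED (0x0a).
    0 is success and 49 is invalidCredentials (RFC 4511 section 4.1.9)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, _message_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, response, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(response, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    return int.from_bytes(code, "big")


# Constructed replies: messageID 1, empty matchedDN and diagnosticMessage.
SUCCESS_RESPONSE = bytes.fromhex("300c02010161070a010004000400")
INVALID_CREDENTIALS_RESPONSE = bytes.fromhex("300c02010161070a013104000400")

if __name__ == "__main__":
    print(bind_request(1, "", "").hex())                                   # anonymous bind
    print(bind_request(1, "cn=AceProxy,o=University", "Example12").hex())  # the answer's DN
    print(bind_response_result_code(SUCCESS_RESPONSE),
          bind_response_result_code(INVALID_CREDENTIALS_RESPONSE))
```

Because the encoder computes every length from the actual content, a probe built on it does not need the manual length adjustments the answer warns about when the password is not exactly 9 characters, and it stays correct for DNs long enough to need two-byte lengths.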

  • New DC without netlogon share is not working.

    Hello all,
    I have a brand new DC (server 2012) that I joined to my domain and it is not behaving. It is a clean install plus the directory services role, the static IP and the promotion, nothing else. The domain has one more DC (server 2012) and it is functioning properly. The DNS servers of the new DC are the working DC and 127.0.0.1 as secondary. The time is the same, the name is new on a new install of windows (no images, no cloning, no restores). The promotion completed successfully with the initial replication (it said).
    Here is the output of dcdiag:
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = IL-DC2
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\IL-DC2
          Starting test: Connectivity
             ......................... IL-DC2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\IL-DC2
          Starting test: Advertising
             Warning: DsGetDcName returned information for \\MD-DC.mydomain.com, when we were trying to reach IL-DC2.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... IL-DC2 failed test Advertising
          Starting test: FrsEvent
             ......................... IL-DC2 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
             ......................... IL-DC2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... IL-DC2 passed test SysVolCheck
          Starting test: KccEvent
             A warning event occurred.  EventID: 0x80000481
                Time Generated: 03/06/2014   05:07:50
                Event String: Internal event: The following schema class has a superclass that is not valid.
             A warning event occurred.  EventID: 0x80000481
                Time Generated: 03/06/2014   05:07:50
                Event String: Internal event: The following schema class has a superclass that is not valid.
             A warning event occurred.  EventID: 0x80000481
                Time Generated: 03/06/2014   05:07:50
                Event String: Internal event: The following schema class has a superclass that is not valid.
             A warning event occurred.  EventID: 0x80000B46
                Time Generated: 03/06/2014   05:09:43
                Event String:
                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
             ......................... IL-DC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... IL-DC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... IL-DC2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... IL-DC2 passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\IL-DC2\netlogon)
             [IL-DC2] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
             ......................... IL-DC2 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... IL-DC2 passed test ObjectsReplicated
          Starting test: Replications
             ......................... IL-DC2 passed test Replications
          Starting test: RidManager
             ......................... IL-DC2 passed test RidManager
          Starting test: Services
             ......................... IL-DC2 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/06/2014   04:20:58
                Event String: The WinRM service is not listening for WS-Management requests.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/06/2014   04:50:41
                Event String:
                Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/06/2014   04:50:41
                Event String:
                Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/06/2014   04:51:32
                Event String: The WinRM service is not listening for WS-Management requests.
             An error event occurred.  EventID: 0x00001001
                Time Generated: 03/06/2014   04:56:46
                Event String:
                The machine IL-DC2 attempted to join the domain mydomain.com but failed. The error code was 1332.
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/06/2014   04:58:07
                Event String: The WinRM service is not listening for WS-Management requests.
             An error event occurred.  EventID: 0x0000271A
                Time Generated: 03/06/2014   04:58:06
                Event String:
                The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
             A warning event occurred.  EventID: 0x00001796
                Time Generated: 03/06/2014   04:59:21
                Event String:
                Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:09
                Event String:
                Driver HP Universal Printing PCL 6 required for printer HP Universal Printing PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:09
                Event String:
                Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:12
                Event String:
                Driver HP Universal Printing PCL 6 required for printer HP Color LaserJet CM1312nfi MFP (192.168.2.20) is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:12
                Event String:
                Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:13
                Event String:
                Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:00:13
                Event String:
                Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/06/2014   05:08:51
                Event String: The WinRM service is not listening for WS-Management requests.
             A warning event occurred.  EventID: 0x00001796
                Time Generated: 03/06/2014   05:12:17
                Event String:
                Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:02
                Event String:
                Driver HP Universal Printing PCL 6 required for printer HP Universal Printing PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:02
                Event String:
                Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:03
                Event String:
                Driver HP Universal Printing PCL 6 required for printer HP Color LaserJet CM1312nfi MFP (192.168.2.20) is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:04
                Event String:
                Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:04
                Event String:
                Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
             An error event occurred.  EventID: 0x00000457
                Time Generated: 03/06/2014   05:13:05
                Event String:
                Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
             ......................... IL-DC2 failed test SystemLog
          Starting test: VerifyReferences
             ......................... IL-DC2 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : mydomain
          Starting test: CheckSDRefDom
             ......................... mydomain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... mydomain passed test CrossRefValidation
       Running enterprise tests on : mydomain.com
          Starting test: LocatorCheck
             ......................... mydomain.com passed test LocatorCheck
          Starting test: Intersite
             ......................... mydomain.com passed test Intersite
    I also have the following event:
    Log Name:      System
    Source:        NetJoin
    Date:          3/6/2014 4:56:46 AM
    Event ID:      4097
    Task Category: None
    Level:         Error
    Keywords:      
    User:          S-1-5-21-1062633599-3710215183-3313947919-500
    Computer:      IL-DC2
    Description:
    The machine IL-DC2 attempted to join the domain mydomain.com but failed. The error code was 1332.
    Although the machine joined the domain, it is listed with the appropriate records and promoted. 
    Can anybody help me get a second DC for this domain running? It is kind of urgent... I tried demoting/promoting and reinstalling, and I tried to do a non-authoritative restore; however, I don't have the appropriate registry key... I saw the various different posts
    on similar issues; please do not paste them, as I read them and I was not able to solve this.
    Thank you in advance for any responses!
    Best regards,
    Irina
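The dcdiag output above prints each event as a full 32-bit instance ID in hex; the Event Viewer ID is the low 16 bits, which the post itself confirms (dcdiag's 0x00001001 is the NetJoin Event ID 4097 shown further down). Buried among the printer-driver noise are two warnings a security reviewer would pull out: 0x80000B46 (Event ID 2886, LDAP signing not required and cleartext simple binds still accepted, the same simple-bind concern this whole page is about) and 0x00001796 (Event ID 6038, NTLM in use). The following added example, written for this page and not part of Irina's post or any Microsoft tool, parses that dcdiag format, recovers the decimal Event IDs and flags the watch-listed ones. The input is a constructed excerpt modelled on the output above; the watch-list descriptions are paraphrases of the event text shown on this page.

```python
# Parse dcdiag event lines, recover Event Viewer IDs from the hex instance IDs,
# and flag the security-relevant ones. Sample input is constructed for this example.
import re

EVENT_LINE = re.compile(r"^\s*An? (warning|error) event occurred\.\s+EventID:\s+0x([0-9A-Fa-f]+)")
TIME_LINE = re.compile(r"^\s*Time Generated:\s+(.+?)\s*$")
STRING_LINE = re.compile(r"^\s*Event String:\s*(.*?)\s*$")
TEST_LINE = re.compile(r"^\s*Starting test:\s+(\S+)")
END_LINE = re.compile(r"^\s*\.{5,}")          # "......................... X passed test Y"

# Event IDs worth acting on; both appear in the dcdiag output on this page.
WATCHLIST = {
    2886: "LDAP signing not required; cleartext LDAP simple binds are still accepted",
    6038: "NTLM authentication is in use between clients and this server",
}

def event_id(hex_id):
    """dcdiag prints the full instance ID (severity/facility bits included);
    the ID shown in Event Viewer is the low 16 bits."""
    return int(hex_id, 16) & 0xFFFF

def parse_dcdiag_events(text):
    """Return one dict per event, in output order, with the test it belongs to."""
    events, current_test, current = [], None, None
    for line in text.splitlines():
        m = TEST_LINE.match(line)
        if m:
            current_test, current = m.group(1), None
            continue
        if END_LINE.match(line):
            current = None
            continue
        m = EVENT_LINE.match(line)
        if m:
            current = {"test": current_test, "severity": m.group(1),
                       "raw_id": "0x" + m.group(2), "id": event_id(m.group(2)),
                       "time": None, "message": ""}
            events.append(current)
            continue
        if current is None:
            continue
        m = TIME_LINE.match(line)
        if m:
            current["time"] = m.group(1)
            continue
        m = STRING_LINE.match(line)
        if m:
            current["message"] = m.group(1)
            continue
        # any other indented line is the continuation of a wrapped Event String
        current["message"] = (current["message"] + " " + line.strip()).strip()
    return events

def security_findings(events):
    """Only the events on the watch list, each annotated with why it matters."""
    return [dict(e, reason=WATCHLIST[e["id"]]) for e in events if e["id"] in WATCHLIST]

# Constructed excerpt in dcdiag's layout (text shortened from the output above)
DCDIAG_SAMPLE = """\
          Starting test: KccEvent
             A warning event occurred.  EventID: 0x80000481
                Time Generated: 03/06/2014   05:07:50
                Event String: Internal event: The following schema class has a superclass that is not valid.
             A warning event occurred.  EventID: 0x80000B46
                Time Generated: 03/06/2014   05:09:43
                Event String:
                The security of this directory server can be significantly enhanced by configuring the server to reject SASL
                LDAP binds that do not request signing and LDAP simple binds that are performed on a cleartext connection.
             ......................... IL-DC2 passed test KccEvent
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00001796
                Time Generated: 03/06/2014   05:12:17
                Event String:
                Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.
             An error event occurred.  EventID: 0x00001001
                Time Generated: 03/06/2014   04:56:46
                Event String:
                The machine IL-DC2 attempted to join the domain mydomain.com but failed. The error code was 1332.
             ......................... IL-DC2 failed test SystemLog
"""

if __name__ == "__main__":
    for f in security_findings(parse_dcdiag_events(DCDIAG_SAMPLE)):
        print(f["test"], f["raw_id"], "-> Event ID", f["id"], ":", f["reason"])
```

Run as-is the script prints the two watch-listed events; feed it `dcdiag /v` output instead of the sample to triage a real DC. Event 2886 is the one to chase first: it means this DC still accepts LDAP simple binds over cleartext, so any application doing what the original question asks (a simple bind with a user's password) would send that password unencrypted unless it uses LDAPS or StartTLS.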

    Umar,
    Thank you big time for your time and help today. After we finished talking I tried the authoritative restore (vs non-authoritative the first time - didn't help) and then I started over (one more time) and created one more DC. Before promoting it I disabled
    the firewall and the user control in order to make sure nothing is stopping it. I also triple checked the time. I promoted it without the DNS server and Global Catalog functions. I faced the same wall. After the promotion the SYSVOL and NETLOGON shares were
    still not there. 
    After hours of more reading I finally found this:
    http://social.technet.microsoft.com/Forums/en-US/58b8cdc3-a990-46c7-a70e-a51fd6965537/sysvol-and-netlogon-shares-missing-from-new-domain-controllers-using-dfrs?forum=windowsserverpreview
    and it saved me. So I followed this guy's steps and my system shares showed up on both new DCs. Then I had to wait one more hour for everything to get in sync and after that I successfully shut down my main DC and the other two took over. 
    Thank you again for the help!
    Best regards,
    Irina
