New to LDAP

Similar Messages

• Ideas for features needed in new Conversational LDAP Accept

  Mark, sorry should have given you this list months ago. My guess is you've already thought of all of these and more.
  Everyone else, feel free to add to the list or tell me I'm nuts... or better yet ask what for.
  1) A good DHAP (directory harvest attack prevention) solution. I'm guessing this would be along the same lines as current post-conversation LDAP Accept. - completely obvious
  2) Sender Group specific settings, also like the current DHAP. This allows for different bounce/drop rates based on Sender Group or SRBS. Also the ability to Drop vs. Bounce based on Sender Group, not just a global setting.
  3) The ability to do conversational bounces based on the MAIL FROM: in addition to the RCPT TO:. This allows for conversational bounces for Internet inbound emails where the MAIL FROM: may be your own domain (spoofed).
  4) LDAP Accept still needs to be post HAT, Domain Map and RAT processing.
  5) Rates and counts added to the Mail Flow monitor stats, specifically: Invalid LDAP rates: Total, Bounce and Drop.
  6) LDAP lookup status, very much like DNS with cache hit/miss rates, number of lookups, etc. Also rates along with counts.
  7) Warnings when LDAP lookup timeout is exceeded, vs. server connection failures. Configurable LDAP lookup timeout.
  8) If connection to LDAP server fails or times out, emails are accepted by default.

  Erich,
  This is all very good feedback. The vast majority of it will be included in the conversational LDAPACCEPT feature coming in a maintenance release in the short term.
  There are a couple items that we'll have to get to in a later release:
  - Drop vs. bounce in the sender group. Good idea, beyond what we'll be able to do in this release. But you'll be able to enable/disable and set thresholds per sender group.
  - Conversational bounces on the Envelope Sender. This is coming in the Hard Rock release, planned for Q405.
  - LDAP lookup status will be in the Hard Rock release
  Everything else looks to be in there.
  Peter Schlampp
  Sr. Dir., Product Management
  IronPort Systems

• Ok, new Question: LDAP or NIS

  I was recommended NIS here on these forums (LDAP was not mentioned).
  I have only been reading about how to get NIS working, but finally came across some guy wondering why people were still trying to use NIS.
  So... LDAP or NIS?
  EDIT:
  Ok so whatabout Kerberos? Should I use Ldap AND Kerberos, or is LDAP enough? I want a robust, scalable system.
  EDIT
  Read some more. Conclusion: Screw the security for now. I'm going for LDAP. Input still welcome.
  Last edited by iOfWhy (2014-01-09 00:07:33)

  You can set it to manually update songs and playlists so that the buyer doesnt have to. Like i told you in your other post, when he plugs it in to his computer, a window will pop up. It will ask if he wants to link that ipod to his library. if its manually update, then he should click yes.
  Another thing he could do it select all the songs in his library (a faster way to do this is to click on the top song, then hold shift and click on the bottom songs, selecting the whole library), right click, and press uncheck this solection. Since they are unchecked, they wont update onto his ipod. The same method applies to checking the whole library.
  -Taps-

• Cannot create and add a new entry to LDAP

  Hi,
  I'm pretty new at LDAP and JNDI, i've been trying to create and add a new entry to the directory but somehow it's not working.
  here is my code and I would appreciate it if someone can help.
  import java.util.Hashtable;
  import javax.naming.ldap.*;
  import javax.naming.directory.*;
  import javax.naming.*;
  import javax.net.ssl.*;
  import java.io.*;
  public class Newuser
       public static void main (String[] args)
            //LDAPEntry myEntry = new LDAPEntry();
            Hashtable<String, String> env = new Hashtable<String, String>(11);
            String adminName = "CN=ldap_admin,o=JNDITutorial,dc=img,dc=org";
            String adminPassword = "secret";
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            //set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION,"simple");
            env.put(Context.SECURITY_PRINCIPAL,adminName);
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            //connect to my domain controller
            env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial,dc=img,dc=org");
                 // Create the initial directory context
                 //JNDILDAPConnectionManager jndiManager = new JNDILDAPConnectionManagerImpl();
                try{
                     DirContext ctx = new InitialDirContext(env);
                      System.out.println("Connection to LDAP server done" );
                     final String groupDN ="ou=people,o=JNDITutorial,dc=img,dc=org";
                    //DirContext dirCtx = jndiManager.getLDAPDirContext();
                    People people = new People("Thiru","Thiru","Thiru Ganesh","Ramalingam","ou=people","[email protected]");
                    // The Common name must be equal in Attributes common Name
                    ctx.bind("cn=Thiru," + groupDN, people);
                    System.out.println("** Entry added **");
                    //jndiManager.disConnectLDAPConnection(ctx);
                }catch(NamingException exception){
                    System.out.println("**** Error ****");
                    exception.printStackTrace();
                    System.exit(0);
  }here is the Object class People that i'm trying to instantiate
  public class People implements DirContext {
       public People(String uid,String cn,String givenname,String sn,String ou,String mail) {
      BasicAttributes myAttrs = new BasicAttributes(true);  //Basic Attributes
      Attribute objectClass = new BasicAttribute("objectclass"); //Adding Object Classes
      objectClass.add("inetOrgPerson");
      /*objectClass.add("organizationalPerson");
      objectClass.add("person");
      objectClass.add("top");*/
      Attribute ouSet = new BasicAttribute("ou");
      ouSet.add("people");
      ouSet.add(ou);
      myAttrs.put(objectClass);
      myAttrs.put(ouSet);
      myAttrs.put("cn",cn);
      myAttrs.put("sn",sn);
      myAttrs.put("mail",mail);
  ...the message i keep getting is:
  javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - entry has no objectClass attribute]
  the thing is that I can create and add a new entry in openLDAP from the console and it works.
  and here is how I proceed
  I create a text file: new.txt
  dn:cn=Hamido Saddo,ou=People,o=JNDITutorial,dc=img,dc=org
  cn:Hamido Saddo
  mail:[email protected]
  telephonenumber:3838393038703
  sn:hamdio
  objectclass:top
  objectclass:person
  objectclass:organizationalPerson
  objectclass:inetOrgPersonand i use this command to add the entry:
  ldapadd -D "cn=ldap_admin,O=JNDITutorial,dc=img,dc=org" -W -f new.txtand everything works, i get no errors.
  does anyone has a clue maybe???

  You must have an IMAP email account in order to add additional folders on the iPad mail app.
  If you go to your email account in the Mail app and look at the window where your inbox, trash folder and sent folder are - if there is an Edit button at the top of the window - tap that and then tap Add Mailbox at the bottom.
  If the Edit button is not there - you cannot create folders on the iPad. Your email account is not IMAP. Only IMAP email accounts can create folders on the iPad. Any folders that you would already have in an IMAP account would sync to the device as well.

• Trying to add a new entry to SUN LDAP

  Hey im trying the following code to add a new user to a group using VB.NET but no success yet
  Dim de As New DirectoryEntry("LDAP://www.m1steveldap.com:389/ou=people,dc=steveldap,dc=com,o=broker")
          de.Username = "cn=manager"
          de.Password = "password"
          de.AuthenticationType = AuthenticationTypes.None
          Try
              Dim entries As DirectoryEntries = de.Children
              Dim newUser As DirectoryEntry = entries.Add("CN=test man", "user")
              newUser.Properties("givenname").Add("steven")
              newUser.Properties("uid").Add("steven")
              newUser.Properties("sn").Add("steven")
              newUser.CommitChanges()But getting the following error
  The requested operation did not satisfy one or more constraints associated with the class of the object. (Exception from HRESULT: 0x80072014)
  Any ideas ?

  every entry in an ldap directory must have some mandatory attributes, e.g. "objectClass". which objectclass your entry should belong to? add the objectClass-attribute to your entry!
  Regards!
  Rainer

• LDAP failing for iPrint and iFolder after new CA created

  Last week we replaced our Certificate Authority as it was due to expire yesterday (Monday). It was currently running on a fully patches Netware 6.5 server and we took the decision to move it to a SLES 11 SP 2 OES 11 server and re-create all the certificates - following Option 2 for TID 3618399.
  We re-ran PKIDIAG on the Novell server and tckeygen, and restarted and everything seemed fine - Groupwise (8) webaccess and the PO using ldap auth were working. But this morning we've discovered that ldap is failing to do secure binds for iprint secure printers and iFolder. We see this error message in the log screen:
  >11:45:44 11:45:44 ldap *MASTER[xxxx.our-domain.com] connection restored
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][-1] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][0] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][1] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][2] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][3] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][4] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][5] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][6] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][7] ldap_simple_bind : Can't contact LDAP server(81)
  >11:45:44 11:45:44 ldap iFolder_ldap01[xxxx.our-domain.com] connection restored
  >11:46:41 11:46:41 iFolder_ldap01[xxxx.our-domain.com][-1] ldap_simple_bind: Can't contact LDAP server(81)
  >11:46:41 11:46:41 ldap iFolder_ldap01[xxxx.our-domain.com] down
  >11:46:41 11:46:41 ldap *MASTER[xxxx.our-domain.com] down
  and in the apache error log we see:
  [Tue Aug 27 11:30:08 2013] [error] [client 10.0.0.43] no acceptable variant: SYS:/apache2/error/HTTP_UNAUTHORIZED.html.var
  [Tue Aug 27 11:30:08 2013] [warn] [client 10.0.0.43] [10] auth_ldapdn authenticate: user bob authentication failed; URI /ipps/Ricoh [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
  Nothing else was charged other than creating a new CA (on a new server), removing the old one from eDirectory and generating the new certificates. If we use a web browser to the server to check the certificate we see that the CA cannot be validated as it is internal and not a publicly trusted one, but IIRC the old CA did the same.
  PKIDiag and SDIDiag report no issues. The only thing I can imagine that could be causing the issue is the fact the CA is no longer on the same server hosting iFolder and iPrint. Both server host eDirectory and are part of the same replica ring, they can communicate and also time is synchronised.
  Any ideas?
  Mark.

  Thanks for the quick response, I followed your trace settings above arnd here are the results:
  LDAP: [2013/08/27 12:42:12.701] Monitor 0x1ba terminating
  LDAP: [2013/08/27 12:42:12.798] Listener closing cleartext port 389
  LDAP: [2013/08/27 12:42:12.798] Listener closing TLS port 636
  LDAP: [2013/08/27 12:42:12.798] Listener closing connectionless port 389
  LDAP: [2013/08/27 12:42:12.802] Removing TLS module dependencies
  LDAP: [2013/08/27 12:42:12.802] Removing SASL module dependencies
  LDAP: [2013/08/27 12:42:12.907] LDAP Agent for Novell eDirectory 8.8 SP5 (20506.06) stopped
  LDAP: [2013/08/27 12:42:18.17] NDS attribute "staticMember" does not exist, mapping ignored
  LDAP: [2013/08/27 12:42:18.21] Duplicate LDAP class name: "alias" (ignored)
  LDAP: [2013/08/27 12:42:18.98] LDAP Agent for Novell eDirectory 8.8 SP5 (20506.06) started
  LDAP: [2013/08/27 12:42:18.98] Updating server configuration
  LDAP: [2013/08/27 12:42:18.98] Work info status: Total:2 Peak:2 Busy:0
  LDAP: [2013/08/27 12:42:18.98] Thread pool status: Total:2 Peak:2 Busy:2
  LDAP: [2013/08/27 12:42:18.218] Listener applying new configuration
  LDAP: [2013/08/27 12:42:18.218] LDAPURL: ldap://:389
  LDAP: [2013/08/27 12:42:18.218] Listener setting up cleartext port 389
  LDAP: [2013/08/27 12:42:18.218] LDAPURL: ldaps://:636
  LDAP: [2013/08/27 12:42:18.218] Listener setting up TLS port 636
  LDAP: [2013/08/27 12:42:18.218] LDAPURL: cldap://:389
  LDAP: [2013/08/27 12:42:18.218] Listener setting up connectionless port 389
  LDAP: [2013/08/27 12:42:18.218] TLS EXPORT ciphers or higher required for TLS connections
  LDAP: [2013/08/27 12:42:18.219] TLS initialization sucessfully completed
  LDAP: [2013/08/27 12:42:18.315] TLS configured successfully
  LDAP: [2013/08/27 12:42:18.327] Adding SASL module dependencies
  LDAP: [2013/08/27 12:42:18.329] SASL initialized successfully
  LDAP: [2013/08/27 12:42:18.329] SASL configured successfully
  LDAP: [2013/08/27 12:42:22.286] Created new monitor 0x0
  LDAP: [2013/08/27 12:42:22.286] Monitor 0x20b started
  LDAP: [2013/08/27 12:42:22.287] TLS accept failure 1 on connection 0xa284e160, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:42:22.287] TLS handshake failed on connection 0xa284e160, err = -5875
  LDAP: [2013/08/27 12:42:22.287] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:17.861] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:17.861] DoBind on connection 0xa284e160
  LDAP: [2013/08/27 12:43:17.861] Bind name:cn=admin,o=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:17.863] Sending operation result 0:"":"" to connection 0xa284e160
  LDAP: [2013/08/27 12:43:18.921] DoUnbind on connection 0xa284e160
  LDAP: [2013/08/27 12:43:18.921] Preempting operation 0x0:0x0 on connection 0xa284e160 before processing because connection is closing
  LDAP: [2013/08/27 12:43:19.904] DoBind on connection 0xa284e160
  LDAP: [2013/08/27 12:43:19.905] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.905] Sending operation result 0:"":"" to connection 0xa284e160
  LDAP: [2013/08/27 12:43:19.906] DoUnbind on connection 0xa284e160
  LDAP: [2013/08/27 12:43:19.906] DoBind on connection 0xa284e160
  LDAP: [2013/08/27 12:43:19.906] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.907] Sending operation result 0:"":"" to connection 0xa284e160
  LDAP: [2013/08/27 12:43:19.907] DoBind on connection 0xa284e2c0
  LDAP: [2013/08/27 12:43:19.907] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.908] Sending operation result 0:"":"" to connection 0xa284e2c0
  LDAP: [2013/08/27 12:43:19.908] DoBind on connection 0xa284e420
  LDAP: [2013/08/27 12:43:19.908] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.909] Sending operation result 0:"":"" to connection 0xa284e420
  LDAP: [2013/08/27 12:43:19.909] DoBind on connection 0xa284e580
  LDAP: [2013/08/27 12:43:19.909] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.910] Sending operation result 0:"":"" to connection 0xa284e580
  LDAP: [2013/08/27 12:43:19.910] DoBind on connection 0xa284e6e0
  LDAP: [2013/08/27 12:43:19.910] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.910] Sending operation result 0:"":"" to connection 0xa284e6e0
  LDAP: [2013/08/27 12:43:19.911] DoBind on connection 0xa284e840
  LDAP: [2013/08/27 12:43:19.911] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.911] Sending operation result 0:"":"" to connection 0xa284e840
  LDAP: [2013/08/27 12:43:19.912] DoBind on connection 0xa284e9a0
  LDAP: [2013/08/27 12:43:19.912] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.912] Sending operation result 0:"":"" to connection 0xa284e9a0
  LDAP: [2013/08/27 12:43:19.913] DoBind on connection 0xa284eb00
  LDAP: [2013/08/27 12:43:19.913] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
  LDAP: [2013/08/27 12:43:19.913] Sending operation result 0:"":"" to connection 0xa284eb00
  LDAP: [2013/08/27 12:43:19.923] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.923] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.923] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:19.925] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.925] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.925] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:19.926] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.926] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.926] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:19.927] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.927] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.927] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:19.929] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.929] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.929] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:19.930] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.930] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.930] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:19.932] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.932] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.932] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:19.933] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.933] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.933] BIO ctrl called with unknown cmd 7
  LDAP: [2013/08/27 12:43:19.934] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
  LDAP: [2013/08/27 12:43:19.934] TLS handshake failed on connection 0xa284ec60, err = -5875
  LDAP: [2013/08/27 12:43:19.934] BIO ctrl called with unknown cmd 7
  I'm now pretty sure that the cert is being invalidated because the new CA is not trusted by the old server. Strange that PKIDiag has no problems with it. So really looking for a way to authorise a CA for ldap secure I think.
  I can connect to the server over ldaps (port 636) using Softerra Ldap browser from my PC, again I get the certificate not valid as we have the internal CA authorising it, but you can accept the certificate and authenticate fine and use LDAP.
  BR,
  Mark.

• Java ftp server which can use LDAP, how to integrate with WLS' implementation of LDAP?

  Howdy.
  I'm setting up a java ftp server
  (http://www.mycgiserver.com/~ranab/ftp/index.html) which is capable of using
  LDAP for it's user security. I would like to integrate this ftp server with
  wls' implementation of LDAP so I only have to admin one user list.
  Does wls put it's user list in the LDAP or in it's own proprietary setup? I
  tried playing around with it, but the users don't seem to appear in the JNDI
  tree. Is this where the LDAP stuff is located? I thought it was in there?
  If it's in it's own setup, is there a way to propagate the users to LDAP?
  If these look like newbie Q&A, I guess they kind of are, I'm new to LDAP.
  Thanks for any input you might have.

  Peter,
  If you are talking about using the embedded LDAP server in WLS 7.0 for this purpose
  I think you are going done the wrong path.
  Look at the following URL on how to use an external LDAP server for your custom
  application
  http://e-docs.bea.com/wls/docs70/secmanage/realm.html#1172008
  Chuck Nelson
  DRE
  BEA Technical Support

• Authentication getting failed in sun one Ldap

  HI,
  Any one please can assist me for sun one ldap.
  My application developed(ldap related) based on lotus domino ldap server and webspere.
  now we are trying to deploy the same code with Websphere and sun one ldap server at our local environment.
  Iam getting the prblem of authentication fail.
  please follow the logs as.
  My question is what ever the code written for lotus domino is compatible with sun one ldap.Iam new to LDAP .
  pls any one give the suggestions.
  LDAP Interface: Performing LDAP authentication for user [NYilmaz]
  17 Dec 2007 18:43:13,359 [WARN ] NABLDAP: Transmission will be over an unencrypted connection. The username and password are transmitted in clear text form which is very insecure. Consider replacing the LDAP protocol with LDAPS (SSL).
  17 Dec 2007 18:43:13,359 [DEBUG] NABLDAP: Establishing a new authenticating connection to [ldap://gpat.bsdev.com]
  17 Dec 2007 18:43:13,375 [INFO ] NABLDAP: Failed to authenticate with the remote server on [ldap://gpat.bsdev.com] because of error '[LDAP: error code 34 - Invalid DN]'
  17 Dec 2007 18:43:13,375 [WARN ] LDAP Interface: Unsuccessful authentication attempt for user [NYilmaz]
  17 Dec 2007 18:43:13,375 [DEBUG] LDAP Interface: Writing the value {javax.naming.InvalidNameException:[LDAP: error code 34 - Invalid DN]} to General[1].OnionErrorMessage
  17 Dec 2007 18:43:13,390 [WARN ] NABLDAP: Transmission will be over an unencrypted connection. Consider replacing the LDAP protocol with LDAPS (SSL).
  17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Establishing a new anonymous connection to [ldap://gpat.bsdev.com]
  17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Connection established.
  17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Searching remote LDAP directory using the filter of [(&(objectclass=person)(&(cn=NYilmaz)))]

  Hello Vinay,
  when configuring multiple Ldap directories, There are a number of prerequisities that you need to
  consider.
  For example, One prerequisite for Multi domains is that logon IDs must be unique across mutliple LDAP datasources. This will cause issue if duplicate IDs exist.
  Please see the following Documentation and notes for more information on this.
  Examples of Data Source Configuration Files - Identity Management - SAP Library
  Example: Configuration of Multiple LDAP Data Sources - Identity Management - SAP Library
  1618342 - Multiple LDAP Datasources - Active Directories where logon IDs
  are not unique
  762419 - Multi-Domain Logon Using Microsoft Active Directory
  Please have a look at the above notes which documet this and also tells
  you what to do in these situations.
  Regards,
  David

• Unable to Retrieve Attributes from LDAP Server

  I have a problem. I was wondering if anyone can assist me. I am new to LDAP servers and JNDI. I cannot retrieve any attributes from the users listed in my data entry. Any assistance would be greatly appreciated! Thanks.
  I created an entry in the LDAP server that looks like this:
  �o=somedn�
  |
  �ou=people, o=somedn�
  The �ou=people, o=somedn� entry contains fictitious users. The LDAP server is connected to a MySQL database. When I write Java code to read the attributes of a given user whose fullname (cn) is �Vinny Luigi�, as listed in the database, I receive an error that starts with the following:
  javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=Vinny Luigi,ou=people'
  The code I used is based on the Sun JNDI tutorial. Sun�s code is at http://java.sun.com/products/jndi/tutorial/basics/directory/src/GetattrsAll.java. My version of the code is below:
  * @(#)GetattrsAll.java     1.5 00/04/28
  * Copyright 1997, 1998, 1999 Sun Microsystems, Inc. All Rights
  * Reserved.
  * Sun grants you ("Licensee") a non-exclusive, royalty free,
  * license to use, modify and redistribute this software in source and
  * binary code form, provided that i) this copyright notice and license
  * appear on all copies of the software; and ii) Licensee does not
  * utilize the software in a manner which is disparaging to Sun.
  * This software is provided "AS IS," without a warranty of any
  * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
  * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
  * HEREBY EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE
  * FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING,
  * MODIFYING OR DISTRIBUTING THE SOFTWARE OR ITS DERIVATIVES. IN
  * NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
  * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,
  * CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
  * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT
  * OF THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS
  * BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  * This software is not designed or intended for use in on-line
  * control of aircraft, air traffic, aircraft navigation or aircraft
  * communications; or in the design, construction, operation or
  * maintenance of any nuclear facility. Licensee represents and warrants
  * that it will not use or redistribute the Software for such purposes.
  import javax.naming.*;
  import javax.naming.directory.*;
  import java.util.Hashtable;
  * Demonstrates how to retrieve all attributes of a named object.
  * usage: java GetattrsAll
  class GetattrsAll
       static void printAttrs(Attributes attrs)
            if (attrs == null)
                 System.out.println("No attributes");
            else
                 /* Print each attribute */
                 try
                      for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();)
                           Attribute attr = (Attribute) ae.next();
                           System.out.println("attribute: " + attr.getID());
                           /* print each value */
                           for (NamingEnumeration e = attr.getAll(); e.hasMore(); System.out.println("value: " + e.next()) )
                 } catch (NamingException e) {
                      e.printStackTrace();
       public static void main(String[] args) {
            // Set up the environment for creating the initial context
            Hashtable env = new Hashtable(100);
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                      "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://localhost:10389/o=somedn");
            try {
                 // Create the initial context
                 DirContext ctx = new InitialDirContext(env);
                 // Get all the attributes of named object
                 System.out.println("About to use ctx.getAttributes()");
                 Attributes answer = ctx.getAttributes("cn=Vinny Luigi,ou=people");
                 // Print the answer
                 printAttrs(answer);
                 // Close the context when we're done
                 ctx.close();
            } catch (Exception e) {
                 e.printStackTrace();
  The primary key of the database is id_pk. Below is a copy of the mapping.xml file which maps the LDAP server entry to the database:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE mapping PUBLIC "-//Penrose/DTD Mapping 1.2//EN" "http://penrose.safehaus.org/dtd/mapping.dtd">
  <mapping>
  <entry dn="o=somedn">
  <oc>organization</oc>
  <oc>top</oc>
  <at name="o" rdn="true">
  <constant>somedn</constant>
  </at>
  <aci>
  <permission>rs</permission>
  </aci>
  </entry>
  <entry dn="ou=people,o=somedn">
  <oc>inetOrgPerson</oc>
  <oc>organizationalPerson</oc>
  <oc>organizationalUnit</oc>
  <oc>person</oc>
  <oc>top</oc>
  <at name="cn">
  <constant>"fullname"</constant>
  </at>
  <at name="ou" rdn="true">
  <constant>people</constant>
  </at>
  <at name="sn">
  <constant>"lastname"</constant>
  </at>
  </entry>
  <entry dn="id_pk=...,ou=people,o=somedn">
  <oc>inetOrgPerson</oc>
  <oc>organizationalPerson</oc>
  <oc>person</oc>
  <oc>top</oc>
  <at name="Position_">
  <variable>usertable9.Position_</variable>
  </at>
  <at name="id_pk" rdn="true">
  <variable>usertable9.id_pk</variable>
  </at>
  <at name="fullname">
  <variable>usertable9.fullname</variable>
  </at>
  <at name="lastname">
  <variable>usertable9.lastname</variable>
  </at>
  <at name="cn">
  <variable>usertable9.fullname</variable>
  </at>
  <at name="sn">
  <variable>usertable9.lastname</variable>
  </at>
  <source name="usertable9">
  <source-name>usertable9</source-name>
  <field name="Position_">
  <variable>Position_</variable>
  </field>
  <field name="id_pk">
  <variable>id_pk</variable>
  </field>
  <field name="fullname">
  <variable>cn</variable>
  </field>
  <field name="lastname">
  <variable>sn</variable>
  </field>
  </source>
  </entry>
  </mapping>
  Thanks.

  The complete name (Distinguished Name) of the user you're searching is 'cn=Vinny Luigi,ou=people,o=somedn'.
  Regards,
  Ludovic.

• OD, LDAP and DNS

  I am new to LDAP and I believe I have everything setup correctly on the server (everything under Open Directory in SA says "Running", logs don't show any errors). However, I can not access the LDAP server from a client machine using Directory Access. I suspect that client machines still can not "see" my LDAP server.
  I believe the issue may be with DNS and I am trying to understand the interaction between DNS and OD, etc. First off, I do not have DNS turned on for my Mac OS X Server since my ISP has always hosted our DNS. Is this a problem? Do I need DNS activated on the same server that I am running this LDAP server? I have tried entering the IP and DNS name on the client server using Directory Access and neither worked.

  The requirement is that references using your server's Fully Qualified Domain Name look up to its IP Address and its IP Address looks up to its Fully Qualified Domain Name. If your ISP does that for you, and does it correctly, Merry Christmas!
  All others must set up their own tiny DNS service to do the lookups. If you are behind an NAT firewall, you can Make Up whatever names you like and look them up locally, because they are invisible from the Internet.
  Remember that each workstation must have the address of the DNS available to it. It needs to be configured in the TCP/IP setup or dispensed via DHCP. If you use your own DNS (highly recommended) you must also dispense or configure the next upstream DNS (your ISP's DNS Address).
  "An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.
  Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups.
  DNS must resolve the fully qualified DNS name and provide reverse lookups for the Open Directory master server, all replica servers, and other servers that are members of the Kerberos realm.
  You can use the Lookup pane of Network Utility (in /Applications/Utilities/) to do a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address.
  For instructions on setting up DNS service, browse Network Services Overview."
  -- from Server Admin 10.4 Help: Kerberos is Stopped on an Open Directory Master or Replica
  Message was edited by: Grant Bennet-Alder

• Securing LDAP username and password in Websphere

  Hi all,
  I am new to LDAP and WAS. I want to secure the username and password for my LDAP server. Right now i have two choices for using the username and password for the LDAP
  1. i can put the username and password in a properties file.( but then it makes my application insecure....anybody can read it )
  2. I can put them in a .java file and after compilation it would be converted to the class file.( but in this approach anyone who knows in which file it is residing can use a decompiler to read it)
  I have seen one implementation for DB2 in which they make a datastore in the application server that holds the username and password for the DB2 server. I want to use same kind of facility for my application.
  Can anyone help me with this...?

  The error description is:
  =================================
  TNS-12560 TNS:protocol adapter error
  Cause: A generic protocol adapter error occurred.
  Action: Check addresses used for proper protocol specification. Before
  reporting this error, look at the error stack and check for lower level transport
  errors.For further details, turn on tracing and re-execute the operation. Turn off
  tracing when the operation is complete.
  ===================================
  Did you start your Oracle service before trying to connect?
  Are you able to run your listener successfully?
  did you setup a TNSNAMES entry for your database?
  did you try connecting to the database by using scott/tiger@<tnsnames entry>

• Retrieve LDAP data in Chunks using DBMS_LDAP

  Need help in getting the LDAP data in Chunks using the DBMS_LDAP. The reason being i have over 8000 records in the AD and it is configured that i cannot retrieve more than 1000 at a stretch.
  The AD administrator had given me an option of fetching it based on the pagesize which they use on AD.
  Dim DirSearcher As New DirectorySearcher()
  DirSearcher.SearchRoot = New DirectoryEntry("LDAP://" & System.Environment.UserDomainName)
  DirSearcher.Filter = "(&(objectclass=user)(objectcategory=person))"
  DirSearcher.PageSize = 1000
  Can we have something like this done in the DBMS_LDAP package to fetch the records in AD in chunks of 1000 records?
  version details
  Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Prod
  PL/SQL Release 10.2.0.4.0 - Production

  if there are more than 1000 entries which starts with a character, how will this solution work?You would have to incorporate one more loop (and so on, in case it still errors out):
    for c in ascii ('a') .. ascii ('z')
    loop
      for d in ascii ('a') .. ascii ('z')
      loop
        l_retval :=
          dbms_ldap.search_s (ld         => ld
                              base       => base,
                              scope      => dbms_ldap.scope_subtree,
                              filter     => '(&(objectCategory=person)(objectClass=user)(sAMAccountName=' || chr (c) || chr(d) || '*))',
                              attrs      => attrs,
                              attronly   => 0,
                              res        => res
      end loop; 
    end loop; 
  ...Not nice I know, but it seems to be the only way to avoid »ORA-31202: DBMS_LDAP: LDAP client/server error: Sizelimit exceeded«.

• LDAP Search returns only 1200 records

  Hi!
  I'm having trouble searching an LDAP registry containing about 20 000 records. If I configure a search that should return about 15000 records I only get 1200 with the following error message when iterating through the NamingEnumeration:
  Unexpected exception occured at record 1200: javax.naming.SizeLimitExceededExcep
  tion: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'o=ericsson'
  Code:
  package erildap;
  import javax.naming.*;
  import javax.naming.directory.*;
  import java.util.Hashtable;
  * Title:
  * Description:
  * Copyright: Copyright (c) 2001
  * Company: Numenor Communication AB
  * @author Andreas Gl�ckner
  * @version 1.0
  public class EgdLdap {
  Hashtable props = null;
  DirContext context = null;
  String server = null;
  int port;
  int version;
  public EgdLdap(String ldapServer, int port, int LdapVersion) {
  this.server = ldapServer;
  this.port = port;
  this.version = LdapVersion;
  static public void main(String[] args){
  SearchResult result = null;
  Attribute a = null;
  EgdLdap ldapObj = new EgdLdap("ldap.server.se",389, 3);
  try{
  ldapObj.connect();
  }catch(NamingException ex){
  System.out.println(ex.toString());
  String filter="(&(uid=qandglo)(ou=esg))";
  String[] returnAttrib = {"uid", "ou", "givenName", "departmentNumber", "L", "mail"};
  int scope = SearchControls.SUBTREE_SCOPE;
  NamingEnumeration enum = ldapObj.search("o=ericsson,ou=esg", filter, returnAttrib , scope);
  int i = 1;
  try{
  if (enum != null){
  while (enum.hasMoreElements()){
  result = (SearchResult)enum.nextElement();
  NamingEnumeration attributes = result.getAttributes().getAll();
  while(attributes.hasMore()){
  a = (Attribute)attributes.next();
  System.out.println(i+". "+a.toString());
  i++;
  }catch(Exception e){
  System.out.println(e.toString());
  e.printStackTrace();
  public void connect() throws NamingException{
  try{
  props = new Hashtable();
  props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  props.put(Context.PROVIDER_URL, "ldap://" + this.server + ":" + this.port);
  props.put("java.naming.ldap.version",String.valueOf(this.version));
  context = new InitialDirContext(props);
  }catch (NamingException e){
  System.out.println("Failed to connect to: " + this.server);
  props=null;
  throw e;
  System.out.println("Succesfully connected to: " + this.server);
  public void traverse(){
  try{
  Attributes at = context.getAttributes("cn=q*,o=ericsson");
  NamingEnumeration enum = at.getAll();
  while(enum.hasMore()){
  System.out.println(((Object)enum.next()).toString());
  }catch(NamingException e){
  System.out.println(e.toString());
  public NamingEnumeration search(String name, String filter, String[] returnAttribs, int type){
  NamingEnumeration result = null;
  SearchControls ctrl = new SearchControls();
  ctrl.setSearchScope(type);
  ctrl.setReturningAttributes(returnAttribs);
  if(context != null){
  try{
  result = context.search(name, filter, ctrl);
  }catch(NamingException e){
  System.out.println(e.toString());
  return result;
  }

  Hi,
  Two possible reasons:
  1. The size of the search results returned would have been controlled by the directory services administrator (Cross- check with the dir. services administrative options.
  2. Have you set the size limit programatically... using SearchControls.setSizeLimit(...) you should be using
  SearchControls.setSizeLimit(0) which returns all the results.
  Hope this hleps,
  Sathya Sayee.S

• LDAP not returning correct number of results through Java?

  Hello all,
  I've written a little testing application for my new shiny LDAP server and have the following method in it, which performs a search based on department number:
  public Vector searchLDAP(String depNumber) throws NamingException          
            String uid;
            String mobile;
            String givenName;
            String sn;
            String telephoneNumber;
            String departmentNumber;
            String employeeType;
            String employeeNumber;
            String reportsTo;
            Vector people = new Vector();
            Attributes matchAttributes = new BasicAttributes(false);
            matchAttributes.put(new BasicAttribute("departmentnumber", depNumber));
            NamingEnumeration results = ctx.search(base, matchAttributes);
            SearchResult tempSR;
            Attributes tempAtt;
            LDAPPerson tmp;
            while(results.hasMore())
                 uid = "";
                 mobile = "";
                 givenName = "";
                 sn = "";
                 telephoneNumber = "";
                 departmentNumber = "";
                 employeeType = "";
                 employeeNumber = "";
                 reportsTo = "";
                 tempSR = (SearchResult) results.next();
                 tempAtt = tempSR.getAttributes();
                 if(atts.get("uid")!=null)
                       uid = (String)atts.get("uid").get();
                 if(atts.get("mobile")!=null)
                        mobile = (String)atts.get("mobile").get();
                 if(atts.get("givenname")!=null)
                        givenName = (String)atts.get("givenname").get();
                 if(atts.get("sn")!=null)
                        sn = (String)atts.get("sn").get();
                 System.out.println("Working with " + sn);
                 if(atts.get("telephonenumber")!=null)
                        telephoneNumber = (String)atts.get("telephonenumber").get();
                 if(atts.get("departmentNumber")!=null)
                        departmentNumber = (String)atts.get("departmentNumber").get();
                 if(atts.get("employeeType")!=null)
                        employeeType = (String)atts.get("employeeType").get();
                 if(atts.get("employeenumber")!=null)
                        employeeNumber = (String)atts.get("employeeNumber").get();
                 if(atts.get("reportsTo")!=null)
                        reportsTo = (String)atts.get("reportsTo").get();
                 tmp = new LDAPPerson(uid, mobile, givenName, sn, telephoneNumber, departmentNumber, employeeType, employeeNumber, reportsTo);     
                 people.add(tmp);
            return people;
       }But for some reason (perhaps too much coding and not enough coffee?) I get the same person's details twice, instead of the two users I'm a) expecting and b) have retrieved using ldapsearch on the command line.
  Have I done something really stupid or is there something I'm not aware of?
  Thanks!
  Gemma

  Hello Gemma!
  I think you have used a global class attribute atts and not tempAttr. So you get anything else but not what you wish.
  So i think you should change the code in the following way,
  i thing it should work ...
  (Sorry for the bad code formatting ...)
  Greetings
  public Vector searchLDAP(DirContext ctx, String base, String depNumber) throws NamingException     
  String uid;
  String mobile;
  String givenName;
  String sn;
  String telephoneNumber;
  String departmentNumber;
  String employeeType;
  String employeeNumber;
  String reportsTo;
  Vector people = new Vector();
  Attributes matchAttributes = new BasicAttributes(false);
  matchAttributes.put(new BasicAttribute("departmentnumber", depNumber));
  NamingEnumeration results = ctx.search(base, matchAttributes);
  while(results.hasMore())
  uid = "";
  mobile = "";
  givenName = "";
  sn = "";
  telephoneNumber = "";
  departmentNumber = "";
  employeeType = "";
  employeeNumber = "";
  reportsTo = "";
  SearchResult tempSR = (SearchResult) results.next();
  Attributes atts = tempSR.getAttributes();
       if(atts.get("uid")!=null)
       uid = (String)atts.get("uid").get();
       if(atts.get("mobile")!=null)
            mobile = (String)atts.get("mobile").get();
       if(atts.get("givenname")!=null)
  givenName = (String)atts.get("givenname").get();
       if(atts.get("sn")!=null)
       sn = (String)atts.get("sn").get();
       System.out.println("Working with " + sn);
       if(atts.get("telephonenumber")!=null)
  telephoneNumber = (String)atts.get("telephonenumber").get();
       if(atts.get("departmentNumber")!=null)
  departmentNumber = (String)atts.get("departmentNumber").get();
       if(atts.get("employeeType")!=null)
  employeeType = (String)atts.get("employeeType").get();
       if(atts.get("employeenumber")!=null)
  employeeNumber = (String)atts.get("employeeNumber").get();
       if(atts.get("reportsTo")!=null)
  reportsTo = (String)atts.get("reportsTo").get();
  LDAPPerson tmp = new LDAPPerson(uid, mobile, givenName, sn, telephoneNumber, departmentNumber, employeeType, employeeNumber, reportsTo);     
       people.add(tmp);
  return people;

• Anonymous Connection To Active Directory LDAP

  I am trying to connect anonymously to my organization's LDAP server just to read a set of user details. My .NET coworkers use a relatively simple set of code to connect:
      DirectoryEntry entry = new DirectoryEntry("LDAP://organizationdomain");
      DirectorySearcher searcher = new DirectorySearcher(entry);
      searcher.Filter = "(&(!(objectCategory=Computer))(|(objectClass=user)(objectClass=group))(name=" + LDAPDisplayName + "))";
      SearchResult srresult = searcher.FindOne();
      string sAMAccountName = (string)srresult.Properties["sAMAccountName"][0];
      return sAMAccountName;I have attempting to connect with the following Java code, using Spring-LDAP's LDAP Template and an LDAP DAO.
          public List getContactNames() {
              return ldapTemplate.search("","(objectclass=person)", new AttributesMapper() {
                  public Object mapFromAttributes(Attributes attributes) throws NamingException {
                      return attributes.get("cn").get();
          }Unfortunately, the following exception is thrown:
      org.springframework.ldap.ServiceUnavailableException: organization.org:389; socket closed; nested exception is javax.naming.ServiceUnavailableException: organization.org:389; socket closed
      Caused by: javax.naming.ServiceUnavailableException: organization.org:389; socket closed
           at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
           at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
           at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
           at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
           at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
           at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
           at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
           at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
           at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
           at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
           at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
           at javax.naming.InitialContext.init(Unknown Source)
           at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
              (etc)In the .NET snippet, note that no username/password is provided. As such, I'm trying to avoid providing one in the Java version.

  I don't know what the LDAP template does (for example whether it gobbles up the underlying LDAP error message), but there are a couple of things to note when contrasting the .NET Framework and the System.DirectoryServices namespace with Java & JNDI.
  Firstly S.DS is "clever enough" to use the Domain Controller (DC) locator service, so that when given a ldap url contining just a domain name (for example LDAP://ANTIPODES) it automagically queries DNS for the ldap.tcp RR's and can retrieve the fully qualified dns name of a domain controller in the closest site.
  Secondly if no credentials are explicitly passed to S.DS, then it assumes the identity of the currently logged on user (ie. it is not an anonymous connection).
  On the other hand with Java/JNDI, while it can use a domain name in teh ldap url and retrieve the dns name of a domain controller from DNS, it is not site aware and you may not be connected to your closest DC.Also you either need to explicity provide credentials or enable anonymous access to AD. You could use Kerberos and use a previously issued TGT to authenticate to AD without entering a username/password.