
LDAP authentication VBA


Hi,

I am a relative newb with LDAP. Basically we have eDirectory, and I am
trying to authenticate a user name and password on a request form I have
created in Excel.

I have a module I have made and have tested it on an Active Directory
server, and it works; however, where I work I have been unable to get it
to work at all.

Basically, with the way our network works you have to query the cn to
return the DN and then authenticate against that, I think because there
are a lot of sites and everyone's DN has a different ou and o against it.

Currently I can return the DN by searching the cn, but when I try to
authenticate with the password I get the following in my immediate window:


Code:
--------------------
1
LDAP://172.19.0.223/cn=AMcInnes,ou=Unknown,ou=Openshaw,o=CCM
cn=AMcInnes,ou=Unknown,ou=Openshaw,o=CCM
**** ERROR: -2147023570
(LDAP_INVALID_CREDENTIALS) ERROR_LOGON_FAILURE - The supplied credential is invalid.
--------------------


Top to bottom, this is: count of matches to the cn, ADsPath, DN, error number,
error description.

So it tells me the user name and password are wrong, when they are not.
I know very little about LDAP, so can anyone tell me where I am going
wrong? Are there some server settings that I am missing, or does my code
reference functions that aren't available on eDirectory?

Here is my spreadsheet with a sample module; you can enter your server,
username and password and choose whether you want to bind by DN or by user name.

'Excel Help Forum'
(http://www.excelforum.com/attachments/excel-programming/98591d1297444195-ldap-ado-adsi-problem-ldap-vba.xls)

Hope you can help

Andy


--
mcinnes01
------------------------------------------------------------------------
mcinnes01's Profile: http://forums.novell.com/member.php?userid=104516
View this thread: http://forums.novell.com/showthread.php?t=432289


Re: LDAP authentication VBA


Probably a better question for the eDirectory forum, but here are some
ideas anyway.

eDirectory, by default, does not allow binding over the LDAP (vs. LDAPS)
port with passwords because it involves sending passwords over the wire
without any encryption (a bad idea in most cases). If this is the problem
you would see an error of LDAP 13 Confidentiality Required. Typically for
testing LDAP services I find Apache Directory Studio to be about the best
there is out there, and it's cross-platform and free so give that a shot
to rule in/out the eDirectory security settings. If that's the case
either bind using port 636 (the default LDAPS port) which is secured via
SSL/TLS or change the eDirectory settings to allow insecure simple binds
with passwords on the LDAP Server object for this server within
eDirectory, then restart eDirectory.

Also, in case your eDirectory machine has another LDAP service on it be
sure that you are hitting eDirectory with your client and not the other
LDAP service.

Good luck.


On 02/11/2011 10:36 AM, mcinnes01 wrote:


Re: LDAP authentication VBA


Thanks Ab, I will let you know how I get on.

Andy



Re: LDAP authentication VBA


Hi Ab,

I now understand a little more about our network, and it's a little more
complex than I originally thought. We have one eDirectory that is the
master where all records are set up. This then creates a record on
another eDirectory that is used as a repository and has an IDM validating
and distributing the records to the 4 various domains that run Active
Directory.

I need to query the master eDirectory, which I have been doing; however,
I now know that we do not allow simple text-over-the-wire password
binds. We also do not use SSL, and I doubt very much that IT would
compromise security by allowing simple binds.

Are there any other ways around this?

This is my code below; bear in mind that, from what you have said, it won't work.
Are there any ways around not being able to send a simple bind, or not having
SSL, that I can use in VBA? How do you bind passwords without SSL or
text over the wire?


Code:
--------------------
Sub ldaptestCC()
    ' Look up the user's DN by cn via an ADO/ADSI search, then try to bind
    ' as that user with the password from the form. Declarations added for
    ' the variables the original left implicit so this compiles under
    ' Option Explicit; the unused IADsContainer variable has been dropped.
    Dim DN As String
    Dim y As String
    Dim objADsUser As IADsUser
    Dim objADsGroup As IADsGroup
    Dim strUsername As String
    Dim strPassword As String
    Dim ado As Object          ' ADODB.Connection (late-bound)
    Dim Ol As Object           ' ADODB.Recordset returned by Execute
    Dim serverName As String
    Dim filterStr As String
    Dim passt As String        ' ADsPath of the single match, e.g. LDAP://server/DN
    Dim lastPos As Integer
    Dim dso As IADsOpenDSObject

    ' ADSI authentication flags (ADS_AUTHENTICATION_ENUM).
    ' ADS_SECURE_AUTHENTICATION requests a Windows SSPI (Kerberos/NTLM)
    ' negotiated bind, which eDirectory does not offer, so this flag does
    ' not behave against eDirectory as it does against Active Directory.
    ' The SSL bind on port 636 suggested in the replies uses
    ' ADS_USE_SSL_ENCRYPTION (&H2), which this code does not yet set.
    Const ADS_SECURE_AUTHENTICATION = &H1
    Const ADS_SERVER_BIND = &H200

    Set ado = CreateObject("ADODB.Connection")
    ado.Provider = "ADSDSOObject"
    ado.Open "NameSearch"

    serverName = UserForm1.TextBox3.Value
    ' The cn typed into the form goes into the filter unescaped, so a value
    ' containing ( ) * or \ changes the meaning of the filter.
    filterStr = "(cn=" & UserForm1.TextBox1.Value & ")"

    ' ADSI SQL-dialect search string: <base>;filter;attributes;scope
    Set Ol = ado.Execute("<LDAP://" & serverName & ">;" & filterStr & ";ADsPath;SubTree")

    Debug.Print Ol.RecordCount

    If Ol.EOF Then
        Debug.Print "No such user found"
    ElseIf Ol.RecordCount > 1 Then
        Debug.Print "Too many users found"
    Else
        Debug.Print Ol.Fields(0).Value
        passt = Ol.Fields("ADsPath").Value
        ' The DN is everything after the last "/" of LDAP://server/DN
        lastPos = InStrRev(passt, "/")
        DN = Mid(passt, lastPos + 1)
        Debug.Print DN

        strUsername = UserForm1.TextBox1.Value
        strPassword = UserForm1.TextBox2.Value

        Set dso = GetObject("LDAP:")

        On Error GoTo Cleanup

        If UserForm1.OptionButton1.Value = True Then
            ' Bind with the full DN found by the search
            Set objADsUser = dso.OpenDSObject(passt, DN, strPassword, ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
        Else
            ' Bind with the bare user name as typed
            Set objADsUser = dso.OpenDSObject(passt, strUsername, strPassword, ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
        End If

        Debug.Print objADsUser.ADsPath
        MsgBox objADsUser.ADsPath
        For Each objADsGroup In objADsUser.Groups
            Debug.Print objADsGroup.Name
            MsgBox objADsGroup.Name
        Next
    End If

    ' Success path: release objects and leave before the error handler,
    ' which the original fell through into and so reported "ERROR: 0".
    On Error GoTo 0
    Set dso = Nothing
    Set objADsUser = Nothing
    ado.Close
    Exit Sub

Cleanup:
    ' DisplayADSIError is a helper in the attached workbook (not shown here).
    y = "**** ERROR: " & Err.Number & vbLf & DisplayADSIError(Err.Number, Err.Description)
    MsgBox y
    Debug.Print y
    Set dso = Nothing
    Set objADsUser = Nothing
    ado.Close
End Sub
--------------------



Any help is much appreciated, cheers,

Andy



Re: LDAP authentication VBA


If you cannot bind with passwords using either a secure or an insecure
connection... there's not much left. eDirectory, by default out of the
box, sets up SSL for connections. Why can you not do that? It's the best
way and, as mentioned, works out of the box. Other directories may not
have that from the start, but eDirectory has for as long as I can remember.

Good luck.


On 02/16/2011 03:36 PM, mcinnes01 wrote:

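Both of Ab's replies come down to one point: a simple bind carries the password in the clear, which is why eDirectory refuses it on the plain LDAP port with result code 13 (confidentialityRequired) and why the bind should go over LDAPS on port 636. The following is an added example, not code from this thread, the attached workbook, or Novell/Micro Focus: a minimal Python 3 client (standard library only) that encodes an RFC 4511 simple BindRequest, shows that the password is literally visible in the request bytes, decodes the server's BindResponse, and maps result codes 0, 13 and 49 to what they mean for the bind attempt discussed above. `simple_bind_ldaps` does the port-636 route over a certificate-verified TLS connection; the host name, DN, password and `cafile` path are placeholders you supply, and `build_bind_response` constructs sample server replies so the parsing can be exercised offline without a directory server.

```python
"""Minimal LDAPv3 simple-bind client (RFC 4511 subset); added example, not the thread's code."""
import socket
import ssl

# RFC 4511 result codes relevant to the thread.
LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13   # eDirectory: cleartext simple bind refused
LDAP_INVALID_CREDENTIALS = 49        # DN or password rejected


def ber_len(n):
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """Tag-length-value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(tag, value):
    """INTEGER/ENUMERATED body as minimal big-endian two's complement."""
    return ber(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def build_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }.
    The password is a plain OCTET STRING: on port 389 without TLS anyone on the
    path can read it, which is exactly what eDirectory's default setting forbids."""
    bind = (ber_int(0x02, 3)                        # version INTEGER 3
            + ber(0x04, dn.encode("utf-8"))          # name LDAPDN
            + ber(0x80, password.encode("utf-8")))   # AuthenticationChoice simple [0]
    return ber(0x30, ber_int(0x02, message_id) + ber(0x60, bind))  # [APPLICATION 0]


def build_bind_response(message_id, result_code, diagnostic="", matched_dn=""):
    """Server side of the exchange: LDAPMessage { messageID, BindResponse [APPLICATION 1] }.
    Used here to construct sample replies so the parser can be run offline."""
    result = (ber_int(0x0A, result_code)            # resultCode ENUMERATED
              + ber(0x04, matched_dn.encode("utf-8"))
              + ber(0x04, diagnostic.encode("utf-8")))
    return ber(0x30, ber_int(0x02, message_id) + ber(0x61, result))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(pdu):
    """Decode a BindResponse into messageID, resultCode, matchedDN and diagnosticMessage."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    tag2, body, _ = _read_tlv(msg, pos)
    if tag != 0x02 or tag2 != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(body, 0)
    _, matched, pos = _read_tlv(body, pos)
    _, diag, _ = _read_tlv(body, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode("utf-8"),
            "diagnostic": diag.decode("utf-8")}


def explain(result_code):
    """What each result code means for the bind attempt in this thread."""
    if result_code == LDAP_SUCCESS:
        return "success: DN and password accepted"
    if result_code == LDAP_CONFIDENTIALITY_REQUIRED:
        return "confidentialityRequired: server refuses a cleartext simple bind; use LDAPS (636) or StartTLS"
    if result_code == LDAP_INVALID_CREDENTIALS:
        return "invalidCredentials: the DN or password was rejected"
    return "LDAP result code %d" % result_code


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full PDU arrived")
        buf += chunk
    return buf


def _recv_pdu(sock):
    """Read one complete BER TLV from the socket, honouring long-form lengths."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        extra, length = b"", head[1]
    else:
        extra = _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + _recv_exact(sock, length)


def simple_bind_ldaps(host, dn, password, cafile=None, port=636, timeout=10):
    """Simple bind over a verified TLS connection (the port-636 route from the thread).
    cafile is a placeholder: a PEM bundle with the CA that issued the server's certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_simple_bind(1, dn, password))
            return parse_bind_response(_recv_pdu(tls))
```

To rule the server settings in or out the way Ab suggests with Apache Directory Studio, call `simple_bind_ldaps("ldap.example.invalid", "cn=AMcInnes,ou=Unknown,ou=Openshaw,o=CCM", password, cafile="eDirectory-ca.pem")` (placeholder host and CA file) and pass the returned `result_code` to `explain`; a 13 means the server is refusing cleartext binds on the port you hit, a 49 means the DN or password itself was rejected.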