LDAP authentication - invalid credentials.

Jagadishwer

Hi friends,
I am new to this LDAP programming. I wrote a small application
which is not working. My requirement is like this:
My application has a login screen. When a user presents the
username and password, my application will send the data to the Active
Directory server for authentication. Once the credentials are
authenticated, I should get the Group to which the user belongs as a
result.
I wrote a small test application which takes hostname, username and
password and tries to authenticate. I am getting an Invalid credentials
error whenever I try to authenticate. But if I pass username and
password as NULL, authentication is successful. If I try to connect
to Active Directory through the Windows logon screen my username and
password are authenticated successfully.
Please someone help me to fix this problem. Thanks in advance for
the help.
Here is the code of my test application.


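#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winldap.h>
#include <string.h>

int main( )
{
    LDAP *ld;
    int ret;
    char *HostName = "netkey.com";           // host taken from the commented-out ldap_init call
    char *user = "CN=myloginname,CN=Users";  // bind DN as originally posted
    char *passwd = "mypassword";

    // ld = ldap_init("netkey.com", LDAP_PORT);
    ld = ldap_open(HostName, LDAP_PORT);
    if (ld == NULL) {
        // Connection failed; there is no session to bind on
        printf("ldap_open failed\n");
        return 1;
    }

    ret = ldap_simple_bind_s(ld, user, passwd); // Authentication using DN and password
    printf("LDAP Error Msg : %s\n", ldap_err2string(ret));
    // I am getting invalid credentials (error no: 41 here)

    ldap_unbind(ld); // release the session
    return 0;
}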
 
ajd

Don't know LDAP programming, but try using Network
Monitor (the free Microsoft one) and trace the attempts.
This will tell you what's being sent back and forth and
maybe be able to point out what's going on.

ajd
 
Matjaz Ladava [MVP]

Have you tried to supply the username in the SAM format domain\username?

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
http://ladava.com
 
Robbie Allen

The problem in your code is that you are not using the complete
distinguished name of the user. It should look something like this:
char *user ="CN=myloginname,CN=Users,dc=netkey,dc=com";

A better way than hard coding dc=netkey,dc=com would be to query the RootDSE
for it.

Alternatively you can use NT-style logon name or a user principal name.

Robbie Allen
http://www.rallenhome.com/
 
Jagadishwer

Thanks Robbie for the help.
With NT logon name or principal name my authentication works.
Now I have another problem.
My goal is to get the group name of the user who was authenticated.
Is there any function available in the LDAP API? I couldn't find anything.
Please help me.
Thanks in advance.
 
Jagadishwer

I am looking for the primary group.
Can you suggest some books or articles for LDAP programming in C++?
Thanks.
 
Jason Robarts [MSFT]

It looks like Robbie's resolved your key issue. I'd like to point out that
using ldap_simple_bind_s over LDAP_PORT will expose your password in clear
text to anyone with a network sniffer (such as Netmon). I'd recommend using
ldap_bind_s with LDAP_AUTH_NEGOTIATE as you are targeting Active Directory
[I'm basing this on your use of UPN or samAccountName]. If you need to use
simple binds I'd suggest using SSL.

Jason
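
What the warning above looks like on the wire, as an added example that is not part of the original thread or any poster's code: in an LDAP BindRequest (RFC 4511) a simple bind carries the password as a plain context-tagged [0] octet string, while a SASL bind such as GSS-SPNEGO uses the [3] choice. The C code below classifies one captured LDAPMessage so that cleartext simple binds on port 389 can be flagged; the sample bytes, the name user@example.com and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
typedef unsigned char u8;
enum { BIND_MALFORMED = -1, NOT_A_BIND = 0, BIND_SIMPLE = 1, BIND_SASL = 2 };
/* Constructed samples, not captures: simple bind as user@example.com with
   password "mypassword"; SASL GSS-SPNEGO bind with 4 placeholder token bytes. */
static const u8 SIMPLE_BIND[] = { 0x30,0x26, 0x02,0x01,0x01, 0x60,0x21, 0x02,0x01,0x03,
    0x04,0x10, 'u','s','e','r','@','e','x','a','m','p','l','e','.','c','o','m',
    0x80,0x0a, 'm','y','p','a','s','s','w','o','r','d' };
static const u8 SASL_BIND[] = { 0x30,0x1e, 0x02,0x01,0x02, 0x60,0x19, 0x02,0x01,0x03,
    0x04,0x00, 0xa3,0x12, 0x04,0x0a, 'G','S','S','-','S','P','N','E','G','O',
    0x04,0x04, 0x00,0x00,0x00,0x00 };

/* Read one BER tag and length at buf[*pos]; on success *pos is at the value. */
static int ber_hdr(const u8 *buf, size_t n, size_t *pos, u8 *tag, size_t *len) {
    if (*pos + 2 > n) return -1;
    *tag = buf[(*pos)++];
    *len = buf[(*pos)++];
    if (*len >= 0x80) {                      /* long form: accept 1 or 2 length bytes */
        size_t k = *len & 0x7f;
        if (k == 0 || k > 2 || *pos + k > n) return -1;
        for (*len = 0; k > 0; k--) *len = (*len << 8) | buf[(*pos)++];
    }
    return *len <= n - *pos ? 0 : -1;        /* value must fit in the buffer */
}

/* Classify one LDAPMessage; *pw_len is the size of a cleartext simple-bind password. */
int classify_bind(const u8 *buf, size_t n, size_t *pw_len) {
    size_t pos = 0, len; u8 tag;
    *pw_len = 0;
    if (ber_hdr(buf, n, &pos, &tag, &len) || tag != 0x30) return BIND_MALFORMED;
    if (ber_hdr(buf, n, &pos, &tag, &len) || tag != 0x02) return BIND_MALFORMED;
    pos += len;                                              /* skip messageID */
    if (ber_hdr(buf, n, &pos, &tag, &len)) return BIND_MALFORMED;
    if (tag != 0x60) return NOT_A_BIND;                      /* [APPLICATION 0] BindRequest */
    if (ber_hdr(buf, n, &pos, &tag, &len) || tag != 0x02) return BIND_MALFORMED;
    pos += len;                                              /* skip version */
    if (ber_hdr(buf, n, &pos, &tag, &len) || tag != 0x04) return BIND_MALFORMED;
    pos += len;                                              /* skip bind name */
    if (ber_hdr(buf, n, &pos, &tag, &len)) return BIND_MALFORMED;
    if (tag == 0x80) { *pw_len = len; return BIND_SIMPLE; }  /* [0] simple */
    return tag == 0xa3 ? BIND_SASL : BIND_MALFORMED;         /* [3] sasl */
}

int main(void) {
    size_t pw;
    int kind = classify_bind(SIMPLE_BIND, sizeof SIMPLE_BIND, &pw);
    printf("kind=%d cleartext_password_bytes=%zu\n", kind, pw);
    return 0;
}
```

A BIND_SIMPLE result with a non-zero password length on an unencrypted connection is the exposure described above; the same message inside an SSL/TLS session is not visible to a sniffer in this form.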
 
