Error message querying the AD using LDAP-test

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
Wooltown
Posts: 115
Joined: Wed May 22, 2002 6:00 pm
Location: Sweden


Post by Wooltown »

Hello !

I use the LDAP-test to query the AD, and perform a search op, but it fails

HM: 4.42 running on W2k SP4
Domaincontroller running Windows 2003 server
Base object: OU=Users,DC=global,DC=ad
Res Limit: 3
Search filter: (cn=3)

Result:
LdapErr: DSID-0C0905FF, comment: In order to perform this operation a succesful bind must be completed on the connection, data 0, vece

Any ideas ?

Regards
Sven
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

I checked the code - HostMonitor does not start the Search operation until the Bind operation is done....
If you disable "Perform search op" option, what status of the test will be set?

Regards
Alex

Post by Wooltown »

Then I get the message "Host is alive"

Does HM use the account in Options, Startup, Service when it does the LDAP test ?? - I am running HM as a Service.

Post by KS-Soft »

Quote: "Does HM use the account in Options, Startup, Service when it does the LDAP test ?? - I am running HM as a Service."
No, it uses the default "local system" account. The LDAP test works independently of the account.
But.... can you try to start HostMonitor as an application? If this helps, we will add code to impersonate the user account.

Regards
Alex

Post by Wooltown »

I started HM as an application, but I get the same error. As I understood your answer, when you run HM as an application it uses the account as I am logged on ?!?!

The password in the LDAP test, what is that for ?

Post by KS-Soft »

Quote: "As I understood your answer, when you run HM as an application it uses the account as I am logged on ?!?!"
Yes, it cannot use any other.
Quote: "The password in the LDAP test, what is that for ?"
The LDAP server may request a password.
Quote from RFC: "LDAP implementations SHOULD support authentication with the "simple" password choice when the connection is protected against eavesdropping using TLS"
HostMonitor sends the password when it makes the Bind request. If the Bind request fails, HM sets "Bad" or "Unknown" status ("Bad" status if the server rejected the request, "Unknown" status if there is no response from the server). HostMonitor sends the Search request only if the Bind request completed successfully. That's why I am confused by the error returned from the server: "In order to perform this operation a succesful bind must be completed..."

Probably if HostMonitor passes a blank password to the bind and the password for the user is not blank, you will be given anonymous credentials instead of being returned an invalid credentials error message. But why does the server return a "a succesful bind must be completed..." error instead of some "not enough permissions.."...

Regards
Alex

Post by KS-Soft »

If we assume that the server returns a wrong error description, there is a good explanation why the search request fails: http://support.microsoft.com/default.as ... -us;326690

Regards
Alex

Post by Wooltown »

Hello !

The account I'm using is a Domain Admin Account and has all the necessary rights in the domain.

The DsHeuristics value doesn't exist in my domain.

Perhaps you have to enter a userid/password to make a bind ?

Regards
Sven

Post by KS-Soft »

Sorry for the delay. I tried to contact nsoftware.com - the developer of the component that we are using in HostMonitor for the LDAP test (we are using just several 3rd party classes). Unfortunately we did not receive any answer :-(
Looks like we need to redesign this module using our own code. I have added this task to the "to do" list. Sorry, I cannot give any good recommendation :-(

Regards
Alex

Post by Wooltown »

That's OK, I will wait, knowing if you wait for something good, you can't wait too long


/Sven