LDAP server which is my base dn

authentication ldap openca
invader7 picture invader7 · Jun 8, 2013 · Viewed 144.3k times · Source

Hello I'm trying to use my ldap test server in order to authenticate users in openca.

I'm currently connecting through phpldapadmin with :

Login DN : cn=admin,dc=example,dc=com
Password : mypass

but on openca something is going wrong... in datasources.xml I found the settings of the ldap configuration and it asks for

<name>basedn</name>

which is the basedn for me ? I already tried

cn=admin,dc=example,dc=com

and

dc=example,dc=com

I can connect to my ldap with LDAP Admin explorer too.

Thanks !

Answer

ixe013 picture ixe013 · Jun 10, 2013

The base dn is dc=example,dc=com.

I don't know about openca, but I will try this answer since you got very little traffic so far.

A base dn is the point from where a server will search for users. So I would try to simply use admin as a login name.

If openca behaves like most ldap aware applications, this is what is going to happen :

  1. An ldap search for the user admin will be done by the server starting at the base dn (dc=example,dc=com).
  2. When the user is found, the full dn (cn=admin,dc=example,dc=com) will be used to bind with the supplied password.
  3. The ldap server will hash the password and compare with the stored hash value. If it matches, you're in.

Getting step 1 right is the hardest part, but mostly because we don't get to do it often. Things you have to look out for in your configuraiton file are :

  • The dn your application will use to bind to the ldap server. This happens at application startup, before any user comes to authenticate. You will have to supply a full dn, maybe something like cn=admin,dc=example,dc=com.
  • The authentication method. It is usually a "simple bind".
  • The user search filter. Look at the attribute named objectClass for your admin user. It will be either inetOrgPerson or user. There will be others like top, you can ignore them. In your openca configuration, there should be a string like (objectClass=inetOrgPerson). Whatever it is, make sure it matches your admin user's object Class. You can specify two object class with this search filter (|(objectClass=inetOrgPerson)(objectClass=user)).

Download an LDAP Browser, such as Apache's Directory Studio. Connect using your application's credentials, so you will see what your application sees.

Related questions

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 I know "52e" code is when username is valid, but password is invalid. I am using the same user name and password in my apache …

Read More
Authenticating in PHP using LDAP through Active Directory

I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Anyone had done anything similar, with success? Edit: …

Read More
Authenticating against Active Directory with Java on Linux

I have a simple task of authenticating against Active Directory using Java. Just verifying credentials and nothing else. Let's say my domain is "fun.xyz.tld", OU path is unknown, and username/password is testu/testp. I know there's a …

Read More