
I have working VBScript that searches eDirectory

' ADSI/ADO query against eDirectory: bind with a full DN and a cleartext password
Set dso = GetObject("LDAP:")
Dim pwd
pwd = "NotTellingU!"

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
' Credentials are supplied when the connection is opened
objConnection.Open "Active Directory Provider", "cn=x12345,ou=IDM,ou=System,o=XYZ" , pwd

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' ADO LDAP dialect: <base>;(filter);attributes;scope
objCommand.CommandText = "<LDAP://myservq01.myplace.corp/o=XYZ>;" & _
    "(ou=*)" & ";" & "ou;onelevel"

Set objRecordSet = objCommand.Execute
WScript.Echo objRecordSet.RecordCount

Trying to get this working in PowerShell (v2):

[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("System.Net") | Out-Null

$BaseDN = "o=XYZ"
$attrlist = "ou"
$scope = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$Filter = "(ou=*)"

# "host:port" form of the LdapConnection constructor; plain LDAP, no TLS
$c = New-Object System.DirectoryServices.Protocols.LdapConnection "myservq01.myplace.corp:389"
$c.SessionOptions.SecureSocketLayer = $FALSE;
# Basic = LDAP simple bind with DN and password
$c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

$user = "cn=x12345,ou=IDM,ou=System,o=XYZ"
$pwd = "NotTellingU!"
$NovellCredentials = New-Object "System.Net.NetworkCredential" -ArgumentList $user,$pwd
$c.Credential = $NovellCredentials
$c.Bind()            # throws "The supplied credential is invalid."
$r = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList  $baseDN,$Filter,$scope,$attrlist
$re = $c.SendRequest($r);   # throws the same error
"A Total of $($re.Entries.Count) Entry(s) found in LDAP Search"

On both the lines that do the Bind and SendRequest, I'm getting

Exception calling "Bind" with "0" argument(s): "The supplied credential is invalid."

I've taken NDS traces of both. From the VBScript it is:

LDAP: New cleartext connection 0x2006dc70 from 123.45.211.222:58720, monitor = 0x85f45700, index = 17
LDAP: (123.45.211.222:58720)(0x0001:0x60) DoBind on connection 0x2006dc70
LDAP: (123.45.211.222:58720)(0x0001:0x60) Bind name:cn=x12345,ou=IDM,ou=System,o=XYZ, version:3, authentication:simple

LDAP: (123.45.211.222:58477)(0x0005:0x63) DoSearch on connection 0x2006dc70
LDAP: (123.45.211.222:58477)(0x0005:0x63) Search request:
   base: "o=XYZ"
   scope:1 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
   filter: "(ou=*)"
   attribute: "ou"
LDAP: (123.45.211.222:58477)(0x0005:0x63) Sending search result entry "ou=services,o=XYZ" to connection 0x2006dc70

And from PS:

LDAP: New cleartext connection 0x2006dc70 from 123.45.211.222:59552, monitor = 0x85f45700, index = 17
LDAP: (123.45.211.222:59552)(0x0007:0x60) DoBind on connection 0x2006dc70
LDAP: (123.45.211.222:59552)(0x0007:0x60) Bind name:cn=x12345,ou=IDM,ou=System,o=XYZ, version:2, authentication:simple
LDAP: (123.45.211.222:59552)(0x0007:0x60) Failed to authenticate local on connection 0x2006dc70, err = failed authentication (-669)
LDAP: (123.45.211.222:59552)(0x0007:0x60) Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x2006dc70

The only difference I can see is on the Bind name line. When it's working I see "version:3" and when it's failing "version:2", but I haven't found anything I can do in code to control that.

Ansgar Wiechers
oldDavid
  • Guessing that you won't find this particularly helpful but [this](https://support.novell.com/docs/Tids/Solutions/10067240.html) says your problem is: _No NDS password restrictions are set. Rather, this details the results when the user has actually typed the wrong password._ – Matt Dec 25 '15 at 19:49
  • In your VBS, you created the `LdapConnection` with auth, in powershell, you open the connection first, then try to do things. Have you tried creating the credential first, then using it on the `LdapConnection` constructor? – Eris Dec 25 '15 at 22:17
  • Set `$c.SessionOptions.ProtocolVersion = 3` before you `Bind()` – Mathias R. Jessen Dec 26 '15 at 20:26
  • Thanks Mathias. I now see version:3 in the trace but I'm still getting the same error. I know I'm passing in the right credentials but still don't understand why they're being handled differently. – oldDavid Dec 28 '15 at 12:32

1 Answer

I don't understand why this would make a difference, but using single quotes around the $user and $pwd variables seemed to make it work:

$user = 'cn=x12345,ou=IDM,ou=System,o=XYZ'
$pwd = 'NotTellingU!'

This URL helped https://social.technet.microsoft.com/Forums/scriptcenter/en-US/d1c4fc40-b921-4840-9d98-d95d565672d1/queryenumerate-edirectory-in-powershell-via-systemdirectoryservices?forum=ITCG

oldDavid
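The following is an added example, not code from the question or the answer above. It puts together the points raised in the thread into one working PowerShell v2 script against eDirectory via System.DirectoryServices.Protocols: the LDAP protocol version is forced to 3 (S.DS.P otherwise negotiates LDAPv2, which is what the NDS trace showed), the bind DN and password are single-quoted so that a `$` or backtick inside a password is not interpolated the way it is in double quotes, and the password variable is renamed because `$pwd` is also PowerShell's automatic current-location variable. The server name, base DN and account DN are the ones from the question; everything else (prompting for the password instead of embedding it, trying LDAPS on 636 first, the error handling) is the example's own choice. Note that the trace lines say "cleartext connection": with SecureSocketLayer off, a simple bind sends the password unencrypted, so LDAPS or StartTLS is the setting a practitioner would want in anything beyond a test.

```powershell
# Added example, not from the original post. Assumes the same eDirectory server,
# base DN and bind DN as the question; $useTls selects LDAPS (636) or plain LDAP (389).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'myservq01.myplace.corp'
$baseDn = 'o=XYZ'
$bindDn = 'cn=x12345,ou=IDM,ou=System,o=XYZ'   # full DN, used verbatim as the user name
$useTls = $true

# Prompt for the password rather than hard-coding it; GetNetworkCredential() yields the
# System.Net.NetworkCredential that LdapConnection expects. A DN contains no backslash,
# so the user name is passed through unchanged.
$cred    = Get-Credential -Credential $bindDn
$netCred = $cred.GetNetworkCredential()

$port = 389
if ($useTls) { $port = 636 }
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)

# LDAPS: the server certificate is validated against the Windows trust store by default.
# Do not bypass that with VerifyServerCertificate = { $true } outside of a lab.
$conn.SessionOptions.SecureSocketLayer = $useTls
# S.DS.P defaults to LDAP v2; eDirectory logged "version:2" until this was set.
$conn.SessionOptions.ProtocolVersion = 3
# Basic = simple bind (DN + password). The DN must be the object's real DN, not a login name.
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $netCred

try {
    $conn.Bind()
} catch {
    # PowerShell wraps the LdapException in a MethodInvocationException; unwrap it to get
    # the server's result code (49 = invalidCredentials) and its message text.
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    Write-Error ("Bind as {0} failed: {1}" -f $bindDn, $ex.Message)
    return
}

$scope = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$req   = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, '(ou=*)', $scope, 'ou')
$resp  = $conn.SendRequest($req)

"A total of $($resp.Entries.Count) entry(s) found in LDAP search"
foreach ($entry in $resp.Entries) {
    $entry.DistinguishedName
}
$conn.Dispose()
```

If the server is only listening on 389, set `$useTls` to `$false`; with TLS off, `$conn.Bind()` will still succeed only if the eDirectory LDAP server has been configured to accept simple binds with a password over a cleartext connection, which is the state the question's NDS trace shows.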