
I'm running Ubuntu on Windows via WSL in a CLI, and I've configured LDAP (OpenLDAP: slapd) on Ubuntu as follows:

BASE    dc=example,dc=com
URI     ldap://localhost

When I run the following command on Ubuntu, it shows me the structure of the Users and Groups I've set on the LDAP server, which indicates that I'm able to connect to the server using my test user:

ldapsearch -D "cn=test,ou=Department,dc=example,dc=com" -w test -b 'dc=example,dc=com' '(objectclass=*)'

On my Windows host machine, I checked the box for Active Directory Lightweight Directory Services in the Turn Windows features on or off window, which enables usage of LDP.exe. In LDP.exe, I'm also able to connect with the LDAP server, by selecting Connection > Bind > filling in "cn=test,ou=Department,dc=example,dc=com" for the User field and "test" for the Password field > and selecting Simple bind before clicking OK:

[screenshot: LDP.exe Bind dialog]

After clicking OK, LDP.exe provides the following feedback:

[screenshot: LDP.exe output after the bind]

I'm also able to retrieve information from the LDAP server in my C# code—for example:

using System.Collections.Generic;
using System.DirectoryServices;

// Anonymous (unauthenticated) access to the OU
var de = new DirectoryEntry("LDAP://localhost:389/ou=Department,dc=example,dc=com");
de.AuthenticationType = AuthenticationTypes.None;
var childNames = new List<string>();
foreach (DirectoryEntry child in de.Children)
{
    childNames.Add(child.Name.ToString());
}

The above gives me the confidence that the LDAP server is configured correctly and that I'm able to access it in my code, but I'm unable to connect via the aforementioned test user when I modify the code as follows:

var de = new DirectoryEntry("LDAP://localhost/OU=Department,DC=example,DC=com", username, password);
var childNames = new List<string>();
foreach(DirectoryEntry child in de.Children)
{
    childNames.Add(child.Name.ToString());
}

When I run the above code, I get an error at the foreach part that says that "the user name or password is incorrect."

I've tried to set the username & password variables to all the ways I could think of or find online, such as setting the password to "test" or its SSHA hash, and setting username to "test", "cn=test", "example.com\\test", or "test@example.com", but I keep getting the message that "the user name or password is incorrect" when I run the code.

I've also tried the username & password combinations with several forms of authentication, as such:

var de = new DirectoryEntry("LDAP://localhost/OU=Department,DC=example,DC=com", username, password, AuthenticationTypes.Secure);

But I've been unable to find the correct configuration. How do I configure the code so that the username and password combination is accepted?

2 Answers


You said:

I'm running Ubuntu on Windows via WSL in a CLI, and I've configured LDAP (OpenLDAP: slapd) on Ubuntu

And then:

On my Windows host machine, I checked the box for Active Directory Lightweight Directory Services in the Turn Windows features on or off window

That means you now have two LDAP servers running on the same machine. I'm guessing that the AD LDS instance is taking precedence, and that's the instance that's giving you the "user name or password is incorrect" error.

If you want to connect to your OpenLDAP instance, you'll need to disable Active Directory Lightweight Directory Services. If you want to keep LDP, you can copy the ldp.exe file out of the Windows\System32 folder before you uninstall AD LDS, then copy it back after.

Gabriel Luci
  • Good thinking, but the error message persists after checking off the "Active Directory Lightweight Directory Services" feature. I'm able to connect to the correct LDAP without providing user details (just not with them), I hadn't configured AD LDS at all, and a remark in the link below suggests that server precedence depends on locator services that determine the most appropriate DC anyway. The cause of my problem seems to be something else. https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.authenticationtypes?view=windowsdesktop-7.0#remarks – HasQuestionsAndAnswers May 17 '23 at 15:40
  • Can you provide the entire error message, including any codes that are part of it? – Gabriel Luci May 17 '23 at 15:51
  • The full error is "'System.DirectoryServices.DirectoryServicesCOMException' in System.DirectoryServices.dll: 'The user name or password is incorrect.'" I didn't see an error code. Though, I may have found the solution (see my answer). Adding "AuthenticationTypes.None" to the code resulted in a new error that said that 'an invalid dn syntax has been specified', which pointed to a solution, but I'm unsure whether that solution is recommendable. – HasQuestionsAndAnswers May 17 '23 at 17:11

Apparently, the username must contain the full DN. The code below works:

// The username is the full bind DN; AuthenticationTypes.None selects a simple bind
string username = "cn=test,ou=Department,dc=example,dc=com", password = "test";
var de = new DirectoryEntry("LDAP://localhost:389/ou=Department,dc=example,dc=com", username, password, AuthenticationTypes.None);
var childNames = new List<string>();
foreach (DirectoryEntry child in de.Children)
{
    childNames.Add(child.Name.ToString());
}

On the Microsoft pages, it's said that AuthenticationTypes.None "equates to zero, which means to use basic authentication (simple bind) in the LDAP provider." I first assumed that AuthenticationTypes.None means that the username and password won't be checked for correctness (as with AuthenticationTypes.Anonymous), but that's not the case.

  • Microsoft's documentation (as well as the LDP.exe tool) is primarily written with MS AD in mind, which _does_ accept NT-style and AD-style usernames (`DOM\user` and `user@domain`), but that's a non-standard extension – typical LDAP servers require a full DN as the "bind DN". – user1686 May 20 '23 at 11:56
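The following is an added example, not code from the question or either answer, that puts the accepted answer's point into a complete program: the bind DN is the username, and AuthenticationTypes.None means a simple bind, not "no authentication". It goes one step beyond the thread by showing the same simple bind through System.DirectoryServices.Protocols (LdapConnection with AuthType.Basic), which returns the server's own LDAP result code instead of the generic ADSI message and can be switched to StartTLS so the password does not cross the wire in clear text. The host, port, base DN, bind DN and password are the values from the thread; the StartTLS switch is an assumption about the server (OpenLDAP must be configured for it), and on .NET Core the System.DirectoryServices and System.DirectoryServices.Protocols packages must be referenced.

```csharp
// Added example: simple bind to OpenLDAP with a full bind DN, two ways.
// Values are taken from the thread; nothing here is the project's own code.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Net;

static class LdapBindDemo
{
    const string Host = "localhost";
    const int Port = 389;
    const string BaseDn = "ou=Department,dc=example,dc=com";
    // Full DN, not "test", "cn=test", "example.com\\test" or "test@example.com"
    const string BindDn = "cn=test,ou=Department,dc=example,dc=com";
    const string Password = "test";

    // 1) ADSI route (System.DirectoryServices), as in the accepted answer.
    //    AuthenticationTypes.None = simple bind with the DN as the username.
    //    RefreshCache() forces the bind immediately, so a wrong DN or password
    //    surfaces here as DirectoryServicesCOMException rather than at the foreach.
    public static List<string> ListChildrenWithDirectoryEntry()
    {
        using var de = new DirectoryEntry($"LDAP://{Host}:{Port}/{BaseDn}", BindDn, Password, AuthenticationTypes.None);
        de.RefreshCache();
        var names = new List<string>();
        foreach (DirectoryEntry child in de.Children)
        {
            using (child) names.Add(child.Name);
        }
        return names;
    }

    // 2) Protocol route (System.DirectoryServices.Protocols): the same RFC 4511
    //    simple bind, but failures come back as LdapException with the server's
    //    result code (49 = invalidCredentials), and StartTLS can protect the
    //    password on the wire when the server supports it (assumption).
    public static List<string> ListChildrenWithLdapConnection(bool startTls)
    {
        using var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, Port))
        {
            AuthType = AuthType.Basic,
            Credential = new NetworkCredential(BindDn, Password),
        };
        conn.SessionOptions.ProtocolVersion = 3;
        if (startTls)
        {
            conn.SessionOptions.StartTransportLayerSecurity(null);
        }
        conn.Bind(); // throws LdapException on a rejected bind

        var request = new SearchRequest(BaseDn, "(objectClass=*)", SearchScope.OneLevel, "cn");
        var response = (SearchResponse)conn.SendRequest(request);
        var names = new List<string>();
        foreach (SearchResultEntry entry in response.Entries)
        {
            names.Add(entry.DistinguishedName);
        }
        return names;
    }

    static void Main()
    {
        try
        {
            foreach (var n in ListChildrenWithDirectoryEntry()) Console.WriteLine($"ADSI: {n}");
            foreach (var n in ListChildrenWithLdapConnection(startTls: false)) Console.WriteLine($"LDAP: {n}");
        }
        catch (DirectoryServicesCOMException ex)
        {
            // The thread's "The user name or password is incorrect." lands here
            Console.WriteLine($"ADSI bind failed (0x{ex.ErrorCode:X8}): {ex.Message}");
        }
        catch (LdapException ex)
        {
            Console.WriteLine($"LDAP bind failed (result {ex.ErrorCode}): {ex.Message}");
        }
    }
}
```

The two routes bind identically on the wire; the difference is diagnostics. With plain ldap:// and a simple bind the password travels unencrypted, which is acceptable for a loopback WSL test but not for a networked server, so outside the lab either pass startTls: true (if slapd has TLS configured) or use an ldaps:// endpoint with AuthenticationTypes.SecureSocketsLayer on the DirectoryEntry.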