LDAP Authentication

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.


6/24/2008 6:20:52 AM

LDAP Authentication

Hi,

I've spent days on end trying to set up MojoPortal with LDAP. I'm very certain the information I'm entering is correct, as it works within other software. I get the following error on screen:

"Could not bind to the LDAP settings as entered or could not bind your credentials in the LDAP directory. If the site allowed you to make this change you would be locked out after the next time you log out of the site. Please make sure the LDAP server is accessible and edit your user profile so that your UserID matches a record in LDAP and enter your LDAP user password."

I'm using the following:

Hostname: host.domain.co.uk (obviously replace this with actual machine and domain)
Domain: domain.co.uk
Root DN: CN=Users,DC=domain,DC=co,DC=uk
User DN Key: CN

I'm using active directory with a pretty much default setup.

Are there any logs I can view to see why it's not working?

Thanks,
Matt

6/24/2008 8:19:05 AM

Re: LDAP Authentication

Hi Matt,

With Active Directory, the root DN part is not so important; it will just try to authenticate users with username@domainname.

The main thing is that the Active Directory machine must be reachable from the web server. So typically the web server would be dual-homed, with a network card on the public internet-facing side and a network card on the local network. It would normally talk to the AD server over the local network, as I would not think the AD machine is exposed over the internet.

So the host name must be something it can resolve to connect to the AD machine. You might also try using the IP address of the AD machine instead of the host name. host.domain.co.uk sounds like a public address; I would not expect that to resolve to a local LAN IP address, but it would also surprise me if the AD machine was exposed over the public network, so I'm thinking this is not the correct host name to contact your AD machine from the web server.

Hope it helps,

Joe

6/24/2008 8:34:06 AM

Re: LDAP Authentication

The web server is on the same switch as the DC. The hostname definitely resolves on that machine, as other services use it. The problem remains the same with an IP address.

Thanks

6/24/2008 8:52:07 AM

Re: LDAP Authentication

When your users log in to the network they typically just enter the short user name like jaudette, but you need to make sure the domain part of the LDAP settings matches the more qualified name like jaudette@domain.co.uk. If that's not really how they could log in, then make the domain part match how they would actually log in. I've seen cases where the domain is company.com but users log in to the network with some shorter thing like user@company or user@somelocalalias for the network.

The only other thing I can think of that could be a factor (of course it's possible there are more that I can't think of) is that, depending on configuration, it may not allow querying AD if the thread is not executing as a domain user. So if that is the problem then it's a matter of switching to using a domain user instead of the default aspnet or IIS_WPG user. Here is a link to a guide about creating a least-privilege service account. You would want yours to be a domain account rather than a local machine account. I don't know for sure if that is the problem you are facing, but I have seen environments where this was the case. It's basically that the executing thread must be running in the context of a domain user to even query AD at all. Basically that's what the code is doing: it's querying AD with a username and password and trying to bind to the user. If that succeeds then authentication is achieved, else not.

Hope it helps,

Joe
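What the check Joe describes in both of his replies boils down to on the wire is an LDAPv3 simple bind: the client sends a BindRequest carrying the name (for AD, the user@domain form, which is why the Root DN hardly matters) and the password, and the server answers with a BindResponse whose resultCode is either 0 (success) or an error such as 49 (invalidCredentials). The script below is an added example, not mojoPortal's code; it hand-encodes that exchange so you can run it from the web server itself and see exactly which side fails. The host names, ports, and the AD-style diagnostic string in the comments are assumptions for illustration.

```python
"""LDAPv3 simple-bind probe, hand-encoded with BER (RFC 4511), no third-party LDAP library.

Added example, not mojoPortal code. Assumes an AD domain controller listening on
389 (plain) or 636 (LDAPS) that accepts a userPrincipalName (user@domain) as the bind name.
"""
import socket
import ssl
import sys

# RFC 4511 result codes a bind is most likely to come back with.
LDAP_RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N length bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0A) in minimal two's-complement form."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _tlv(tag, raw)


def build_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    if not password:
        # RFC 4513 5.1.2: a name with an empty password is an *unauthenticated* bind, which AD
        # accepts by default. An auth check that forwards an empty password "succeeds" for anyone.
        raise ValueError("refusing to send an unauthenticated (empty-password) bind")
    bind = _tlv(0x60, _int(3) + _tlv(0x04, name.encode("utf-8")) + _tlv(0x80, password.encode("utf-8")))
    return _tlv(0x30, _int(message_id) + bind)


def build_bind_response(message_id: int, result_code: int, diagnostic: str = "", matched_dn: str = "") -> bytes:
    """Server side of the exchange: BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }.
    Used here to construct sample replies offline; a real DC produces these."""
    body = _int(result_code, 0x0A) + _tlv(0x04, matched_dn.encode("utf-8")) + _tlv(0x04, diagnostic.encode("utf-8"))
    return _tlv(0x30, _int(message_id) + _tlv(0x61, body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode a BindResponse; anything else (e.g. a Notice of Disconnection) raises ValueError."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse (0x61), got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)
    _, matched, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    result = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": result,
        "result_name": LDAP_RESULT_NAMES.get(result, "other(%d)" % result),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def simple_bind(host: str, port: int, name: str, password: str, use_tls=None, timeout: float = 5.0) -> dict:
    """Run the exchange against a live server. Plain 389 carries the password in clear, so
    TLS is used whenever the port is 636 unless overridden."""
    if use_tls is None:
        use_tls = port == 636
    request = build_bind_request(1, name, password)
    raw = socket.create_connection((host, port), timeout=timeout)  # fails here => host/network problem
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    try:
        sock.sendall(request)
        data = sock.recv(4096)  # a BindResponse is a few dozen bytes; one read is enough
    finally:
        sock.close()
    return parse_bind_response(data)


if __name__ == "__main__":
    # Example (hypothetical host): python ldap_bind_probe.py dc01.corp.local jaudette@domain.co.uk 'pw' 636
    host, user, pw = sys.argv[1:4]
    port = int(sys.argv[4]) if len(sys.argv) > 4 else 636
    print(simple_bind(host, port, user, pw))
```

Run it on the web server (under the application-pool identity if you suspect the domain-user issue), with the same host and user@domain values entered in mojoPortal. A connection error means the earlier point about reachability and name resolution applies; a resultCode of 49 means the DC was reached and rejected the name/password pair, and AD's diagnosticMessage then says which: "data 525" is an unknown user (the domain part of the UPN is probably wrong), "data 52e" is a wrong password for a known user. Only a resultCode of 0 is an authenticated bind.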
