Secure Ldap call not working due to IUSR/IWAM permissions?

From: Turner, Keith (Contractor) (Keith.Turner@tea.army.mil)
Date: 01/31/03

    From: "Turner, Keith (Contractor)" <Keith.Turner@tea.army.mil>
    To: focus-ms@securityfocus.com
    Date: Fri, 31 Jan 2003 13:33:06 -0500


    I am trying to get LDAP working so that I can authenticate web users against
    an iPlanet directory server. There appears to be something on the machine
    which prevents IUSR or IWAM from making the LDAP call. My best guess is
    that something which was done during server "hardening" is preventing this
    from working. When using network monitor, I see that no packets are placed
    on the network. I have enabled auditing for global system objects and it
    does show audit failures when the LDAP call fails. I have used FileMon and
    RegMon (sysinternals) to watch for file or registry failures, but none
    showed up.

    There are about 20 fails for each LDAP attempt, but there are only two unique
    events:

    1) id 595
    Indirect access to an object has been obtained
    object type: port
    object name: \RPC Control\DNSResolver
    Accesses: Communicate using port

    2) id 560
    Object name: \Device\NetBT_Tcpip_{alphanumeric string}
    Accesses: Synchronize, ReadData, WriteData

    If I replace the hostname in the opendsobject call with the ip address, the
    call makes it to the server (can see it in network monitor), but then fails.
    I assume it is failing because the ip address doesn't match the hostname
    provided in the SSL certificate. If I place the IUSR/IWAM accounts in the
    local admin group, everything works properly (calling the directory server
    by hostname). The error always occurs on this line of the asp file :
    Set oContainer = oLDAP.OpenDSObject(Server & dnUserName, dnUserName, sPassWord, 2)

    Anyone have any ideas?
    Thanks, Keith
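The second symptom in the post (the call reaches the server when made by IP address but then fails) is consistent with the poster's guess about certificate host name checking. The following is an added example, not code from the original post and not part of iPlanet or ADSI: a Python script implementing the name-matching rules a TLS client applies to a server certificate (dNSName and iPAddress subjectAltName entries, wildcard handling, and the legacy commonName fallback), so you can see why an IP literal cannot satisfy a certificate that only carries host names, and why the fix is to connect by the name on the certificate (or issue a certificate with an iPAddress SAN) rather than to weaken verification. The certificate contents and host names are constructed placeholders; `diagnose_ldaps` is an assumed helper for live use and does not appear in the post.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns.
# Not a real certificate; the names are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.mil"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.mil"),
        ("DNS", "*.dir.example.mil"),
    ),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style dNSName matching: case-insensitive, trailing dot ignored,
    wildcard allowed only as the whole leftmost label and never across labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_matches(cert, target):
    """Return (ok, reason): is `cert` valid for `target`, the host name or
    IP literal the client used to connect?"""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    if ip is not None:
        # Connecting by IP: only an iPAddress SAN can satisfy the check.
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, f"iPAddress SAN matches {target}"
        named = ", ".join(dns_names) or "no DNS names"
        return False, (f"certificate is issued for {named}, not for IP {target}; "
                       f"connect using the certificate's host name")

    if dns_names:
        # When dNSName SANs exist the commonName is ignored (RFC 6125 6.4.4).
        if any(_dns_match(p, target) for p in dns_names):
            return True, f"dNSName SAN matches {target}"
        return False, f"no dNSName SAN matches {target} (have: {', '.join(dns_names)})"

    # Legacy fallback: no subjectAltName at all, so the CN is consulted.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, target) for cn in cns):
        return True, f"legacy commonName matches {target}"
    return False, f"no subjectAltName and commonName {cns} does not match {target}"


def diagnose_ldaps(host, port=636, timeout=5.0):
    """Assumed helper: connect to an LDAPS listener, validate the chain as
    usual, then report the name check in terms of what the certificate holds."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name check is done by cert_matches() so the reason is visible
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain validation stays on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return cert_matches(tls.getpeercert(), host)


if __name__ == "__main__":
    for target in ("ldap.example.mil", "a.dir.example.mil", "10.1.2.3"):
        print(target, cert_matches(SAMPLE_CERT, target))
```

This explains only the second symptom. The audit failures in the post on `\RPC Control\DNSResolver` and the `\Device\NetBT_Tcpip_{...}` object concern name resolution being denied to the IUSR/IWAM context, which is a separate matter from certificate checking; connecting by IP sidesteps the resolver but then runs into the name check above.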


