Re: SSL bind to LDAP for password change



I don't know why this would fail. Is there an error reported when the connection attempt occurs? Do you have any idea if the SSL handshake, the LDAP connection or the bind operation is at issue?

You might want to start a new thread on the Active Directory newsgroup for this part. microsoft.public.windows.server.active_directory

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"apex52" <apex52@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:42BB1D37-0C11-4BF4-994C-3D381D8C0B67@xxxxxxxxxxxxxxxx
Unfortunately, PHP is the required way at this time. I was able to issue a
Domain Controller certificate and connect through SSL. The issue I am seeing
now is that I am unable to bind to ldap intermittently. The server is not
logging anything but successful connections so there is no help there. Is
there an LDAP setting or a reply delay that might cause this? We are not in
production, so the 5000 connection rule cannot be a factor. Thanks.

"Joe Kaplan" wrote:

I'm not sure if there is a way to do it in php, but with normal LDAP and
Windows authentication in the LDAP bind (SPNEGO auth), you can also use
negotiate auth channel encryption to achieve the encryption requirement for
the LDAP password change. This is very easy to do in
System.DirectoryServices.Protocols in .NET or with any other code making
direct use of the Windows LDAP API.

If you are stuck on PHP and PHP doesn't offer this flexibility in its LDAP
stack, then you may need to find a solution to your enrollment problem. You
might want to post this thread with a different subject though as it might
not be read by the people who have more PKI expertise.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"apex52" <apex52@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:337F6FEE-56EB-4DDB-B68A-B3E893E2C5AB@xxxxxxxxxxxxxxxx
> Yes it is. One of our admins uses php to connect in and he requires the
> cert.
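The staged diagnosis Joe asks for above (handshake, connection or bind) in PHP, since that is what apex52 is held to, as an added example that is not code from either poster. Host, DNs and passwords are placeholders; the unicodePwd remove/add pair is the standard AD self-service change that needs the encrypted channel discussed in the thread.

```php
<?php
// Added example: bind to a DC over LDAPS and change a user's password, reporting
// which stage failed. Host, DNs and passwords below are placeholders.
declare(strict_types=1);

// AD wants unicodePwd as UTF-16LE of the password wrapped in double quotes.
function toUnicodePwd(string $pw): string {
    return iconv('UTF-8', 'UTF-16LE', '"' . $pw . '"');
}

function failure($ldap, string $stage): array {
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag); // AD puts its own subcode here
    return ['stage' => $stage, 'ok' => false, 'errno' => ldap_errno($ldap),
            'msg' => ldap_error($ldap), 'diag' => (string) $diag];
}

// Returns ['stage' => ..., 'ok' => bool, 'errno' => int, 'msg' => string, 'diag' => string].
function adPasswordChange(string $host, string $userDn, string $oldPw, string $newPw): array {
    $ldap = ldap_connect("ldaps://$host:636");           // parses the URI only; no TLS yet
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals on this handle
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);  // a slow or silent DC fails fast, not forever

    // The first operation triggers the TLS handshake. errno -1 (LDAP_SERVER_DOWN) means the
    // TCP connection or handshake failed (untrusted DC cert, name mismatch, timeout);
    // errno 49 (invalid credentials) means the channel was fine and the bind itself was refused.
    if (!@ldap_bind($ldap, $userDn, $oldPw)) {
        return failure($ldap, ldap_errno($ldap) === -1 ? 'connect/handshake' : 'bind');
    }

    // Self-service change: remove the old value and add the new one in a single modify.
    // The DC refuses this on an unencrypted channel, hence the LDAPS (or sealed SASL) requirement.
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [toUnicodePwd($oldPw)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [toUnicodePwd($newPw)]],
    ];
    if (!@ldap_modify_batch($ldap, $userDn, $mods)) {
        return failure($ldap, 'modify');
    }
    ldap_unbind($ldap);
    return ['stage' => 'done', 'ok' => true, 'errno' => 0, 'msg' => '', 'diag' => ''];
}

// Usage with placeholder values; log the array client-side, since the DC only logs successes.
$result = adPasswordChange('dc1.example.com', 'CN=Jane Doe,OU=Users,DC=example,DC=com', 'OldPass', 'NewPass');
error_log(json_encode($result));
```

Logging the stage and errno for every attempt is what turns an intermittent failure into a pattern: a handshake timeout points at the network or the DC, a bind refusal at credentials or the DC's policy.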





