How can I successfully bind with CFLDAP?











up vote
0
down vote

favorite












I'm trying to query AD for groups etc associated with a specified username. I have confirmed with my associates that I should have permissions to query AD. Using the following code in my ColdFusion page:



<cfldap server="my.server.com"
action="query"
name="results"
attributes="dn,cn,sn,givenname,uid"
start="CN=Users,DC=my,DC=server,DC=com"
filter="(&(objectclass=user)(sn=*todd*))"
scope="onelevel"
maxrows=100
>


But I'm getting the error:


"An error has occurred while trying to execute query :[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0 ]."

Any help/direction is greatly appreciated.










share|improve this question


























    up vote
    0
    down vote

    favorite












    I'm trying to query AD for groups etc associated with a specified username. I have confirmed with my associates that I should have permissions to query AD. Using the following code in my ColdFusion page:



    <cfldap server="my.server.com"
    action="query"
    name="results"
    attributes="dn,cn,sn,givenname,uid"
    start="CN=Users,DC=my,DC=server,DC=com"
    filter="(&(objectclass=user)(sn=*todd*))"
    scope="onelevel"
    maxrows=100
    >


    But I'm getting the error:


    "An error has occurred while trying to execute query :[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0 ]."

    Any help/direction is greatly appreciated.










    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I'm trying to query AD for groups etc associated with a specified username. I have confirmed with my associates that I should have permissions to query AD. Using the following code in my ColdFusion page:



      <cfldap server="my.server.com"
      action="query"
      name="results"
      attributes="dn,cn,sn,givenname,uid"
      start="CN=Users,DC=my,DC=server,DC=com"
      filter="(&(objectclass=user)(sn=*todd*))"
      scope="onelevel"
      maxrows=100
      >


      But I'm getting the error:


      "An error has occurred while trying to execute query :[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0 ]."

      Any help/direction is greatly appreciated.










      share|improve this question













      I'm trying to query AD for groups etc associated with a specified username. I have confirmed with my associates that I should have permissions to query AD. Using the following code in my ColdFusion page:



      <cfldap server="my.server.com"
      action="query"
      name="results"
      attributes="dn,cn,sn,givenname,uid"
      start="CN=Users,DC=my,DC=server,DC=com"
      filter="(&(objectclass=user)(sn=*todd*))"
      scope="onelevel"
      maxrows=100
      >


      But I'm getting the error:


      "An error has occurred while trying to execute query :[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0 ]."

      Any help/direction is greatly appreciated.







      coldfusion active-directory






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 19 at 17:07









      Todd K

      338




      338
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote













          Active Directory rarely has anonymous read enabled, so you need to bind before performing any searches. I use a dedicated "system" account for this (you can use yours, but then the whole thing falls over next time you change your password). Below is what I use for a form that handles user authentication. This is LDAPS, which requires that your java instance trusts the signer of the directory cert -- it's often easier to start with clear text LDAP, get everything working, then switch over to SSL.



          <!--- If the server has been defined, run the query --->
          <CFIF IsDefined("form.server")>
          <!--- check to see that there is a name listed --->
          <CFIF form.name is not "">
          <!--- make the LDAP query --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="cn=YOURSYSTEMIDGOESHERE,ou=systemids,dc=my,dc=server,dc=com"
          password="YOURPASSWORDGOESHERE"
          name="getldap"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          scope="subtree"
          filter="(&(objectclass=user)(sAMAccountName=#form.uid#))"
          secure="CFSSL_BASIC"
          maxrows="10">
          <CFIF getldap.RecordCount GT 1>
          <!--- Too many accounts exist in LDP, throw message to call the help desk --->
          <CFELSEIF getldap.RecordCount EQ 0>
          <!--- User does not exist in directory, fail auth --->
          <CFELSE>
          <!--- Attempt Authentication using supplied credentials --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="#getldap.dn#"
          password="#form.password#"
          name="attemptauth"
          secure="CFSSL_BASIC"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          >
          <!--- Do something here to catch errors, on return code 0, auth is successful --->
          <!--- Error code 19, hex 0x13) is a locked out account and fail auth --->
          <!--- Error code 49, hex 0x31) is an invalid password error and fail auth --->
          <!--- Other errors are system-type problems, throw try again / call help desk type error --->
          </CFIF>
          </CFIF>
          </CFIF>


          asdfa






          share|improve this answer





















          • I had a service account created, and they tested it to make sure it works in regular LDAP. I tried using it in my cfldap tag and now I'm getting the error: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
            – Todd K
            Nov 29 at 15:04













          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53379523%2fhow-can-i-successfully-bind-with-cfldap%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote













          Active Directory rarely has anonymous read enabled, so you need to bind before performing any searches. I use a dedicated "system" account for this (you can use yours, but then the whole thing falls over next time you change your password). Below is what I use for a form that handles user authentication. This is LDAPS, which requires that your java instance trusts the signer of the directory cert -- it's often easier to start with clear text LDAP, get everything working, then switch over to SSL.



          <!--- If the server has been defined, run the query --->
          <CFIF IsDefined("form.server")>
          <!--- check to see that there is a name listed --->
          <CFIF form.name is not "">
          <!--- make the LDAP query --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="cn=YOURSYSTEMIDGOESHERE,ou=systemids,dc=my,dc=server,dc=com"
          password="YOURPASSWORDGOESHERE"
          name="getldap"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          scope="subtree"
          filter="(&(objectclass=user)(sAMAccountName=#form.uid#))"
          secure="CFSSL_BASIC"
          maxrows="10">
          <CFIF getldap.RecordCount GT 1>
          <!--- Too many accounts exist in LDP, throw message to call the help desk --->
          <CFELSEIF getldap.RecordCount EQ 0>
          <!--- User does not exist in directory, fail auth --->
          <CFELSE>
          <!--- Attempt Authentication using supplied credentials --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="#getldap.dn#"
          password="#form.password#"
          name="attemptauth"
          secure="CFSSL_BASIC"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          >
          <!--- Do something here to catch errors, on return code 0, auth is successful --->
          <!--- Error code 19, hex 0x13) is a locked out account and fail auth --->
          <!--- Error code 49, hex 0x31) is an invalid password error and fail auth --->
          <!--- Other errors are system-type problems, throw try again / call help desk type error --->
          </CFIF>
          </CFIF>
          </CFIF>


          asdfa






          share|improve this answer





















          • I had a service account created, and they tested it to make sure it works in regular LDAP. I tried using it in my cfldap tag and now I'm getting the error: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
            – Todd K
            Nov 29 at 15:04

















          up vote
          1
          down vote













          Active Directory rarely has anonymous read enabled, so you need to bind before performing any searches. I use a dedicated "system" account for this (you can use yours, but then the whole thing falls over next time you change your password). Below is what I use for a form that handles user authentication. This is LDAPS, which requires that your java instance trusts the signer of the directory cert -- it's often easier to start with clear text LDAP, get everything working, then switch over to SSL.



          <!--- If the server has been defined, run the query --->
          <CFIF IsDefined("form.server")>
          <!--- check to see that there is a name listed --->
          <CFIF form.name is not "">
          <!--- make the LDAP query --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="cn=YOURSYSTEMIDGOESHERE,ou=systemids,dc=my,dc=server,dc=com"
          password="YOURPASSWORDGOESHERE"
          name="getldap"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          scope="subtree"
          filter="(&(objectclass=user)(sAMAccountName=#form.uid#))"
          secure="CFSSL_BASIC"
          maxrows="10">
          <CFIF getldap.RecordCount GT 1>
          <!--- Too many accounts exist in LDP, throw message to call the help desk --->
          <CFELSEIF getldap.RecordCount EQ 0>
          <!--- User does not exist in directory, fail auth --->
          <CFELSE>
          <!--- Attempt Authentication using supplied credentials --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="#getldap.dn#"
          password="#form.password#"
          name="attemptauth"
          secure="CFSSL_BASIC"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          >
          <!--- Do something here to catch errors, on return code 0, auth is successful --->
          <!--- Error code 19, hex 0x13) is a locked out account and fail auth --->
          <!--- Error code 49, hex 0x31) is an invalid password error and fail auth --->
          <!--- Other errors are system-type problems, throw try again / call help desk type error --->
          </CFIF>
          </CFIF>
          </CFIF>


          asdfa






          share|improve this answer





















          • I had a service account created, and they tested it to make sure it works in regular LDAP. I tried using it in my cfldap tag and now I'm getting the error: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
            – Todd K
            Nov 29 at 15:04















          up vote
          1
          down vote










          up vote
          1
          down vote









          Active Directory rarely has anonymous read enabled, so you need to bind before performing any searches. I use a dedicated "system" account for this (you can use yours, but then the whole thing falls over next time you change your password). Below is what I use for a form that handles user authentication. This is LDAPS, which requires that your java instance trusts the signer of the directory cert -- it's often easier to start with clear text LDAP, get everything working, then switch over to SSL.



          <!--- If the server has been defined, run the query --->
          <CFIF IsDefined("form.server")>
          <!--- check to see that there is a name listed --->
          <CFIF form.name is not "">
          <!--- make the LDAP query --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="cn=YOURSYSTEMIDGOESHERE,ou=systemids,dc=my,dc=server,dc=com"
          password="YOURPASSWORDGOESHERE"
          name="getldap"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          scope="subtree"
          filter="(&(objectclass=user)(sAMAccountName=#form.uid#))"
          secure="CFSSL_BASIC"
          maxrows="10">
          <CFIF getldap.RecordCount GT 1>
          <!--- Too many accounts exist in LDP, throw message to call the help desk --->
          <CFELSEIF getldap.RecordCount EQ 0>
          <!--- User does not exist in directory, fail auth --->
          <CFELSE>
          <!--- Attempt Authentication using supplied credentials --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="#getldap.dn#"
          password="#form.password#"
          name="attemptauth"
          secure="CFSSL_BASIC"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          >
          <!--- Do something here to catch errors, on return code 0, auth is successful --->
          <!--- Error code 19, hex 0x13) is a locked out account and fail auth --->
          <!--- Error code 49, hex 0x31) is an invalid password error and fail auth --->
          <!--- Other errors are system-type problems, throw try again / call help desk type error --->
          </CFIF>
          </CFIF>
          </CFIF>


          asdfa






          share|improve this answer












          Active Directory rarely has anonymous read enabled, so you need to bind before performing any searches. I use a dedicated "system" account for this (you can use yours, but then the whole thing falls over next time you change your password). Below is what I use for a form that handles user authentication. This is LDAPS, which requires that your java instance trusts the signer of the directory cert -- it's often easier to start with clear text LDAP, get everything working, then switch over to SSL.



          <!--- If the server has been defined, run the query --->
          <CFIF IsDefined("form.server")>
          <!--- check to see that there is a name listed --->
          <CFIF form.name is not "">
          <!--- make the LDAP query --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="cn=YOURSYSTEMIDGOESHERE,ou=systemids,dc=my,dc=server,dc=com"
          password="YOURPASSWORDGOESHERE"
          name="getldap"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          scope="subtree"
          filter="(&(objectclass=user)(sAMAccountName=#form.uid#))"
          secure="CFSSL_BASIC"
          maxrows="10">
          <CFIF getldap.RecordCount GT 1>
          <!--- Too many accounts exist in LDP, throw message to call the help desk --->
          <CFELSEIF getldap.RecordCount EQ 0>
          <!--- User does not exist in directory, fail auth --->
          <CFELSE>
          <!--- Attempt Authentication using supplied credentials --->
          <cfldap action="QUERY"
          server="my.server.com"
          port="636"
          username="#getldap.dn#"
          password="#form.password#"
          name="attemptauth"
          secure="CFSSL_BASIC"
          start="CN=Users,DC=my,DC=server,DC=com"
          attributes="dn"
          >
          <!--- Do something here to catch errors, on return code 0, auth is successful --->
          <!--- Error code 19, hex 0x13) is a locked out account and fail auth --->
          <!--- Error code 49, hex 0x31) is an invalid password error and fail auth --->
          <!--- Other errors are system-type problems, throw try again / call help desk type error --->
          </CFIF>
          </CFIF>
          </CFIF>


          asdfa







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 19 at 19:19









          LisaJ

          608111




          608111












          • I had a service account created, and they tested it to make sure it works in regular LDAP. I tried using it in my cfldap tag and now I'm getting the error: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
            – Todd K
            Nov 29 at 15:04




















          • I had a service account created, and they tested it to make sure it works in regular LDAP. I tried using it in my cfldap tag and now I'm getting the error: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
            – Todd K
            Nov 29 at 15:04


















          I had a service account created, and they tested it to make sure it works in regular LDAP. I tried using it in my cfldap tag and now I'm getting the error: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
          – Todd K
          Nov 29 at 15:04






          I had a service account created, and they tested it to make sure it works in regular LDAP. I tried using it in my cfldap tag and now I'm getting the error: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
          – Todd K
          Nov 29 at 15:04




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53379523%2fhow-can-i-successfully-bind-with-cfldap%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

          Alcedinidae

          Origin of the phrase “under your belt”?