Trying to query Active Directory via command line for searching all. Please let me know what this error refers to.
./ldapsearch -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com" -s sub "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <ou=users,DC=SFBAY,DC=keypairtech,DC=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
I'm looking to extract -b option and -D from AD. Please if anyone is aware let me know.
Thanks
Santosh
Santosh Kumar wrote:
Trying to query Active Directory via command line for searching all. Please let me know what this error refers to.
./ldapsearch -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com" -s sub "objectclass=*"
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
As already said in this thread MS AD does not allow anonymous access (except read access to some configuration data). You have to bind as a domain user. Something like this:
./ldapsearch -x -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com" -D "cn=myaccount,ou=users,DC=SFBAY,DC=tech,DC=com" -W -s sub "objectclass=*"
Obviously you have to know the bind-DN in advance.
i'm looking to extract -b option and -D from AD
I'm not sure what you mean here.
Ciao, Michael.
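As an added example (not part of the thread and not OpenLDAP's own code), the following shell script wraps the bound ldapsearch call Michael describes and decodes the "result" and "data" fields in the LDIF output that AD returns, so a reader can tell an unbound search (the original poster's case) from a failed bind. The host and base DN are the thread's; the bind DN, the constructed bad-password sample and its DSID are placeholders. The data-code table is Microsoft's documented set of AD bind failure sub-codes.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP: a bound ldapsearch
# wrapper for AD plus a decoder for the "data NNN" code in AD's diagnostic
# text. Host and base DN come from the thread; the bind DN is a placeholder.

AD_HOST="${AD_HOST:-10.10.10.50}"
BASE_DN="${BASE_DN:-ou=users,DC=SFBAY,DC=tech,DC=com}"
BIND_DN="${BIND_DN:-cn=myaccount,ou=users,DC=SFBAY,DC=tech,DC=com}"   # placeholder account

# Simple bind (-x) as a domain account. -W prompts for the password so it
# stays out of the shell history and the process list; -ZZ insists on
# StartTLS so the simple-bind password is not sent in clear text.
ad_search() {
    ldapsearch -x -ZZ -H "ldap://$AD_HOST" \
        -D "$BIND_DN" -W \
        -b "$BASE_DN" -s sub "(objectClass=*)" "$@"
}

# Meaning of the hex "data" code AD appends to bind failures (result 49).
ad_data_meaning() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "bad password for an existing account" ;;
        530) echo "logon not permitted at this time" ;;
        531) echo "logon not permitted from this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        *)   echo "unknown data code $1" ;;
    esac
}

# Read ldapsearch LDIF output on stdin and print a one-line diagnosis.
ad_error_hint() {
    # LDIF folds long values onto lines that start with a space (that is why
    # the thread shows "ope ration"); join them before pattern-matching.
    unfolded=$(awk '/^ / { buf = buf substr($0, 2); next }
                    NR > 1 { print buf }
                    { buf = $0 }
                    END { print buf }')
    result=$(printf '%s\n' "$unfolded" | sed -n 's/^result: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    data=$(printf '%s\n' "$unfolded" | sed -n 's/.*, data \([0-9a-fA-F][0-9a-fA-F]*\),.*/\1/p' | head -n 1)
    case "$result" in
        1)  meaning="Operations error: search sent before a successful bind; bind first with -x -D <dn> -W" ;;
        49) meaning="Invalid credentials: $(ad_data_meaning "$data")" ;;
        *)  meaning="LDAP result code ${result:-unknown}" ;;
    esac
    echo "result=${result:-?} data=${data:-?}: $meaning"
}

# The output the original poster pasted: result 1 plus the "bind must be
# completed" comment is what AD returns for a search on an unbound connection.
SAMPLE_NOBIND='search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
 ration a successful bind must be completed on the connection., data 0, vece'

# Constructed sample of a failed simple bind (the DSID is a placeholder).
SAMPLE_BADPW='result: 49 Invalid credentials
text: 80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 52e, vece'

printf '%s\n' "$SAMPLE_NOBIND" | ad_error_hint
printf '%s\n' "$SAMPLE_BADPW" | ad_error_hint
```

Run a real query with `ad_search 2>&1 | ad_error_hint` (or `ad_search sAMAccountName cn` to limit the returned attributes); the two sample blocks at the bottom only exercise the decoder and need no directory. The wrapper deliberately uses `-W` rather than `-w password` and forces StartTLS, because a simple bind sends the domain password in the clear otherwise.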
Santosh Kumar wrote:
Trying to query Active Directory via command line for searching all. Please let me know what this error refers to.
./ldapsearch -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com" -s sub "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <ou=users,DC=SFBAY,DC=keypairtech,DC=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
I'm looking to extract -b option and -D from AD. Please if anyone is aware let me know.
Thanks
Santosh
Your mail looks unreadable. In any case, the error looks specific to AD; did you try any Microsoft AD-specific or generic forum?
p.
Ing. Pierangelo Masarati, OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
Hi santosh,
Your mail is not clear; what is it you are exactly looking for?
But as the error says, the objects you are trying to query would require you to bind to the Active Directory with a set of credentials.
Regards
Bharath
From: openldap-technical-bounces+bharath.kantrapati=gs.com@OpenLDAP.org [mailto:openldap-technical-bounces+bharath.kantrapati=gs.com@OpenLDAP.org] On Behalf Of Santosh Kumar
Sent: Tuesday, March 10, 2009 11:39 AM
To: openldap-technical@openldap.org
Subject: ldap-client connection to AD - LdapErr: DSID-0C090627,
Trying to query Active Directory via command line for searching all. Please let me know what this error refers to.
./ldapsearch -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com" -s sub "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <ou=users,DC=SFBAY,DC=keypairtech,DC=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
I'm looking to extract -b option and -D from AD. Please if anyone is aware let me know.
Thanks
Santosh
Hi Santosh,
If you want to run anonymous queries you can easily do that in Microsoft ADS. The link below is an excellent resource for doing that. I have myself achieved success with this know-how.
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
By default, you can query the root node but not any hierarchy, but with this you can query anything. Let me know if it works or not.
Thanks,
Sankhadip
Quoting "Kantrapati, Bharath" bharath.kantrapati@gs.com:
Hi santosh,
Your mail is not clear; what is it you are exactly looking for?
But as the error says, the objects you are trying to query would require you to bind to the Active Directory with a set of credentials.
Regards
Bharath
From: openldap-technical-bounces+bharath.kantrapati=gs.com@OpenLDAP.org [mailto:openldap-technical-bounces+bharath.kantrapati=gs.com@OpenLDAP.org] On Behalf Of Santosh Kumar
Sent: Tuesday, March 10, 2009 11:39 AM
To: openldap-technical@openldap.org
Subject: ldap-client connection to AD - LdapErr: DSID-0C090627,
Trying to query Active Directory via command line for searching all. Please let me know what this error refers to.
./ldapsearch -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com" -s sub "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <ou=users,DC=SFBAY,DC=keypairtech,DC=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
I'm looking to extract -b option and -D from AD. Please if anyone is aware let me know.
Thanks
Santosh
Sankhadip Sengupta wrote:
If you want to run anonymous queries you can easily do that in Microsoft ADS. The link below is an excellent resource for doing that. I have myself achieved success with this know-how.
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
As said: This is a massive change in the operational security of MS AD not appreciated by any AD admins I know. It's far more appropriate to get the LDAP bind right in your LDAP client.
Ciao, Michael.
This only allows "read" rights to some or all of a particular user not all.
For certain queries with the LDAP protocol this is required, especially if the client is not aware of the bind DN, password, etc.
It totally depends on the usage of the LDAP client and its requirements.
Also, just a note: even if the LDAP bind is successful in any ADS, if you do not have permissions to read in hierarchies other than the bind DN you will face the same issue.
Thank you,
Sankhadip
Quoting Michael Ströder michael@stroeder.com:
Sankhadip Sengupta wrote:
If you want to run anonymous queries you can easily do that in Microsoft ADS. The link below is an excellent resource for doing that. I have myself achieved success with this know-how.
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
As said: This is a massive change in the operational security of MS AD not appreciated by any AD admins I know. It's far more appropriate to get the LDAP bind right in your LDAP client.
Ciao, Michael.
Sankhadip Sengupta wrote:
Quoting Michael Ströder michael@stroeder.com:
Sankhadip Sengupta wrote:
If you want to run anonymous queries you can easily do that in Microsoft ADS. The link below is an excellent resource for doing that. I have myself achieved success with this know-how.
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
As said: This is a massive change in the operational security of MS AD not appreciated by any AD admins I know. It's far more appropriate to get the LDAP bind right in your LDAP client.
This only allows "read" rights to some or all of a particular user not all.
For certain queries with the LDAP protocol this is required, especially if the client is not aware of the bind DN, password, etc.
I don't want to be impolite, but I don't understand why you keep pointing the original poster in the wrong direction.
The OP seems to be rather a beginner trying to get familiar with connecting to AD via LDAP, just for binding and searching. It seems he was successful with the connect in the meantime but not with the bind. And now you're still telling him to muck around with the domain configuration without having further knowledge about his environment, administrative responsibilities and security requirements. To make it really clear: that's simply bad advice for a beginner. Period.
It totally depends on the usage of the LDAP client and its requirements.
Also, just a note: even if the LDAP bind is successful in any ADS, if you do not have permissions to read in hierarchies other than the bind DN you will face the same issue.
There might be some situations where an LDAP client app cannot properly bind to an LDAP service (e.g. AD). But then I'd rather deploy an LDAP proxy (OpenLDAP with back-ldap) and let the proxy bind to AD and provide anonymous access to this particular broken client app (e.g. restricted by ACL based on IP address). For this to work one has to first fully understand how binding works on the command line with ldapsearch. So back to basics...
Ciao, Michael.
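The proxy Michael sketches, as an added slapd.conf fragment that is not part of the thread and not taken from OpenLDAP's documentation. It assumes OpenLDAP 2.4 with the back-ldap module; the module path, the service-account DN and password, and the client address 192.0.2.10 are placeholders.

```conf
# Added example (not from the thread or the OpenLDAP project): a back-ldap
# proxy that binds to AD with a fixed, read-only service account and exposes
# anonymous read access to exactly one client host.
include     /etc/openldap/schema/core.schema
modulepath  /usr/lib/openldap          # placeholder: distribution-specific
moduleload  back_ldap

database    ldap
suffix      "DC=SFBAY,DC=tech,DC=com"
# Talk to AD over LDAPS so the service-account password never crosses the
# network in clear text (AD host taken from the thread).
uri         "ldaps://10.10.10.50/"
readonly    on

# The proxy binds once as a dedicated low-privilege account (placeholder DN)
# and runs every forwarded search under that identity (mode=none: the
# client's own identity is not asserted towards AD). Because this file holds
# the password, keep it readable by the slapd user only.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,ou=services,DC=SFBAY,DC=tech,DC=com"
                credentials="<service-account-password>"
                mode=none

# Only the one broken client, identified by source address, may read;
# every other peer gets nothing, so the proxy does not turn into an
# anonymous window onto the whole domain.
access to *
    by peername.ip=192.0.2.10 read
    by * none
```

The point of this arrangement is that the domain's own anonymous-access setting stays untouched: AD still refuses unbound searches, and the only credential that can read the directory lives on the proxy host, scoped by `readonly on`, by whatever rights the service account has in AD, and by the `peername.ip` rule. Test the proxy from the client host with `ldapsearch -x -H ldap://<proxy> -b "DC=SFBAY,DC=tech,DC=com" "(objectClass=*)"`; from any other host the same query should return no entries.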
I apologize if what I said was bad. I was just trying to help.
----- Original Message -----
From: "Michael Ströder" michael@stroeder.com
To: "Sankhadip Sengupta" sdsgupta@cs.utah.edu
Cc: openldap-technical@openldap.org
Sent: Tuesday, March 10, 2009 5:26 PM
Subject: Re: ldap-client connection to AD - LdapErr: DSID-0C090627,
Sankhadip Sengupta wrote:
Quoting Michael Ströder michael@stroeder.com:
Sankhadip Sengupta wrote:
If you want to run anonymous queries you can easily do that in Microsoft ADS. The link below is an excellent resource for doing that. I have myself achieved success with this know-how.
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
As said: This is a massive change in the operational security of MS AD not appreciated by any AD admins I know. It's far more appropriate to get the LDAP bind right in your LDAP client.
This only allows "read" rights to some or all of a particular user not all.
For certain queries with the LDAP protocol this is required, especially if the client is not aware of the bind DN, password, etc.
I don't want to be impolite, but I don't understand why you keep pointing the original poster in the wrong direction.
The OP seems to be rather a beginner trying to get familiar with connecting to AD via LDAP, just for binding and searching. It seems he was successful with the connect in the meantime but not with the bind. And now you're still telling him to muck around with the domain configuration without having further knowledge about his environment, administrative responsibilities and security requirements. To make it really clear: that's simply bad advice for a beginner. Period.
It totally depends on the usage of the LDAP client and its requirements.
Also, just a note: even if the LDAP bind is successful in any ADS, if you do not have permissions to read in hierarchies other than the bind DN you will face the same issue.
There might be some situations where an LDAP client app cannot properly bind to an LDAP service (e.g. AD). But then I'd rather deploy an LDAP proxy (OpenLDAP with back-ldap) and let the proxy bind to AD and provide anonymous access to this particular broken client app (e.g. restricted by ACL based on IP address). For this to work one has to first fully understand how binding works on the command line with ldapsearch. So back to basics...
Ciao, Michael.