Connecting using DN fails, have to use email address

Hi, I'm experiencing a problem at a client with the following command:
../ldapsearch -T -h corpntpd01 -p 389 -w <password> -D
"CN=rndtest,OU=Generic User IDS,DC=soft,DC=com" -b
"cn=users,dc=soft,dc=com" "(sAMAccountName=bob)"

However this command works
../ldapsearch -T -h corpntpd01 -p 389 -w <password> -D
"rndtest@soft.com" -b "cn=users,dc=soft,dc=com" "(sAMAccountName=bob)"
(the only change is in the argument to "-D")

Basically, even though the dn specified seems to be correct, it does
not work. This is the error we get:
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C090334,
comment: AcceptSecurityContext error, data 525, vec

The client is able to use the email address, but it's my understanding
that DN has to work, and the application is built on that premise.

Please let me know what you think the issue is, such as is it possible
to disable DN access somehow? or is there something else preventing DN
from working.

I do not have access to client machine, the customer support has been
handling the issue, but I'd like to understand it in more detail, and
any pointers are greatly appreciated.

Thank you.
Alex

Usually this means that the DN is not correct. Are you sure that is right?

I also suggest you not deploy an application that uses LDAP simple bind
unless you are doing to deploy SSL on the domain controller as well and
connect via SSL.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<anywherenotes@gmail.com> wrote in message
news:158e9bf6-6100-4aaf-bc02-b0a39e82b494@d45g2000hsc.googlegroups.com...
> Hi, I'm experiencing a problem at a client with the following command:
> ./ldapsearch -T -h corpntpd01 -p 389 -w <password> -D
> "CN=rndtest,OU=Generic User IDS,DC=soft,DC=com" -b
> "cn=users,dc=soft,dc=com" "(sAMAccountName=bob)"
>
> However this command works
> ./ldapsearch -T -h corpntpd01 -p 389 -w <password> -D
> "rndtest@soft.com" -b "cn=users,dc=soft,dc=com" "(sAMAccountName=bob)"
> (the only change is in the argument to "-D")
>
> Basically, even though the dn specified seems to be correct, it does
> not work. This is the error we get:
> ldap_simple_bind: Invalid credentials
> ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C090334,
> comment: AcceptSecurityContext error, data 525, vec
>
> The client is able to use the email address, but it's my understanding
> that DN has to work, and the application is built on that premise.
>
> Please let me know what you think the issue is, such as is it possible
> to disable DN access somehow? or is there something else preventing DN
> from working.
>
> I do not have access to client machine, the customer support has been
> handling the issue, but I'd like to understand it in more detail, and
> any pointers are greatly appreciated.
>
> Thank you.
> Alex

Go into ADSIEdit and drill down to the user that you believe you have the
correct dn for. Go to properties and copy the DN from the user object and I
will bet you have a typo.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

<anywherenotes@gmail.com> wrote in message
news:158e9bf6-6100-4aaf-bc02-b0a39e82b494@d45g2000hsc.googlegroups.com...
> Hi, I'm experiencing a problem at a client with the following command:
> ./ldapsearch -T -h corpntpd01 -p 389 -w <password> -D
> "CN=rndtest,OU=Generic User IDS,DC=soft,DC=com" -b
> "cn=users,dc=soft,dc=com" "(sAMAccountName=bob)"
>
> However this command works
> ./ldapsearch -T -h corpntpd01 -p 389 -w <password> -D
> "rndtest@soft.com" -b "cn=users,dc=soft,dc=com" "(sAMAccountName=bob)"
> (the only change is in the argument to "-D")
>
> Basically, even though the dn specified seems to be correct, it does
> not work. This is the error we get:
> ldap_simple_bind: Invalid credentials
> ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C090334,
> comment: AcceptSecurityContext error, data 525, vec
>
> The client is able to use the email address, but it's my understanding
> that DN has to work, and the application is built on that premise.
>
> Please let me know what you think the issue is, such as is it possible
> to disable DN access somehow? or is there something else preventing DN
> from working.
>
> I do not have access to client machine, the customer support has been
> handling the issue, but I'd like to understand it in more detail, and
> any pointers are greatly appreciated.
>
> Thank you.
> Alex