jrdepriest has asked for the wisdom of the Perl Monks concerning the following question:

Howdy, gurus.
I am working on a project that requires me to connect to an instance of Active Directory / Application Mode (ADAM) using credentials from an unrelated Active Directory.
I am entirely unfamiliar with using Win32::OLE, so I have been struggling to get Net::LDAP with and without Authen::SASL to work.
I have had no luck.
Sample code?
I'll try.
Let's say I have an ADAM server adam.domain.com and an AD server ad.domain.com.
The application instance on ADAM is OU=BaseLevel,DC=Generic.
My user account in the Active Directory domain could be CN=jrdepriest,CN=Users,DC=domain,DC=com.
First failure:
#!/usr/bin/perl -w
use Net::LDAP;

$dn       = 'CN=jrdepriest,CN=Users,DC=domain,DC=com';
$password = 'password';

# connect to the ADAM instance with protocol debugging on
$ldap = Net::LDAP->new( 'adam.domain.com', debug => 2 ) or die $@;

# simple bind using the AD account's full DN
$result = $ldap->bind( $dn, password => $password );
die $result->error if $result->code;
result: 80090304: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 20ee, vece

Second failure:
#!/usr/bin/perl -w
use Net::LDAP;
use Authen::SASL;

$dn       = 'CN=jrdepriest,CN=Users,DC=domain,DC=com';
$user     = 'domain\jrdepriest';
$password = 'password';

# DIGEST-MD5 SASL mechanism; the callbacks supply the user name and password
$sasl = Authen::SASL->new(
    mechanism => 'DIGEST-MD5',
    callback  => { user => $user, pass => $password }
);

$ldap = Net::LDAP->new( 'adam.domain.com', debug => 2 ) or die $@;

# SASL bind instead of a simple bind
$result = $ldap->bind( $dn, sasl => $sasl );
die $result->error if $result->code;
result: 8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 52e, vece

I have tried many different variations (such as connecting to 'adam.domain.com/OU=BaseLevel,DC=Generic' instead of just 'adam.domain.com'), but the errors are always one of the two listed above.
I am sure it is just a simple matter of putting the proper values in the correct locations; I just haven't stumbled across the right approach yet.

Can anyone assist me?

Thanks!
Jason

Re: perl, adsi, ADAM, and AD
by jhourcle (Prior) on Jul 24, 2006 at 23:51 UTC
    die $result->error if $result->code;

    From my experience with LDAP, I'd say to look at the $result->code ... Sure $result->error gives more info, but because every vendor gives slightly different messages, it can be harder to find help online.

    I think what you're seeing is a code 49, which might be a bad DN or a bad password. (or the account's locked because you've failed too many times)

Re: perl, adsi, ADAM, and AD
by shmem (Chancellor) on Jul 24, 2006 at 23:36 UTC
    I have been doing some stuff with Active Directory and LDAP with perl, and have always had problems getting the stuff right. It seems that binding to a global catalog on port 3268 is more reliable than the default LDAP port (389). Then, binding with a full DN sometimes worked, sometimes didn't; surprisingly, binding with userPrincipalName (user@example.com) worked as well as binding with sAMAccountName without any further qualifier; the base DN must be right, however (and the password, of course.)

    The error you get sounds like either wrong base DN / search scope or wrong authentication mechanism. Tried kerberos?

    On which platform are you working? If you happen to work on some UNIX flavour with OpenLDAP installed, you might do a simple bind with ldapsearch, monitor the traffic with ethereal and compare the chatting to what perl produces.

    I have to do some updates to my code in an AD/perl environment in the next days; I'll update this comment once I get soaked with that stuff again... meanwhile, good luck with my feeble advice ;-)

    --shmem

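Taking jhourcle's advice to look at the numeric result code and shmem's list of identity forms together, here is an added Perl example (mine, not code from the thread): it parses the AD/ADAM extended error text into its HRESULT, DSID and "data" sub-code, and optionally attempts a simple bind with the DN, userPrincipalName and sAMAccountName forms of one account. With no arguments it only parses the two messages quoted in the question; the host, port and account names are assumptions supplied on the command line.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Split an AD/ADAM extended bind error such as
#   "8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 52e, vece"
# into its HRESULT, DSID and Win32 "data" sub-code (0x52e is ERROR_LOGON_FAILURE,
# i.e. wrong name or password). Returns undef if the text does not have that shape.
sub parse_ad_error {
    my ($msg) = @_;
    return undef unless defined $msg;
    my ($hres, $dsid, $data) = $msg =~
        /^([0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-([0-9A-Fa-f]+),.*?\bdata\s+([0-9A-Fa-f]+)/;
    return undef unless defined $data;
    return { hresult => uc $hres, dsid => uc $dsid, data => lc $data };
}

# Simple bind with one identity; report the numeric LDAP result code (49 =
# invalid credentials) and the parsed sub-code, not just the vendor's message.
sub try_bind {
    my ($host, $port, $identity, $password) = @_;
    my $ldap = Net::LDAP->new($host, port => $port) or die "connect $host:$port: $@";
    my $res  = $ldap->bind($identity, password => $password);
    my $ad   = parse_ad_error($res->error);
    printf "%-45s code=%d%s\n", $identity, $res->code,
        $ad ? " data=$ad->{data} hresult=$ad->{hresult}" : '';
    print "  -> invalid credentials: check DN/name, password, base DN and lockout\n"
        if $res->code == LDAP_INVALID_CREDENTIALS;
    $ldap->unbind;
    return $res->code == LDAP_SUCCESS;
}

# Constructed input: the two messages quoted in the question.
for my $msg ('80090304: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 20ee, vece',
             '8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 52e, vece') {
    my $ad = parse_ad_error($msg) or next;
    printf "hresult=%s dsid=%s data=%s\n", @{$ad}{qw(hresult dsid data)};
}

# Optional live check (hypothetical values): perl bindcheck.pl HOST PORT DN UPN SAM PASSWORD
# Port 3268 (global catalog) is the alternative shmem reports as more reliable.
if (@ARGV == 6) {
    my ($host, $port, $dn, $upn, $sam, $password) = @ARGV;
    # the forms shmem reports as working: full DN, userPrincipalName, sAMAccountName
    for my $identity ($dn, $upn, $sam) {
        last if try_bind($host, $port, $identity, $password);
    }
}
```

The parser only recognises the Microsoft wording; against another directory product it returns undef and the plain result code is all you get, which is exactly why comparing `$result->code` is the portable check.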
Re: perl, adsi, ADAM, and AD
by Khen1950fx (Canon) on Jul 25, 2006 at 03:20 UTC
    I agree with jhourcle and shmem. As to what causes an error 49 (bad credentials): I think that the problem lies in the registry. From Microsoft's ADAM FAQs:

    "When the computer running ADAM is joined to a workgroup, you must set the registry key HKEY_LOCAL_MACHINE\SYSTEM\Current\ControlSet\Control\Lsa\forceguest to 0. The default is 1."

    In other words, if your computer is joined to a workgroup and the registry isn't reset to reflect that then you'll get the errors that you are getting. If you're not part of a workgroup, then it's probably a bad DN or password. See:

    ADAM FAQs

    For LDAP Error Codes see:

    LDAP Binding Error Codes

    Update: Here's a complete list of LDAP Binding Error Codes:

    From Microsoft

    And a clearer chart:

    LDAP Error Codes

      The error code is indeed 49.

      The system is a member of an Active Directory domain and not in a workgroup.

      The system I am working with is a Windows XP Professional SP1 system with ActiveState Perl 5.6 build 638.

      I will certainly dig through the charts listed.