
I'm currently trying to access Active Directory via the dbms_ldap API in PL/SQL (Oracle). The trouble is that I'm not able to connect with my own username and password or anonymously.

However, in C# I can connect anonymously with this code :

using System.DirectoryServices;

// No explicit credentials are passed: the entry binds with the caller's current Windows security context (Negotiate).
DirectoryEntry ldap = new DirectoryEntry("LDAP://Hostname");
DirectorySearcher searcher = new DirectorySearcher(ldap);
searcher.Filter = "(SAMAccountName=username)";   // look up one account by its logon name
SearchResult result = searcher.FindOne();

If I try to connect anonymously in Oracle, I only get the error (ORA-31202: LDAP client/server error) when I try to search (and the result code for the bind is SUCCESS)...

my_session := dbms_ldap.init('HOST','389');                               -- open a session to the AD host on the plain LDAP port
retval := dbms_ldap.simple_bind_s(my_session, '', '');                    -- empty DN and password: a true anonymous bind
retval := dbms_ldap.search_s(my_session, ldap_base,  dbms_ldap.scope_subtree, 'objectclass=*', my_attrs, 0, my_message);  -- subtree search below ldap_base

Why does the anonymous connection work in C# but not in PL/SQL? Do you have any other idea how to connect to Active Directory via Oracle?

Help me reunite them together.
Thanks.

Edit 1
When I bind with anonymous credentials I get :

ORA-31202: DBMS_LDAP: LDAP client/server error
00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection

And if I try to connect with my credentials, which are supposed to be valid since I'm connected to the domain with them... I get:

ORA-31202: DBMS_LDAP: LDAP client/server error Invalid credentials
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error

Could it be possible that the Active Directory doesn't allow external LDAP actions like these ones?

Edit 2
Taking a look at the 'result' variable, in C#, I get this value for the 'Path' property :
LDAP://SERVER_OR_DOMAIN/CN=LAST_NAME\,FIRST_NAME,OU=OU1,OU=OU2,OU=OU3,OU=OU4,DC=SERVER_NAME,DC=EXT1,DC=EXT2

Maybe with this info you can help me solve the issue; it might be possible that the AD doesn't allow anonymous connections. Knowing the 'Path' property, what would be the 'ldap_base', 'ldap_user' and 'ldap_passwd'?

ALOToverflow
  • Is the c# code being run from the same machine? – Matthew Watson Mar 30 '10 at 06:00
  • No. But would that make any difference considering they are on the same domain? – ALOToverflow Mar 30 '10 at 11:33
  • It could well do; it depends what firewall rules are in place. Can you telnet directly to port 389 from the Oracle host? – Matthew Watson Mar 30 '10 at 12:02
  • What is the exact error? I get additional info after LDAP client/server error. ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid DN syntax _OR_ ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. NDS error: _OR_ ORA-31202: DBMS_LDAP: LDAP client/server error: Inappropriate authentication. Anonymous Simple Bind Disabled. – Rob van Laarhoven Mar 30 '10 at 12:19
  • Added details about the errors I get. @Matthew Watson : I'm not familiar with telnet, but looks like I can connect and ping the server correctly. – ALOToverflow Mar 30 '10 at 12:33

1 Answer


Solved the problem after a hard day scratching my head for a few hours.

AD doesn't allow anonymous access by default. Therefore, I had to find the correct 'distinguishedName' in order to get access (which is the long string without the 'LDAP://SERVER_OR_DOMAIN/').

If you ever encounter the '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error' error you should refer to this thread or this serverfault question.

Thanks for the help.

ALOToverflow
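The answer above gives the fix (bind with the account's full distinguishedName instead of an empty DN); the following PL/SQL block is an added example, not code from the question or the answer, that puts the pieces together. It assumes the hostname, the base DN and the bind DN are the placeholders taken from the Path value shown in Edit 2, and that the password is supplied by the reader. Two points worth knowing when reading it: the C# snippet is not really anonymous, since DirectoryEntry with no credentials authenticates with the caller's Windows token, whereas simple_bind_s with an empty DN is a true anonymous bind, which AD rejects for searches; and a simple bind on port 389 sends the password in clear text, so outside a test setup the session should be wrapped with dbms_ldap.open_ssl (port 636) before binding.

```plsql
-- Added example (not from the original question or answer).
-- Authenticated bind with a distinguishedName, then a search for one account.
-- Placeholders below are assumed values derived from the Path in Edit 2.
DECLARE
  l_host     VARCHAR2(256) := 'SERVER_OR_DOMAIN';                         -- placeholder host
  l_port     VARCHAR2(5)   := '389';                                      -- plain LDAP port; use 636 + open_ssl in production
  -- ldap_base: the domain part of the Path (everything from the first DC= onward)
  l_base     VARCHAR2(512) := 'DC=SERVER_NAME,DC=EXT1,DC=EXT2';
  -- ldap_user: the Path without the leading 'LDAP://SERVER_OR_DOMAIN/'.
  -- Keep the backslash before the comma in the CN; it escapes the comma inside the RDN.
  l_bind_dn  VARCHAR2(512) := 'CN=LAST_NAME\,FIRST_NAME,OU=OU1,OU=OU2,OU=OU3,OU=OU4,DC=SERVER_NAME,DC=EXT1,DC=EXT2';
  l_bind_pw  VARCHAR2(256) := 'REPLACE_WITH_PASSWORD';                    -- placeholder, never hard-code in real code
  l_session  dbms_ldap.session;
  l_attrs    dbms_ldap.string_collection;
  l_result   dbms_ldap.message;
  l_entry    dbms_ldap.message;
  l_vals     dbms_ldap.string_collection;
  l_rc       PLS_INTEGER;
BEGIN
  -- Raise ORA-31202 on failures instead of silently returning an error code.
  dbms_ldap.use_exception := TRUE;

  l_session := dbms_ldap.init(l_host, l_port);

  -- Authenticated simple bind. With an empty DN this would be the anonymous
  -- bind that AD reports as "a successful bind must be completed on the connection".
  l_rc := dbms_ldap.simple_bind_s(l_session, l_bind_dn, l_bind_pw);

  -- Request only the attributes needed; same filter idea as the C# snippet.
  l_attrs(1) := 'distinguishedName';
  l_attrs(2) := 'sAMAccountName';
  l_rc := dbms_ldap.search_s(l_session, l_base, dbms_ldap.scope_subtree,
                             '(sAMAccountName=username)', l_attrs, 0, l_result);

  dbms_output.put_line('entries found: ' || dbms_ldap.count_entries(l_session, l_result));

  -- Walk the result set and print the DN of each matching entry.
  l_entry := dbms_ldap.first_entry(l_session, l_result);
  WHILE l_entry IS NOT NULL LOOP
    dbms_output.put_line('dn: ' || dbms_ldap.get_dn(l_session, l_entry));
    l_vals := dbms_ldap.get_values(l_session, l_entry, 'sAMAccountName');
    IF l_vals.COUNT > 0 THEN
      dbms_output.put_line('sAMAccountName: ' || l_vals(l_vals.FIRST));
    END IF;
    l_entry := dbms_ldap.next_entry(l_session, l_entry);
  END LOOP;

  l_rc := dbms_ldap.msgfree(l_result);
  l_rc := dbms_ldap.unbind_s(l_session);
EXCEPTION
  WHEN OTHERS THEN
    -- Release the session, then re-raise so the ORA-31202 text (e.g. the
    -- AcceptSecurityContext comment) reaches the caller for diagnosis.
    BEGIN
      l_rc := dbms_ldap.unbind_s(l_session);
    EXCEPTION WHEN OTHERS THEN NULL; END;
    RAISE;
END;
/
```

Run it from SQL*Plus with SERVEROUTPUT ON. If the bind still fails with the AcceptSecurityContext error, check the DN character by character (escaped comma included); AD also accepts the userPrincipalName form (user@domain) as the bind identity for a simple bind, which avoids the long DN altogether.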