java authentication on OpenLDAP without OU in base gives invalid credentials

Question

My scope is to authenticate only with uid=User,dc=ldap,dc=com. With this base I get the following error LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials')

I can succesfull authenticate with a Java application to an OpenLDAP with the following base: uid=User,ou=People,dc=ldap,dc=com. So without writing the multiple organizational units that the user is part of. I was also able to authenticate on a different environment to ActiveDirectory only with uid=User,dc=com but not on OpenLDAP.

• Is there a setting on OpenLDAP that I missed?
• Is there something in Java that I can use for workaround? I would prefer a solution with JNDI.

In java I used JNDI and also UnboundID for test. These are the java connection settings:

    //JNDI Connection
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "uid=User,dc=com");
    env.put(Context.SECURITY_CREDENTIALS, password);

    //UnboundID connection
    LDAPConnection ldapConnection = new LDAPConnection(ip, 389, "dc=ldap,dc=com", pswrd);

File ldap.conf:

BASE dc=ldap,dc=com

File slapd.conf:

suffix      "dc=ldap,dc=com";
rootdn      "cn=Manager,dc=ldap,dc=com"

Answer 1

Is there a setting on OpenLDAP that I missed?

No.

Is there something in Java that I can use for workaround?

No. You have to provide the full DN.

Answer 2

You will always need a Fully Qualified Distinguished name. (Except for a few exceptions with Microsoft Active Directory).

You are always better off to perform a search for the user (Some examples )

-jim