I want to first say that unfortunately I am unable to change the code in this specific scenario, and that the code works everywhere except for this one installation. I suspect a configuration/permissions/trust issue, and I am hoping to get advice on how to modify the environment to fix this.

In this specific place, after running the Search() method on LdapConnection, I get an LdapSearchQueue that does not contain an LdapSearchResult for some reason. Note that the LdapSearchQueue does contain other messages (specifically LdapSearchResultReference and LdapResponse), just not the LdapSearchResult. I can manually examine the AD and see that theoretically it should have the correct response.

Obviously it ends up with entry being null.

```csharp
var filter = $"(&(objectClass=User)(sAMAccountName={<user_name>}))";
var searchBase = "DC=<domain_name>,DC=com";
var search = conn.Search(searchBase, LdapConnection.SCOPE_SUB, filter, null, false, null, null);
LdapMessage message;
LdapEntry entry = null;
while ((message = search.getResponse()) != null)
{
    if (!(message is LdapSearchResult searchResultMessage))
    {
        continue;
    }
    entry = searchResultMessage.Entry;
}
```

Any advice is appreciated.

concentriq
  • Well, we don't see any binding nor the filter. Besides there might simply be no matches. Have you tried using some LDAP browser with same authentication and filters? – DerSchnitz Nov 23 '20 at 23:44
  • @schnitz77. Thank you. I updated the question: I didn't add binding/filter because it works/should work, but I am adding the filter. I also noted that the `LdapSearchQueue` does contain other messages (specifically `LdapSearchResultReference` and `LdapResponse`), just not the `LdapSearchResult`. I can manually examine the AD and see that theoretically it should have the correct response. – concentriq Nov 24 '20 at 00:14
  • Thanks. I'm a bit confused as you mentioned Novell - is it an eDirectory or an Active Directory you are querying? The former doesn't necessarily have sAMAccountName at all, depending on installed directory extensions. – DerSchnitz Nov 24 '20 at 00:38
  • @schnitz77: this is Active Directory. If AD was not configured to have sAMAccountName, would it then fail to get anything in the `LdapSearchQueue`? We do get some messages in the search result: it's just that a specific message is missing. – concentriq Nov 24 '20 at 14:54
  • Ok, got it now, you are querying an Active Directory using NuGet package Novell.Directory.Ldap, sorry for the confusion. I imagine you don't get any match if it's a pre-Windows 2000 domain but that would not match up your manual examination. – DerSchnitz Nov 24 '20 at 22:09

1 Answer

In this specific case, the UPN and sAMAccountName attributes were different (the result of a migration from a number of years back), whereas normally these have the same value. The UPN was provided on the client application and used to successfully authenticate (for UPN); however, using the same value for sAMAccountName returned an error.

concentriq
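The mismatch described in this answer, as an added example that is not part of the original post or the library's own code: a filter that matches the login against either sAMAccountName or userPrincipalName (escaped per RFC 4515), plus a tally of the message kinds in the queue so that "referrals and a final response but no entry" is visible as a no-match result. `AdUserLookup`, `EscapeFilterValue`, `BuildUserFilter` and `Tally` are hypothetical names; the queue calls are the ones used in the question.

```csharp
using System.Collections.Generic;
using System.Text;
using Novell.Directory.Ldap;

// Added example; class and method names are hypothetical.
public static class AdUserLookup
{
    // RFC 4515 escaping, so the supplied login cannot change the filter structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (var b in Encoding.UTF8.GetBytes(value))
        {
            // Escape filter metacharacters, NUL and every non-ASCII byte as \xx.
            if (b == '*' || b == '(' || b == ')' || b == '\\' || b == 0 || b > 0x7F)
                sb.Append('\\').Append(b.ToString("x2"));
            else
                sb.Append((char)b);
        }
        return sb.ToString();
    }

    // Matches the account whether the login is its sAMAccountName or its UPN.
    public static string BuildUserFilter(string login)
    {
        var v = EscapeFilterValue(login);
        return $"(&(objectClass=User)(|(sAMAccountName={v})(userPrincipalName={v})))";
    }

    // Drains the queue and counts each message kind. Zero LdapSearchResult
    // messages next to LdapSearchResultReference and LdapResponse means the
    // server answered, but no entry under the search base matched the filter.
    public static Dictionary<string, int> Tally(LdapSearchQueue queue, out LdapEntry entry)
    {
        var counts = new Dictionary<string, int>();
        entry = null;
        LdapMessage message;
        while ((message = queue.getResponse()) != null)
        {
            var kind = message.GetType().Name;
            counts[kind] = counts.TryGetValue(kind, out var n) ? n + 1 : 1;
            if (message is LdapSearchResult result && entry == null)
                entry = result.Entry; // keep the first matching entry
        }
        return counts;
    }
}
```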