LDAP / Active Directory UserX Logon only anonymous bind?

Hello,

Is it true that with the MappUserX component only anonymous binds are possible?
In other words, are only connections to an LDAPS server without username and password possible? Or am I wrong?


No this is not true. I’ve attached an example using LDAPS with username/password (389 Directory Server though).
Hope you can use it :slight_smile:

ldapExample.zip (3.7 MB)

Sorry @mads.andersen, I can’t see the point in your example where a password is used to bind to the LDAPS server.

There are two main ways to bind to an LDAPS server:

  1. Via anonymous bind, meaning without authentication. It’s often disabled for security reasons.

  2. Bind with password, meaning that the client provides a Distinguished Name (DN) (like cn=admin,dc=example,dc=com) and a password.

Hi @dividebyzero ,

The 389 Directory Server is hosted on a B&R internal network, so unfortunately you can’t test the example without creating your own server. I do use the username/password in the sample task and it can log in:

And the DN is specified in the configuration view:

One side note: the MpUserX LDAP only works with encryption (e.g. LDAPS). I read that somewhere but can’t remember the reference.

The MpUserXLogin just queries the LDAP repository, but you need to bind with credentials first; if not, it’s an anonymous bind. It looks like this is an anonymous bind. It’s not an authenticated bind.
Everyone can query the LDAP server if it is an anonymous bind.

I don’t think you are right but I am no expert in this area.

I checked the runtime logs after logging in with MpUserXLogin, and it confirms the bind is indeed authenticated. Here is the log entry:

So the user credentials (username/password) are used at login to create a session with an actual DN - meaning it’s a proper authenticated bind. This supports that MpUserXLogin does not perform an anonymous bind when credentials are provided at runtime.

If it was an anonymous bind it wouldn’t use a DN + password, and if I change just 1 char in the password the login fails.

Authenticated bind uses a cn like “cn=Admin” as the Bind DN (Distinguished Name). But if I am wrong, how do you set this bind up with mappView? And how do you query a user after authentication with your bind user Support_User1?
If you do not log in with Support_User1, you can not query any user from the directory, because it is not an anonymous bind, right?

Authenticated binds don’t have to use cn=… as the DN - it depends on the LDAP schema. In my case, the server uses uid attributes.
My DN is dynamically constructed at login using the username entered in MpUserXLogin and the base DN (UserLocationDN) set in the XML config (you can see the uid in the logger entry I sent earlier).

Regarding your last question. You’re right: if I don’t log in, I can’t query anything from the LDAP server. That’s exactly why this is not an anonymous bind. The system requires the user to authenticate with username and password, and only then does it query the directory under that user’s session.
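The bind types discussed in this thread (anonymous vs. authenticated) and the DN built from the entered username plus the UserLocationDN base, as an added stand-alone model that is not code from the thread or from B&R's mapp UserX. The directory contents, the base DN and the user are constructed sample data; `UserLocationDN` is reused here only as a variable name, and the `hash_password` helper stands in for whatever the real server stores.

```python
# Added example: stdlib-only model of anonymous / authenticated LDAP simple binds.
# The in-memory directory replaces the 389 Directory Server from the thread.
import hashlib
import hmac

def escape_rdn_value(value: str) -> str:
    """Escape a user-entered value for use inside a DN (RFC 4514 specials plus '='),
    so a username like 'bob,ou=admins' cannot rewrite the bind DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, len(value) - 1):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)

def build_bind_dn(username: str, user_location_dn: str, attr: str = "uid") -> str:
    """Mirror the login component: '<attr>=<username>,<UserLocationDN>'."""
    return f"{attr}={escape_rdn_value(username)},{user_location_dn}"

def hash_password(password: str) -> str:
    """Constructed credential store format: SHA-256 hex of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

class SampleDirectory:
    """Constructed in-memory stand-in for an LDAP server (DN -> hash_password)."""
    def __init__(self, entries: dict):
        self._entries = entries

    def bind(self, dn: str, password: str) -> str:
        """Classify a simple bind the way RFC 4513 section 5.1 does."""
        if dn == "" and password == "":
            return "anonymous"          # no identity, no credentials
        if dn != "" and password == "":
            # RFC 4513 5.1.2 'unauthenticated' bind: a name with an empty password.
            # Servers should refuse it; otherwise an empty password is a silent
            # anonymous login that the caller mistakes for success.
            return "rejected-unauthenticated"
        stored = self._entries.get(dn)
        if stored is not None and hmac.compare_digest(stored, hash_password(password)):
            return "authenticated"
        return "rejected-invalid-credentials"

    def can_search(self, bind_result: str) -> bool:
        """Policy from the thread: only an authenticated session may query users."""
        return bind_result == "authenticated"
```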

Ok, I understand, you do not have just one bind user per application, you have many bind users per application. Right?

Can you send me the configuration of the 389 Directory Server?

Unfortunately no :frowning: .

When I have the time I would like to set up my own Directory Server, but I didn’t find the time yet.