
LDAP Bind #86

Open
shep2644 opened this issue Jun 2, 2020 · 6 comments

Comments

@shep2644

shep2644 commented Jun 2, 2020

We have two instances of MIM using MIMWAL. One instance is dev and one is prod. The dev system, when making an anonymous bind to SunDS, will perform a bind and search the directory. On the other hand, the production system will not.

What we see is an error in our production MIM that states "The username or password are incorrect". When using Wireshark, we don't even see a bind. Below are the results from Wireshark. Both instances of MIM are running version 2.19..0112.0

Protocol Length Info
TCP 66 60994  >  389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
TCP 62 389  >  60994 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
TCP 54 60994  >  389 [ACK] Seq=1 Ack=1 Win=64240 Len=0
LDAP 404 searchRequest(112) "" baseObject
TCP 60 389  >  60994 [ACK] Seq=1 Ack=351 Win=4730 Len=0
LDAP 823 searchResEntry(112) ""  | searchResDone(112) success  [1 result]
LDAP 65 unbindRequest(116)
TCP 54 60994  >  389 [FIN, ACK] Seq=362 Ack=770 Win=63471 Len=0
TCP 60 389  >  60994 [ACK] Seq=770 Ack=362 Win=4741 Len=0
TCP 60 389  >  60994 [ACK] Seq=770 Ack=363 Win=4741 Len=0
TCP 60 389  >  60994 [FIN, ACK] Seq=770 Ack=363 Win=4741 Len=0
TCP 54 60994  >  389 [ACK] Seq=363 Ack=771 Win=63471 Len=0
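Added example (not code from the issue or from MIMWAL): a small triage script that reads the Wireshark Info column of a capture like the one above and reports whether any bindRequest preceded the searchRequest and how the bind ended, which is the first thing to check when MIM reports "username or password are incorrect". The capture strings are constructed: the first copies the LDAP lines above, the other two are made-up contrast sessions using the placeholder DN uid=svc,ou=people,dc=example,dc=com.

```python
import re
# Constructed sample: the Info column of the capture posted above (no bind before the search).
NO_BIND_CAPTURE = """\
LDAP 404 searchRequest(112) "" baseObject
LDAP 823 searchResEntry(112) ""  | searchResDone(112) success  [1 result]
LDAP 65 unbindRequest(116)
"""
# Constructed contrast sessions (made up, not from the issue): a simple bind that succeeds, and one rejected.
AUTH_CAPTURE = """\
LDAP 100 bindRequest(1) "uid=svc,ou=people,dc=example,dc=com" simple
LDAP 60 bindResponse(1) success
LDAP 404 searchRequest(2) "ou=people,dc=example,dc=com" wholeSubtree
LDAP 200 searchResEntry(2) "uid=jdoe,ou=people,dc=example,dc=com"  | searchResDone(2) success  [1 result]
LDAP 65 unbindRequest(3)
"""
BAD_BIND_CAPTURE = """\
LDAP 100 bindRequest(1) "uid=svc,ou=people,dc=example,dc=com" simple
LDAP 60 bindResponse(1) invalidCredentials
LDAP 65 unbindRequest(2)
"""
# Operation, message id and the rest of the Info text. searchResEntry is left out on purpose so the
# searchResDone that shares its line is what gets matched.
LDAP_OP = re.compile(r"\b(bindRequest|bindResponse|searchRequest|searchResDone)\((\d+)\)\s*(.*)")

def ldap_ops(summary):
    # (operation, message id, trailing Info text) for every LDAP frame line
    return [(m.group(1), int(m.group(2)), m.group(3).strip())
            for line in summary.splitlines() if line.startswith("LDAP")
            for m in LDAP_OP.finditer(line)]

def classify_session(summary):
    """Record the bind (if any) and which searches the server handled as anonymous."""
    state = {"bind_dn": None, "bind_result": None, "anonymous_searches": [], "search_results": {}}
    authenticated = False
    for op, msgid, info in ldap_ops(summary):
        if op == "bindRequest":       # Info: "<dn>" simple ; an empty DN is an anonymous bind
            state["bind_dn"] = info.split('"')[1] if '"' in info else ""
        elif op == "bindResponse":    # Info: success | invalidCredentials | ...
            state["bind_result"] = info.split()[0]
            authenticated = state["bind_result"] == "success" and bool(state["bind_dn"])
        elif op == "searchRequest" and not authenticated:
            state["anonymous_searches"].append(msgid)   # server applies its anonymous ACLs here
        elif op == "searchResDone":
            state["search_results"][msgid] = info.split()[0]
    return state

def triage(summary):
    # One-line verdict for the responder
    s = classify_session(summary)
    if s["bind_result"] is None and s["anonymous_searches"]:
        return "no bindRequest: the search ran anonymously, so the directory's anonymous ACLs decide what is visible"
    if s["bind_result"] not in (None, "success"):
        return f"bind rejected ({s['bind_result']}) for {s['bind_dn']!r}"
    return f"authenticated as {s['bind_dn']!r}; {len(s['search_results'])} search(es) completed"
```

Run `triage()` over each capture to see the three verdicts; a dev and prod capture that differ here point at the directory's ACLs or the bind identity rather than at MIM itself.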
@NileshGhodekar
Contributor

Hi @shep2644, as the wiki for the Generate Unique Value Activity mentions, "All queries are executed under the context of the FIMService account." So unless the directory allows access to the MIMService account (unlikely if the directory does not support AD authentication) or anonymous access (which would be unlikely for a production system), this is not going to work.

@shep2644
Author

shep2644 commented Jun 2, 2020

Our directory does support anonymous bind. Also, our dev, which is the same as prod, can connect to the directory. That's what's so odd.

@NileshGhodekar
Contributor

Anonymous bind does not mean anonymous access to search anything in the directory. This thread may be helpful: https://community.oracle.com/thread/2011892

@shep2644
Author

shep2644 commented Jun 3, 2020

Thank you, Nilesh. I appreciate your assistance. We got it figured out. We compiled a custom version of MIMWAL that hardcoded the LDAP credentials for the bind.

Again, thank you for your assistance.

@NileshGhodekar
Contributor

Hardcoding is a bad idea. You should look at updating the UI and the activity to take in the creds like RunPowerShell activity does and then send a pull request for MIMWAL.

@JayVDZ
Contributor

JayVDZ commented Jun 4, 2020

Definitely recommend doing as Nilesh says. You'll not only be able to support MIM more easily internally, as no developer changes will be required when your creds get changed, but you'll also have the benefit of being able to update your MIMWAL as we release new versions.
