Using LDAP Search to test ESP authentication

When troubleshooting issues it may be useful to test user credentials directly against the LDAP server.

There are two main ways of doing this; ldp.exe, which is included on Windows Server, and Ldapsearch utility, which can be installed on Linux. Ldapsearch replicates requests sent by the LoadMaster.

These are the credentials used in the following examples:

Domain: contoso.com
Domain-Controller: 10.110.0.150
Username: bgleeson
Password: 2fourall

 

LDP.EXE

First, use the ldp.exe program in Windows Server. This is most useful for testing the username/password in Bind Request.

  1. In the command prompt, type ldp.exe.
  2. In the Connect dialog box,  enter the LDAP server IP address and port.
  3. Select Bind with Credentials as the Bind type.

To examine the connection in Wireshark, untick Encrypt traffic after bind.

Successful BIND:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='bgleeson'; Pwd=<unavailable>; domain = 'contoso.com'}
Authenticated as: 'CONTOSO\bgleeson'.

Unsuccessful BIND:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='bgleeson'; Pwd=<unavailable>; domain = 'contoso.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0
Error 0x8009030C The logon attempt failed

 

LDAP Search

Install ldapsearch on Linux. In this example we are using Ubuntu.

apt-get install ldap-utils
 
Alternatively, download ldapsearch here.
 
For simple Bind Query, run the following command:
ldapsearch -H ldap://10.110.0.150 -D "bgleeson@contoso.com" -w 2fourall
 
The text in red should be changed to the relevant values, as needed.
 
Successful BIND:
root@user-virtual-machine:~# ldapsearch -H ldap://10.110.0.150 -D "bgleeson@contoso.com" -w "2fourall"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
text: 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, bes
t match of:
''


# numResponses: 1
 
Unsuccessful BIND:
root@user-virtual-machine:~# ldapsearch -H ldap://10.110.0.150 -D "bgleeson@contoso.com" -w "wrongpassword"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0
root@user-virtual-machine:~#
 
 
For a Group Membership Query (when permitted groups are being used), run the following command
 
(Note the below Example applies to Firmware <7.1-30. Firmware 7.1-30 on see below)
 
Pre 7.1-30
ldapsearch -H ldap://10.110.0.150 -D "bgleeson@contoso.com" -b "dc=contoso,dc=com" -w 2fourall "(&(objectclass=user)(userprincipalname=bgleeson@contoso.com))"  memberof primarygroupid &
 
 
Example
root@user-virtual-machine:~# ldapsearch -H ldap://10.110.0.150 -D "bgleeson@contoso.com" -b "dc=contoso,dc=com" -w 2fourall "(&(objectclass=user)(userprincipalname=bgleeson@contoso.com))" memberof primarygroupid
# extended LDIF
#
# LDAPv3
# base <dc=contoso,dc=com> with scope subtree
# filter: (&(objectclass=user)(userprincipalname=bgleeson@contoso.com))
# requesting: memberof primarygroupid
#

# Barry Gleeson, Users, contoso.com
dn: CN=Barry Gleeson,CN=Users,DC=contoso,DC=com
memberOf: CN=Group2,CN=Users,DC=contoso,DC=com
memberOf: CN=Group1,CN=Users,DC=contoso,DC=com
primaryGroupID: 513

# search reference
ref: ldap://ForestDnsZones.contoso.com/DC=ForestDnsZones,DC=contoso,DC=com

# search reference
ref: ldap://DomainDnsZones.contoso.com/DC=DomainDnsZones,DC=contoso,DC=com

# search reference
ref: ldap://contoso.com/CN=Configuration,DC=contoso,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
 
7.1-30 + 
 
As Per Updated Group Check:
 
(&(samAccountType=805306368)(|(memberOf=<group1-DN>)(memberOf=<group1-DN>)..(group<N>-DN))(samaccountname=<username>))
and
(&(samAccountType=805306368)(|(memberOf=<group1-DN>)(memberOf=<group1-DN>)..(group<N>-DN))(userPrincipalName=<userUPN>))
 
Example:
2 Allowed groups: GroupA; GroupB
User: bgleeson@contoso.com
 
New LDAP-query:
(&(samAccountType=805306368)(|(memberOf=CN=GroupA,OU=Groups,OU=RDE,DC=contoso,DC=com)(memberOf=CN=GroupB Access,OU=Groups,OU=RDE,DC=contoso,DC=com))(userprincipalname=bgleeson@contoso.com))
 
 
 
To capture the requests in a TCPDUMP, run the following command:
 
tcpdump -s 0 -i any port 389 -w LDAP_tests_file.pcap &
 
The & at the end means you can continue using your Linux shell.
 
ldapsearch -H ldap://10.110.0.150 -D "bgleeson@contoso.com" -b "dc=contoso,dc=com" -w 2fourall "(&(objectclass=user)(userprincipalname=bgleeson@contoso.com))"  memberof primarygroupid 
 
Then you can kill the TcpDump: (Grep for the TCPDump process and kill it.)

root@user-virtual-machine:~# ps | grep tcpdump
23646 pts/10   00:00:00 tcpdump
root@user-virtual-machine:~# kill 23646
root@user-virtual-machine:~# 32 packets captured
33 packets received by filter
0 packets dropped by kernel
[1]+  Done                    tcpdump -s 0 port 389 -i any -w LDAP2.pcap
 
root@user-virtual-machine:~# ls -rlt
total 20
drwxr-xr-x 2 root root 4096 Jul 29  2014 downloads
-rwxr-xr-x 1 root root  906 Jul 30 17:24 testscript
-rw-r--r-- 1 root root 8007 Jul 30 17:28 LDAP.pcap
-rw-r--r-- 1 root root 3801 Jul 30 17:37 LDAP2.pcap
 
 
You should now be able to open LDAP2.pcap to view in Wireshark.

 

 

Client Certificates.

 

Logon to Windows Server on customer Network
run LDP.EXE

Connection - BIND

1. define the server.

2. Bind with Credentials. The User should be that defined in the Client Cert SSO Config on Loadmaster - LDAP Administrator.

Password - Password configured on LM Domain- Domain defined

this should bind successfully.

3. Next we need to search for the User as defined in the Certificate under Subject name. e.g. userprincipalname=user.name@domain.com

BROWSE-Search

Base DN: dc=domain,dc=com
Filter: (userprincipalname=user.name@domain.com)
Scope: Base

Attributes: name;cn;

Was this article helpful?

1 out of 1 found this helpful

Comments