ADSI Extender LDAP problem

I've written a very simple script to determine whether a specific server is responding to LDAP requests.

I'm querying two Domain Controllers running Windows 2003 SP2.

The script works as long as I'm executing it on one of the two Domain Controllers itself.
As soon as I'm executing it from another machine (Windows 7), no matter whether it's a domain member or not, I'm getting "1074 Local error occurred" at the DsIsContainer line.


#DefineSubroutine SetLDAPCredentials()

   slc_User="CN=xxxxxx,OU=Dienste,OU=LAN Benutzer,OU=People,DC=els1,DC=els-m68,DC=net"
   ;dsSetCredentX(slc_User,slc_Password,1 | 2)


#DefineSubroutine SelectLDAPServer()


While IsDefined(LDAP_Server%sls_Counter%)

   sls_ADSIpath=StrCat("LDAP://",LDAP_Server%sls_Counter%,"/CN=ELS-1 Netzwerk,OU=FW Devices,OU=People,DC=els1,DC=els-m68,DC=net")


   If sls_Result Then Message("sls_Result",StrCat("LDAP is OK on Server ",LDAP_Server%sls_Counter%))




So everything is explicitly defined. Any idea why this wouldn't work on machines other than the DCs?
And what does "local error" mean?

Generally, this type of error is the result of either not having sufficient permissions to access the targeted object (being a Domain Admin does not necessarily mean you have permission) or not being able to resolve the server/domain name via DNS. Without knowing more about the topology and configuration of your network, it is difficult to determine if one of these or some other problem is causing the error.

The container interface is one of several ADSI interfaces that produces additional error information. The extender writes the additional error information into the wwwbatch.ini file. Since you are on Windows 7, the wwwbatch.ini file can be found in the <system drive>:\Users\<user account name>\AppData\Roaming\WinBatch\Settings directory. Look for the [ADSI Extender] section in the file. The file can have a lot of white space, so make sure you keep scrolling until you find the section or reach the bottom of the file. The [ADSI Extender] section looks something like this:

[ADSI Extender]
ErrorText=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Provider=LDAP Provider

If you find the [ADSI Extender] section post it here and we might be able to figure out what is going on.


The section looks exactly as you pasted it.

[ADSI Extender]
ErrorText=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Provider=LDAP Provider

The above is a copy from my wwwbatch.ini file.

What does this mean?

As far as I understood, I'm providing credentials to the extender, thus the extender will use the provided credentials to bind to the LDAP server and it should not play any role whether the local machine and/or user is member of the domain or not.

And why does the exact same script work like a charm when I execute it on the domain controller itself, and not from a member workstation (Win 7) to which I'm logged in with the same user account as on the domain controller?

And by the way, I have another version of this script making use of LDIFDE.EXE that uses exactly the same credentials for the LDAP bind. And that works from whatever machine I try, even from my personal workstation, which has no relationship to the target domain at all.

I need to offer an apology. I should have had you clear the [ADSI Extender] section of the wwwbatch.ini file before running your script. That way we will know that the error is the result of your current problem and not some error lingering from a previous problem. So first you need to clean out your wwwbatch.ini file, rerun your script and report back the ADSI extender related contents of the file.

If your current problem involves credentials, it is likely either an issue with the authentication method you are using or the format of the credentials themselves, e.g., switching from samaccountname to domain\samaccountname or UPN.  The extender doesn't do a lot of hand holding by defaulting, and requires a modicum of understanding of how the LDAP protocol is implemented on Windows servers and how your servers are configured. 
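To make the [ADSI Extender] diagnostics above actionable without reading the file by eye, here is an added Python example (not WinBatch code, and not part of the thread or the extender) that reads the section out of a wwwbatch.ini, splits the ErrorText into HRESULT, DSID, comment and data code, and maps the data code to the account condition Active Directory is reporting; data 525 is the standard AD code for "user not found". It also classifies which credential syntax a username uses (DN, DOMAIN\user, UPN or bare sAMAccountName, the alternatives discussed in this thread) and names the ADSI authentication flag bits in the extender's 1 | 2. The ini text is a constructed sample copied from the thread's posted section; the data-code and flag tables are the standard Active Directory and ADSI values. The function names are my own.

```python
import configparser
import re

# Constructed sample of a wwwbatch.ini containing the [ADSI Extender] section
# exactly as quoted in the thread (not a capture from a live system).
SAMPLE_WWWBATCH_INI = """\
[Main]
Foo=bar

[ADSI Extender]
ErrorText=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Provider=LDAP Provider
"""

# "data NNN" sub-codes Active Directory appends to an AcceptSecurityContext
# bind failure (hex, exactly as the DC prints them).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# HRESULTs commonly seen in front of the LdapErr text.
HRESULT_NAMES = {
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80072030: "ERROR_DS_NO_SUCH_OBJECT",
}

# ADSI authentication flags (ADS_AUTHENTICATION_ENUM); the thread's 1 | 2 is
# secure (SSPI) authentication plus encryption.
ADS_AUTH_FLAGS = {
    0x1: "ADS_SECURE_AUTHENTICATION",
    0x2: "ADS_USE_ENCRYPTION",
    0x4: "ADS_READONLY_SERVER",
    0x10: "ADS_NO_AUTHENTICATION",
    0x20: "ADS_FAST_BIND",
    0x40: "ADS_USE_SIGNING",
    0x80: "ADS_USE_SEALING",
    0x200: "ADS_SERVER_BIND",
}

ERROR_RE = re.compile(
    r"^(?P<hr>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>.*?),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def read_adsi_section(ini_text):
    """Return the [ADSI Extender] section of a wwwbatch.ini as a dict, or None."""
    # Only "=" is a delimiter: the error text itself contains ":" characters.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    if not cp.has_section("ADSI Extender"):
        return None
    return {
        "ErrorText": cp.get("ADSI Extender", "ErrorText", fallback=""),
        "Provider": cp.get("ADSI Extender", "Provider", fallback=""),
    }


def decode_error_text(error_text):
    """Split the extender's ErrorText into its parts and explain the data code."""
    m = ERROR_RE.search(error_text.strip())
    if not m:
        return {"raw": error_text, "meaning": "unrecognised error format"}
    hr = int(m.group("hr"), 16)
    data = m.group("data").lower()
    return {
        "hresult": hr,
        "hresult_name": HRESULT_NAMES.get(hr, "unknown HRESULT"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown data code"),
    }


def classify_username(name):
    """Name the credential syntax a bind username uses."""
    if re.match(r"^\s*(cn|ou|dc|o|uid)=", name, re.IGNORECASE):
        return "distinguished name"
    if "\\" in name:
        return "DOMAIN\\sAMAccountName"
    if "@" in name:
        return "UPN (user@domain)"
    return "bare sAMAccountName"


def describe_auth_flags(flags):
    """Expand an ADSI authentication flag value into its named bits."""
    names = [n for bit, n in sorted(ADS_AUTH_FLAGS.items()) if flags & bit]
    leftover = flags & ~sum(ADS_AUTH_FLAGS)
    if leftover:
        names.append(hex(leftover))
    return names


if __name__ == "__main__":
    section = read_adsi_section(SAMPLE_WWWBATCH_INI)
    info = decode_error_text(section["ErrorText"])
    print(f"{info['hresult_name']} / data {info['data']}: {info['meaning']}")
    print("flags 1|2 =", describe_auth_flags(1 | 2))
```

Run it against the real file by replacing SAMPLE_WWWBATCH_INI with the contents of %APPDATA%\WinBatch\Settings\wwwbatch.ini, after clearing the section and re-running the script as the answer above suggests, so the decoded error belongs to the current failure.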

I cleared the ADSI Extender section and did a fresh run.
Here's the result:

[ADSI Extender]

ErrorText=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Provider=LDAP Provider

But that was a good point on the format of the credentials. If I specify the username as DOMAIN\USERNAME or just USERNAME, it seems to work.
But why is this? Why does it work from a Windows 2003 domain controller and not from a Windows 7 domain member if I specify LDAP style credentials?
What I try to understand is how this extender is implemented. And to me it looks as if the version of the local operating system has some influence on the behaviour.
Since I'm able to detect the local OS version, I would be able to handle that, but since I'm not able to test each and every version, I need to understand what to expect on the different OSes...


