LDAP Test App

Owned by Jonathan Schmale
Last updated: Oct 02, 2023

https://www.bannisterlake.com/dl/installs/Chameleon/_Utilities/ldap/LDAPTest_1.6.zip

In an effort to help debug LDAP connection issues - and be able to test without using Flow - an app has been created that uses code that is very similar to what is found in Flow.

Using the App

The app is currently available for download as a simple zip which you unpack into a folder and run the exe.

The app allows you to test the basic LDAP functionality required by Flow to allow users to login.

Default Settings

When the app starts it may launch with default values to test against a public LDAP server.

Use a Standard Setting for an Input

Some of the fields have samples of default settings that you can apply by clicking on them. For example click on any of the cn, uid or sAMAccountName options to apply it to the User Attribute text box.

Use Your Existing Flow Settings

If you want to use your existing settings from Flow

  1. Enter your Flow URL in the bottom left corner text box (if different from the default)

  2. Press the Get Settings from Flow button.

  3. Confirm you want to apply the settings to the app

This will not pull in the password of the Search User - you will have to enter the password after applying the changes from Flow.

If you don’t provide a password for the search user and you try to use the Test Search User button you may get a message with an error reported like the following:

=========== LDAP TEST SEARCH USER ============ IsUserValid: Check if this user and password is valid. IsUserValid: DN: cn=read-only-admin,dc=example,dc=com IsUserValid: Attempt to connect to Host: ldap.forumsys.com Port: 389 with the user DN and pwd and Use SSL: No Client Cert: No LDAP user auth error: System.DirectoryServices.Protocols.DirectoryOperationException: The server cannot handle directory requests. at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential) at LDAPTest.LdapHelper.IsLdapUserValid(LdapServer s, String userDn, String userPwd, List`1 log) IsUserValid: Exception: LDAP user auth error. Message: The server cannot handle directory requests.

Settings for LDAPS

To use LDAPS you will want to

  • use port 636

  • activate the Use SSL option.

  • make sure your host name corresponds with your certificate.

To get the certificate information

  • enter the correct host name

  • select port 636

before pressing the Check Certificate button.

Troubleshooting LDAPS

  1. You need to confirm basic network connectivity (no firewall in the way). To test this, you can use PowerShell's Test-NetConnection: (change the ldap.domain.com to your address)

Test-NetConnection ldap.domain.com -Port 636

  1. The Search user name may need to take the format Domain\UserName.

  2. The certificate needs to be trusted by the client machine. You can use the Check Certificate button to view basic info and it also saves a local copy of the certificate for you to view and verify manually. Open the .cer file and it should tell you right away if it's trusted on your machine. If not, then you will need to obtain the root certificate and install it as a Trusted Root Certificate on any machine where this code runs.

 

  1. The fully-qualified domain name you are using to connect to AD must match the SSL certificate exactly (or one of the "Subject Alternative Names" of the cert). Sometimes, the cert will be issued in the name of the domain controller (e.g. dc1.domain.com), in which case, you must target that specific DC ("LDAP://dc1.domain.com:636") instead of just the name of the domain.

  2. Some Microsoft links:

    1. https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority

    2. https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ldap-over-ssl-connection-issues?source=recommendations

Active Directory Specific Test Options

If you are using Active Directory with Domain Controllers as your setup then there are a couple extra test options in the app that can be used.

AD Login Test

The first is the AD Login Test button that uses a different method to verify the user and password given. It doesn’t require the use of the Search User. Note that this method is not currently available in Flow (2023-09-27).

RootDSE Info

The other Active Directory specific test feature is the RootDSE Info button. It doesn't use any settings from the app. It provides a list of property values including:

  • Default naming context

  • Server name

  • DNS host name

Sample Successful Results

Successful Connection Test Result

=========== LDAP TEST CONNECTION ============ Test Connection: Host: ldap.forumsys.com Port: 389 Use SSL: No Client Cert: No BaseDN: dc=example,dc=com Test Connection: LDAP://ldap.forumsys.com:389/dc=example,dc=com Test Connection: SUCCES!

Successful Test Search User Result

Successful Check Certificate Result

Successful Test User Login Result