Active Directory in 601

I am attempting to read user/group information from MS Active Directory and use AD credentials to authenticate to webMethods IS (Admin screen). I have partially gotten this to work, but am still having a few problems that I am hoping someone may be able to help resolve. I have followed all instructions in the white paper on this. The current status is that IS is able to pull user and group information from AD. I have added the groups to the appropriate IS ACLs. I can authenticate correctly when using Cn as the Password attribute (as specified in the white paper) in JNDI. However, the Cn attribute is nothing more than the username again, thus making the username/pass the same. I believe the actual pass is housed in the unicodePwd attribute in AD, but need that confirmed. When I use that attribute the error displays “cannot read LDAP password for user xxxxxx.”
I realize that a few of the JNDI settings are site specific, but the majority should be standard. The best way to answer this would be as follows: you are installing a brand new DC (new domain, new forest) from scratch, with free rein over the DC. Desired wM groups have been placed in an OU called ISGroups. Desired wM users have been placed in an OU called ISUsers. How would you set up JNDI? Are there mods to AD that need to be made (pwd format, etc.)?
Any help that forum users can give would be greatly appreciated. Thanks, mc

Yes, the password is housed in the unicodePwd attribute in Active Directory. Unfortunately the password attribute is not accessible in Active Directory unless the LDAP connection is using SSL. But webMethods IS does not support SSL LDAP connections. So you have to use some other attribute as a password substitute.

Even if the attribute is accessible, IS would still not be able to use it, as it would be encrypted and would not match the password entered by the user.

Hi Matt,

If you’re attempting to authenticate a user against an LDAP-compliant directory (such as Active Directory), you should be using an LDAP BIND operation to accomplish this. Rather than attempting to retrieve the password from your directory server, you should authenticate (or bind) to the directory using the DN of the user logging in.

Typically, we first perform an LDAP BIND as a user with the ability to search the entire user directory (many LDAP servers impose search limitations for anonymous users). We then execute an LDAP SEARCH in order to confirm existence of the account and locate the DN of the user attempting to log in. Finally we perform a second LDAP BIND, this time as the individual user. A failed bind will indicate the authentication was unsuccessful.

Remember, a directory server can store user passwords using any encryption mechanism it desires. Most of them use one-way hash algorithms that prevent the actual passwords from being decrypted.

The LDAP BIND is the way to go. I’ve provided a link to a tutorial on the Sun website which you may find helpful:

LDAP Authentication (JDK 19 Documentation - Home)

Regards,
-jmh
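The bind-search-bind sequence described above, as an added JNDI example that is not from this thread or the white paper; the DC host, service account DN, base OU and the SVC_LDAP_PW environment variable are assumed values, and it uses plain ldap:// only because the thread says IS cannot use SSL, so the bind passwords travel unencrypted on the wire.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class AdBindAuth {
    // Assumed values: a lab DC, a read-only service account and the ISUsers OU from the question.
    static final String URL = "ldap://dc1.example.local:389";
    static final String SVC_DN = "CN=svc-ldap,OU=ISUsers,DC=example,DC=local";
    static final String SVC_PW = System.getenv("SVC_LDAP_PW");
    static final String BASE = "OU=ISUsers,DC=example,DC=local";

    // Simple bind; throws AuthenticationException when the directory rejects the credentials.
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // RFC 4515 escaping so a typed login name cannot alter the search filter.
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }

    /** True only if the account exists under BASE and a bind as its DN succeeds. */
    static boolean authenticate(String login, String password) throws NamingException {
        // An empty password is an anonymous (unauthenticated) bind and would "succeed".
        if (password == null || password.isEmpty()) return false;
        DirContext svc = bind(SVC_DN, SVC_PW);                 // first bind: service account
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);          // we only need the DN
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(login) + "))";
            NamingEnumeration<SearchResult> r = svc.search(BASE, filter, sc);
            if (!r.hasMore()) return false;                    // unknown account
            String userDn = r.next().getNameInNamespace();     // search: locate the user's DN
            try { bind(userDn, password).close(); return true; } // second bind: as the user
            catch (AuthenticationException e) { return false; }  // wrong password, disabled, locked
        } finally { svc.close(); }
    }
}
```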

Hi JMH,

Do you know how to perform this BIND from wM to AD, to do some queries? Do you have an example for me?

Kind regards.

PAL

I’m attempting to use a third party device to authenticate against AD credentials but do not want to do an ldap bind. I want to extract the hash (as in a challenge) to authenticate the userid/pw at the device.
Above it was mentioned that the PW could be retrieved using an SSL connection. Can anyone explain the process to extract this hashed password?

Has anyone had success with AD and wM integration using LDAP? I am able to get user name and group information from AD. However, if I authenticate using the password attribute I cannot get any user validated!

Anyone with success please email me rustom@shaw.ca (urgent). Thanks.

Hi Rustom,

Can you specify the JNDI parameters in the Administrator settings you configured to connect to LDAP with wM?

I too have the same need to connect to LDAP…

regards
bluesea

Active Directory does not store the password at all, the only thing you can do with a password is to set it, and this must be done over a secure channel (SSL). You must do a BIND to determine whether the credentials are valid.

See the technical note “Using LDAP and Active Directory” on how to do this on the Advantage web site under Best Practices->Product Security Information.

I want to integrate Active Directory with a database. How can I go about this, i.e., which adapters to use, etc.?