Oracle & Active Directory : A love/hate relationship
I'm currently trying to access Active Directory via the dbms_ldap API in PL/SQL (Oracle). The trouble is that I'm not able to connect with my own username and password or anonymously.
However, in C# I can connect anonymously with this code :
using System.DirectoryServices;

// No credentials are passed here, so DirectoryEntry binds with the calling
// process's Windows identity (AuthenticationTypes.Secure), not anonymously.
DirectoryEntry ldap = new DirectoryEntry("LDAP://Hostname");
DirectorySearcher searcher = new DirectorySearcher(ldap);
searcher.Filter = "(SAMAccountName=username)";
SearchResult result = searcher.FindOne();
If I try to connect anonymously in Oracle, I only get the error (ORA-31202: LDAP client/server error) when I try to search (and the result code for the bind is SUCCESS)...
my_session := dbms_ldap.init('HOST','389');
retval := dbms_ldap.simple_bind_s(my_session, '', '');
retval := dbms_ldap.search_s(my_session, ldap_base, dbms_ldap.scope_subtree, 'objectclass=*', my_attrs, 0, my_message);
Why does the anonymous connection in C# work but not in PL/SQL? Do you have any other idea how to connect to Active Directory via Oracle?
Help me reunite them together.
Thanks.

Edit 1

When I bind with anonymous credentials I get: ORA-31202: DBMS_LDAP: LDAP client/server error
00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection
And if I try to connect with my credentials, which are supposed to be valid since I'm connected to the domain with them... I get:
ORA-31202: DBMS_LDAP: LDAP client/server error Invalid credentials
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error
Could it be possible that the Active Directory doesn't allow external LDAP actions like these ones?
Edit 2
Taking a look at the 'result' variable in C#, I get this value for the 'Path' property: LDAP://SERVER_OR_DOMAIN/CN=LAST_NAME\,FIRST_NAME,OU=OU1,OU=OU2,OU=OU3,OU=OU4,DC=SERVER_NAME,DC=EXT1,DC=EXT2

Maybe with this info you can help me solve the issue; it might be possible that the AD doesn't allow anonymous connections. Knowing the 'Path' property, what would be the 'ldap_base', 'ldap_user' and 'ldap_passwd'?
Solved the problem after a hard day scratching my head for a few hours.
AD doesn't allow anonymous access by default. Therefore, I had to find the correct 'distinguishedName' in order to get access (which is the long string without the 'LDAP://SERVER_OR_DOMAIN/').
If you ever encounter the '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error' error you should refer to this thread or this serverfault question.
Thanks for the help.
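The following PL/SQL block is an added example, not code from the original question or answer. It puts the answer together: the bind DN is the C# 'Path' value with the 'LDAP://SERVER_OR_DOMAIN/' prefix removed, 'ldap_base' is the 'DC=' tail of that same string, and the bind is authenticated because an anonymous simple bind against AD "succeeds" but is then refused at search time (the DSID-0C090627 error in Edit 1). The C# code in the question is not actually anonymous: a DirectoryEntry created without credentials binds with the calling process's Windows identity, which is why it works from a domain-joined machine. Host name, port, password and the account being searched are placeholders; the filter-escaping helper is the author's own addition so that the looked-up account name cannot rewrite the search filter (LDAP filter injection). Active Directory also accepts a userPrincipalName (user@domain) as the bind identity for a simple bind, if the full DN is awkward to obtain.

```sql
DECLARE
  -- Placeholder connection values (hypothetical), derived from the 'Path' in Edit 2:
  -- bind DN  = Path without the 'LDAP://SERVER_OR_DOMAIN/' prefix
  -- base DN  = the 'DC=' components at the end of the Path
  ldap_host   VARCHAR2(256)  := 'SERVER_OR_DOMAIN';
  ldap_port   PLS_INTEGER    := 389;   -- use 636 + DBMS_LDAP.open_ssl for LDAPS
  ldap_user   VARCHAR2(1024) := 'CN=LAST_NAME\,FIRST_NAME,OU=OU1,OU=OU2,OU=OU3,OU=OU4,DC=SERVER_NAME,DC=EXT1,DC=EXT2';
  ldap_passwd VARCHAR2(256)  := 'secret';                         -- placeholder
  ldap_base   VARCHAR2(256)  := 'DC=SERVER_NAME,DC=EXT1,DC=EXT2';
  account     VARCHAR2(256)  := 'username';                       -- sAMAccountName to look up

  my_session  DBMS_LDAP.session;
  retval      PLS_INTEGER;
  my_attrs    DBMS_LDAP.string_collection;
  my_message  DBMS_LDAP.message;
  my_entry    DBMS_LDAP.message;
  my_ber      DBMS_LDAP.ber_element;
  attr_name   VARCHAR2(256);
  vals        DBMS_LDAP.string_collection;

  -- Escape a value for use inside an LDAP search filter (RFC 4515).
  -- Without this, an account name such as '*)(objectClass=*' changes the query.
  FUNCTION filter_escape(p IN VARCHAR2) RETURN VARCHAR2 IS
    r VARCHAR2(2048) := '';
    c VARCHAR2(1 CHAR);
  BEGIN
    FOR i IN 1 .. NVL(LENGTH(p), 0) LOOP
      c := SUBSTR(p, i, 1);
      r := r || CASE c
                  WHEN '\'    THEN '\5c'
                  WHEN '*'    THEN '\2a'
                  WHEN '('    THEN '\28'
                  WHEN ')'    THEN '\29'
                  WHEN CHR(0) THEN '\00'
                  ELSE c
                END;
    END LOOP;
    RETURN r;
  END filter_escape;
BEGIN
  -- Raise exceptions (ORA-31202 etc.) instead of silently returning error codes.
  DBMS_LDAP.use_exception := TRUE;

  my_session := DBMS_LDAP.init(ldap_host, ldap_port);

  -- Authenticated simple bind with the full distinguishedName.
  -- simple_bind_s(my_session, '', '') would return SUCCESS, but AD then rejects
  -- the search with "a successful bind must be completed on the connection".
  retval := DBMS_LDAP.simple_bind_s(my_session, ldap_user, ldap_passwd);

  my_attrs(1) := 'distinguishedName';
  my_attrs(2) := 'sAMAccountName';
  my_attrs(3) := 'memberOf';

  retval := DBMS_LDAP.search_s(my_session,
                               ldap_base,
                               DBMS_LDAP.SCOPE_SUBTREE,
                               '(sAMAccountName=' || filter_escape(account) || ')',
                               my_attrs,
                               0,
                               my_message);

  DBMS_OUTPUT.put_line('Entries found: ' || DBMS_LDAP.count_entries(my_session, my_message));

  my_entry := DBMS_LDAP.first_entry(my_session, my_message);
  WHILE my_entry IS NOT NULL LOOP
    DBMS_OUTPUT.put_line('DN: ' || DBMS_LDAP.get_dn(my_session, my_entry));
    attr_name := DBMS_LDAP.first_attribute(my_session, my_entry, my_ber);
    WHILE attr_name IS NOT NULL LOOP
      vals := DBMS_LDAP.get_values(my_session, my_entry, attr_name);
      IF vals.COUNT > 0 THEN
        FOR i IN vals.FIRST .. vals.LAST LOOP
          DBMS_OUTPUT.put_line('  ' || attr_name || ': ' || vals(i));
        END LOOP;
      END IF;
      attr_name := DBMS_LDAP.next_attribute(my_session, my_entry, my_ber);
    END LOOP;
    my_entry := DBMS_LDAP.next_entry(my_session, my_entry);
  END LOOP;

  retval := DBMS_LDAP.unbind_s(my_session);
EXCEPTION
  WHEN OTHERS THEN
    -- Drop the connection on any failure (a bad password raises here too),
    -- then re-raise so the caller sees the real ORA-31202 text.
    BEGIN
      retval := DBMS_LDAP.unbind_s(my_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RAISE;
END;
/
```

A simple bind sends the password in the clear on port 389, so in anything beyond a test the session should be switched to LDAPS (port 636) with DBMS_LDAP.open_ssl and an Oracle wallet holding the domain controller's CA certificate before calling simple_bind_s, and the bind account should be a low-privilege service account rather than a personal domain user. The 80090308 / DSID-0C090334 "AcceptSecurityContext" error from Edit 1 is AD's generic invalid-credentials response; with DBMS_LDAP it almost always means the bind DN is not the account's real distinguishedName (for example a bare username was passed where the full 'CN=...,OU=...,DC=...' string is required).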