dsbenghe / Novell.Directory.Ldap.NETStandard

.NET LDAP client library for .NET Standard >= 2.0, .NET Core >=1.0, NET5/NET6/NET7/NET8 - works with any LDAP protocol compatible directory server (including Microsoft Active Directory).
MIT License

How to debug a Search that's always resulting in "Connect Error 91" #169

Closed dotdiego closed 8 months ago

dotdiego commented 3 years ago

Hello,

I'm trying to use this library to get information about my users and validate their credentials. However, I'm always getting a "Connect Error 91" on this search.

I'm able to get what i want using DirectorySearcher/DirectoryEntry.

I have some code like this:

var searchFilter = $"(&(objectCategory=person)(objectClass=user)(sAMAccountName={accountName}))";
using (var connection = new LdapConnection())
{
    connection.Connect(myServer, LdapConnection.DefaultPort);
    connection.Bind(accountName, password);

    if (connection.Bound)
    {
        var me = connection.WhoAmI();          // works
        var schema = connection.GetSchemaDn(); // works
        // Search(base, scope, filter, attrs, typesOnly): the first argument is the search base DN
        var searchResults = connection.Search(myServer, LdapConnection.ScopeSub, searchFilter, null, false); // throws
    }
}

Does anyone have an idea how I can troubleshoot that issue and make that search work? I've used my server name in both formats: "LDAP://DC=name,DC=server,DC=my" and my.server.name

Regards,

Novell.Directory.Ldap.NETStandard version : 3.6.0

dsbenghe commented 3 years ago

You can always debug the library - in the end the source code is available.

AnthonyMastrean commented 3 years ago

We started seeing a similar issue after upgrading from 3.4.0 to 3.6.0. We connect to an Active Directory kind of like this...

using var connection = new LdapConnection() { Constraints = new LdapConstraints { ReferralFollowing = true }};
connection.Connect("dc.example.com", 389);
connection.Bind("cn=admin,ou=users,dc=example,dc=com", "password");

var results = connection.Search("dc=example,dc=com", LdapConnection.ScopeSub, "(&(objectClass=person)(objectClass=user)(sAMAccountName={username}))", null, typesOnly: false);

var entry = results.SingleOrDefault();

if (entry is not null)
{
    connection.Bind(entry.Dn, "{password}");
}

...

The Operations Error (91) would throw when we enumerated the search results. This is a very strange error because we could see that the connection was connected and bound and there were no relevant errors in the Active Directory event log.

"000004DC: LdapErr: DSID-0C090A7D, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839\0"

We started changing one thing at a time to try to get to the bottom of it and, at some point, we narrowed the search base by adding the users ou... and it started working?!

"ou=users,dc=example,dc=com"

We have no idea why... our Active Directory admin claims nothing has changed recently. The wider search base works on prior versions of this package.

We have not fully explored the server-side event logs yet or reproduced the issue with, say, ldapsearch.
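An added example (not code from the thread or from the library itself) of a lookup that avoids the failure mode described above: with ReferralFollowing enabled, a subtree search from the domain root makes the library follow Active Directory's continuation references to the DomainDnsZones/ForestDnsZones partitions on a new connection that lacks the original bind, and the server's refusal surfaces as the result 91 / 000004DC message quoted above. Here referral following stays at its default (off), the base DN is read from the RootDSE rather than guessed or replaced by a host name, and the account name is escaped before it is placed in the filter. Host name, service account and "jdoe" are placeholders.

```csharp
using System;
using System.Linq;
using System.Text;
using Novell.Directory.Ldap;

static class AdUserLookup
{
    // Escape a value placed inside an LDAP filter (RFC 4515 section 3) so that a
    // user-supplied account name cannot change the shape of the query.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (var c in value)
            sb.Append(c switch { '*' => @"\2a", '(' => @"\28", ')' => @"\29", '\\' => @"\5c", '\0' => @"\00", _ => c.ToString() });
        return sb.ToString();
    }
    // Read the domain's base DN from the RootDSE instead of guessing it or passing a host name.
    static string DefaultNamingContext(LdapConnection conn) =>
        conn.Search("", LdapConnection.ScopeBase, "(objectClass=*)", new[] { "defaultNamingContext" }, false)
            .First().GetAttribute("defaultNamingContext").StringValue;
    static LdapEntry FindUser(LdapConnection conn, string baseDn, string accountName)
    {
        var filter = $"(&(objectCategory=person)(objectClass=user)(sAMAccountName={EscapeFilterValue(accountName)}))";
        var results = conn.Search(baseDn, LdapConnection.ScopeSub, filter, new[] { "distinguishedName" }, false);
        LdapEntry match = null;
        while (results.HasMore())
        {
            try
            {
                var entry = results.Next();
                if (match != null) throw new InvalidOperationException($"more than one entry for {accountName}");
                match = entry;
            }
            catch (LdapReferralException)
            {
                // Default constraints leave ReferralFollowing off, so AD's continuation references
                // arrive here instead of being chased on an unauthenticated connection; they hold no user objects.
            }
        }
        return match;
    }
    static void Main()
    {
        using var conn = new LdapConnection();                 // placeholder host and credentials
        conn.Connect("dc.example.com", LdapConnection.DefaultPort);
        conn.Bind("svc-lookup@example.com", "<service-account-password>");
        var user = FindUser(conn, DefaultNamingContext(conn), "jdoe");
        Console.WriteLine(user?.Dn ?? "no such user");
    }
}
```

If the narrower base from the comment above ("ou=users,dc=example,dc=com") is already known, pass it instead of the RootDSE value; the search then never crosses a partition boundary and no references are returned at all.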

avineshwar commented 1 year ago

Can you experiment using anything lower than TLS 1.2? Say, TLS 1.1?

Make sure any deprecated methods are not being used.

@AnthonyMastrean @dotdiego