
Connecting to Active Directory binding credentials

Started by captain karisma, 28 Apr 2008 01:33:40 AM


captain karisma

Hi guys,

Was wondering if someone who has successfully plugged into AD can offer some advice.

When I leave binding credentials empty, I can log onto Cognos Connection using my domain user/password. In the Cognos 8 admin security for AD, I can see everything.

When I enter my DOMAIN USERNAME/password as the binding credentials, it has the same properties as anonymous above.

When I try to enter binding credentials in the format CN=DOMAIN USERNAME , CN=users ,DC=domain , DC=com
it fails to authenticate.
However, I can log into the AD via ldapbrowser using CN=DOMAIN USERNAME , CN=users ,DC=domain , DC=com  and navigate around.
But a test in Cognos Configuration reveals "credentials are invalid".

Cognos 8 is started as a domain service. Domain operations set to native and have set the DOMAIN USERNAME account
to be trusted for delegation.
Also, logging in as CN=administrator , CN=users ,DC=domain , DC=com  gives "credentials are invalid" as well.

Can anyone pinpoint what I'm missing? Thx in advance for any info.

ducthcogtechie

Just a small step back; what are you trying to achieve?

captain karisma

Hi, just to connect C8 to Active Directory without anonymous bind

captain karisma

The fully qualified credentials work on a Windows 2003 machine but not Windows XP, I have found

ducthcogtechie

Quote from: captain karisma on 28 Apr 2008 06:15:09 PM
Hi, just to connect C8 to Active Directory without anonymous bind

The fact that you can connect with an anonymous bind means that your AD is configured to allow this. Any person plugging in a laptop in your network can drain your AD with ldp.exe. So for security you need to go to the AD administrator.

As for your C8 server: when anonymous binding is allowed, your user will authenticate faster. (With a bind user you do a bind, an unbind and a new bind with the user's credentials.)
So the only reason to use a bind user when anonymous is allowed would be to protect your C8 administrator from browsing the complete AD. For that you need him/her to enter the AD with inside the bind user the OU= part. (And I hope all users are inside that OU.)

Make sure there are no typos in the string:
CN=DOMAIN USERNAME , CN=users ,DC=domain , DC=com
Could be:
cn=Adminstrator, cn=Users, dc=Company, dc=Com

(The above assumes a default AD with users not stuck in a dedicated OU.)

captain karisma

We have 1 domain.

I connected using cn=User , ou=my team , dc=domain , dc=com

But I can see the whole domain structure in Cognos security. Basically the same as I see when I log in as anonymous.

I was under the impression that I *should* only be seeing the "my team" folder, not every folder. Am I correct in this assumption?

ducthcogtechie

I know for sure that should happen when you connect with an LDAP connector, but I am not sure with the AD connector. Any chance you can log the question with Cognos support?

captain karisma

Hi dutch,

I think u are 100% spot on. In Cognos 8 LDAP connecting to AD, when I put the base DN to, say, ou=test, dc=domain, dc=com and I log in as a user in ou=test, I see ONLY the ou=test folder.

In AD, there is no way you can specify a base DN, so you can't specify the level to which you can see.
Bind user only indicates where you can search; it doesn't hide anything.

Thx for the tips.
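
The following is an added example, not part of the thread and not Cognos or Active Directory code. It models the observation in the last post: what a directory search lists follows the search base DN, while the bind DN only names the account that searches. The directory entries are constructed, the function names `parse_dn`, `in_scope` and `visible` are hypothetical, and directory ACLs are not modelled.

```python
import re

# Constructed sample directory (not from the thread's real AD).
DIRECTORY = [
    "CN=alice,OU=test,DC=domain,DC=com",
    "CN=bob,OU=my team,DC=domain,DC=com",
    "CN=Administrator,CN=Users,DC=domain,DC=com",
]

def parse_dn(dn):
    """Return a DN as normalized (attribute, value) pairs, leftmost RDN first.

    Tolerates the stray spaces around ',' and '=' seen in the thread and
    backslash-escaped commas. Multi-valued RDNs ('+') are not handled.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def in_scope(entry_dn, base_dn):
    """True when entry_dn is base_dn itself or lies beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def visible(entries, base_dn, bind_dn):
    """Entries a subtree search from base_dn returns (ACLs not modelled).

    bind_dn is only validated: it names who is searching and does not
    narrow the search.
    """
    parse_dn(bind_dn)
    return [e for e in entries if in_scope(e, base_dn)]

if __name__ == "__main__":
    bind = "cn=bob , ou=my team , dc=domain , dc=com"
    # Search rooted at the domain: the whole tree is listed.
    print(visible(DIRECTORY, "dc=domain, dc=com", bind))
    # Search rooted at ou=test: only that subtree is listed.
    print(visible(DIRECTORY, "ou=test, dc=domain, dc=com", bind))
```

Restricting what a given bind account can read is a matter of permissions on the directory objects, which this model leaves out.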