I can get a connection to ldap.forumsys.com
username is "uid=einstein,dc=example,dc=com"
password is "password"
TLdapClient.Connect - works
TLdapClient.Connect(false) - works
TLdapClient.Bind - works
TLdapClient.Connected(True) - works
TLdapClient.GetUserInfo - throws an exception error.
It seems to error out in
procedure TLdapClient.RetrieveRootDseInfo;
..
..
fRootDN := root.Attributes.GetByName('rootDomainNamingContext');
..
..
because root itself is NIL when I inspect it.
Using Delphi 12.3 and latest mORMot2 as of today.
What would be the trouble of asking for a simple demo program to connect to this free test server service?
To connect, bind, GetUserInfo then do
var LDAPProperties := LDAP.SearchAll([], ObjectFilter(ofUsers, getUserNameOnly(self.Username.text)),
  [roCanonicalNameAtRoot, roSortByName, roSddlKnownUuid, roAutoRange, roKnownValuesAsArray]);
To get the JSON dump of this info?
Also, I am struggling to know when to do what when it comes to this login process.
I have some AD LDAP servers, where user just types in an email address and works fine.
But when/when do I deal with cases where a person would have to type in something like "uid=einstein,dc=example,dc=com"
A bit wordy? Has to be something easier? Or is this because of just a goofy test server setup requiring this for some reason?
Is there an example of a login process that would basically handle any and all possible login types?
Or maybe a good guide? As I have zero clue what people will be using. Or their setups.
And need to make it work as best as possible with any LDAP configuration. No matter how goofy it is.
Last edited by jdredd (2025-03-31 18:18:57)
Offline
Using LDP.exe I can do some stuff...
Dn: uid=einstein,dc=example,dc=com
cn: Albert Einstein;
mail: einstein@ldap.forumsys.com;
objectClass (4): inetOrgPerson; organizationalPerson; person; top;
sn: Einstein;
telephoneNumber: 314-159-2653;
uid: einstein;
userPassword: {sha}W6ph5Mm5Pz8GgiULbPgzG37mj9g=;
Offline
I have fixed the exception with
https://github.com/synopse/mORMot2/commit/a0e1c8e0c
But there is clearly something weird with this server.
It can't return its own root objects, whereas any real server we tested actually does (perhaps hundreds of production servers).
I am currently on holidays, so I can't debug more but I guess this server needs some adaptation in our code (perhaps retrieve the root objects one by one?).
Try with a real LDAP server.
Just the fact that you can connect to this server with plain Bind and without TLS is clearly a sign that it is not a production-like server.
Offline
Thanks! I will check it out. I only stumbled across this due to trying to test against NON ADFS LDAP servers. All I have at my disposal is AD LDAP servers, so wanted to try something different.
Are there other "free" test servers you know of and can recommend to hit up?
Offline
Well.. it doesn't blow up now.
But I have no user info either.
Not sure what I can do to get that.
I have a user out in the wild having the same problem.
But fighting on getting what kind of LDAP server setup they even have.
Expanding base 'uid=einstein,dc=example,dc=com'...
Getting 1 entries:
Dn: uid=einstein,dc=example,dc=com
cn: Albert Einstein;
mail: einstein@ldap.forumsys.com;
objectClass (4): inetOrgPerson; organizationalPerson; person; top;
sn: Einstein;
telephoneNumber: 314-159-2653;
uid: einstein;
Not 100% sure what LDP.exe is doing to pull that, but would need to do the same I think.
Offline
ldap.Search('uid=einstein,dc=example,dc=com', False, '(objectclass=*)', ['*']);
Then using LDAP.SearchResult.Dump
results: 1 in 15.96ms
0:
objectName : uid=einstein,dc=example,dc=com
objectClass :
- inetOrgPerson
- organizationalPerson
- person
- top
userPassword : {sha}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
cn : Albert Einstein
sn : Einstein
uid : einstein
mail : einstein@ldap.forumsys.com
telephoneNumber : 314-159-2653
Also using LDAP.SearchResult.GetJson
{
"uid=einstein,dc=example,dc=com": {
"objectName": "uid=einstein,dc=example,dc=com",
"objectClass": [
"inetOrgPerson",
"organizationalPerson",
"person",
"top"
],
"userPassword": "{sha}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
"cn": "Albert Einstein",
"sn": "Einstein",
"uid": "einstein",
"mail": "einstein@ldap.forumsys.com",
"telephoneNumber": "314-159-2653"
}
}
This might get me by maybe.. if GetUserInfo fails... ?
Offline
Well after a bunch of work, I have some stuff I did to give to a user to see how things react.
Crossing fingers
Offline
I managed to get more information from this LDAP server.
With some commits like
https://github.com/synopse/mORMot2/commit/8511d7505
https://github.com/synopse/mORMot2/commit/d05742890
https://github.com/synopse/mORMot2/commit/0141623ec
Note that the "Users" in this LDAP server do not follow typical/standard attributes practice.
The official documentation states that users should be found via (&(objectCategory=person)(objectClass=user)) or (sAMAccountType=805306368).
We used the latter, which is well known, and officially told to be faster to lookup.
https://learn.microsoft.com/en-us/archi … s#examples
Sadly, the "users" in this LDAP server do not follow it and have no sAMAccountType nor objectClass=user attributes defined. So our GetUserInfo() function does not work as expected.
Now, on my side I can access this ldap.forumsys.com server and retrieve its content.
For instance
v := SearchAllRaw('', '', [], []);
FileFromString(_Safe(v)^.ToJson('', '', jsonHumanReadable), 'Search.json');
returns https://gist.github.com/synopse/c5e1f4c … 3a75ef8026
Offline
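An added example, not part of any post in this thread and not mORMot2 code: one way to pick the user lookup from what was typed (full DN, e-mail style, or bare name) and from whether the rootDSE looks like Active Directory, with the input escaped per RFC 4515 so it cannot change the filter. The function names, the `root_dse` dict and the choice of `userPrincipalName`/`sAMAccountName`/`mail`/`uid` as lookup attributes are assumptions of this example.

```python
import re

# Filter quoted in the post above; it only matches Active Directory users.
AD_USER = "(sAMAccountType=805306368)"
# Simplified DN shape: attr=value pairs separated by commas (no escaped commas).
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)+$")

def ldap_escape(value):
    """Escape a value for an RFC 4515 filter so user input cannot alter it."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def is_active_directory(root_dse):
    """root_dse: dict of rootDSE attributes, or None when the server returns none."""
    return bool(root_dse) and "rootDomainNamingContext" in root_dse

def classify_login(login):
    """Return 'dn', 'upn' or 'name' for what the user typed."""
    login = login.strip()
    if DN_RE.match(login):
        return "dn"
    return "upn" if "@" in login else "name"

def user_filter(login, root_dse):
    """Return (base_or_None, filter) to locate the account entry."""
    login = login.strip()
    kind = classify_login(login)
    if kind == "dn":
        # A full DN is its own search base: read the entry itself.
        return login, "(objectClass=*)"
    value = ldap_escape(login)
    if is_active_directory(root_dse):
        attr = "userPrincipalName" if kind == "upn" else "sAMAccountName"
        return None, "(&%s(%s=%s))" % (AD_USER, attr, value)
    # Assumption: non-AD users look like the inetOrgPerson entry shown above.
    attr = "mail" if kind == "upn" else "uid"
    return None, "(&(objectClass=inetOrgPerson)(%s=%s))" % (attr, value)
```

A `None` base means "search from the directory's naming context", which the caller has to supply.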
I have added regression tests using ldap.forumsys.com public server:
https://github.com/synopse/mORMot2/commit/b5f1c41f9
- this server seems in fact limited in content, but stable, and has a 100ms response time from Europe
- connect using plain bind
- execute an extension (WhoAmI)
- execute a search about all attributes of the logged user
- validate the search export into TDocVariant/JSON
- runs the process in a background thread, for efficiency
- also disconnect the socket and try the new TLdapSettings.AutoReconnect option
Offline