Monday, September 14, 2015

LDAP on Domino with iPhone (iOS8x) - can it work? (Updated)

Hi guys.

Maybe you can help me with this.
I need to provide users with the ability to access the Domino Directory (primary or additional) through an iPhone LDAP account. Today I spent a whole day on that and failed eventually. Sad feeling.

At the beginning the task looked extremely easy:
1) enable SSL on the Domino server for Internet LDAP users;
2) quickly adjust the Server document and Configuration document regarding the LDAP task;
3) run "load ldap" from the Domino console and enjoy.

I downloaded LDAP Admin (just the first link among the search results) for testing purposes and made sure that everything worked perfectly. Here are a few screenshots as proof.

Then I configured an LDAP account on an iPhone 5 (iOS8x) using the same parameters as on the screen above and spent a long time with the gadget after that. Whatever I tried to do, nothing helped. I always received the message "Unable to verify account information".

I don't want to describe here everything I tried, but it was really a lot. I feel like I tried all possible combinations of all configuration fields in different states.

I managed to make it work in only one case: when I allowed Anonymous access to the Directory on Domino and removed User Name and Password from the iPhone LDAP Account configuration.

However, such a configuration couldn't stay; I couldn't let everyone on the Internet access the corporate Domino Directory. So the only option for me was with authentication enabled, but it refused to work.

Eventually I found two threads on the Internet where people complained about similar (or even the same) issues. It seems the issues started with iOS7x and still aren't resolved.
Here are link1 and link2. These two posts were made in 2013, so probably something has changed since then.

Please let me know if you have any suggestions I can try.

-------------------------------------------------------------------------
Updated next day.

I have enabled advanced logging of LDAP-related activities on the Domino server using the notes.ini variable "LDAPDebug" (thanks to the guy in the comments below).
I used UserName = "ypastov" (as on my first screens) for the following tests.

When I try to connect to Domino LDAP using the LDAP Admin tool, I see the following messages in the Domino console:

[05F4:0008-0C20] 09/15/2015 01:02:37.74 PM LDAP CIServ Listen> Connection Accepted on Port 389 for Session 21520002
[05F4:000A-0508] 09/15/2015 01:02:37.74 PM LDAP> InitForSearch
[05F4:0005-0508] 09/15/2015 01:02:37.74 PM LDAP> InitForSearch
[05F4:000A-043C] 09/15/2015 01:02:37.74 PM LDAP> BERGetTag State
[05F4:000A-0508] 09/15/2015 01:02:37.74 PM LDAP> BERGetLeadingLengthByte State
[05F4:000A-043C] 09/15/2015 01:02:37.74 PM LDAP> BERGetLength State
[05F4:000A-0508] 09/15/2015 01:02:37.74 PM LDAP> BERGetNext State
[05F4:0005-0508] 09/15/2015 01:02:37.84 PM LDAP> Bind State
[05F4:0005-0508] 09/15/2015 01:02:37.84 PM LDAP>     Version: 3
[05F4:0005-0508] 09/15/2015 01:02:37.84 PM LDAP>     DN: ypastov
[05F4:0005-0508] 09/15/2015 01:02:37.84 PM LDAP>     Method: 0x80 (Simple)
[05F4:000A-0508] 09/15/2015 01:02:37 PM  LDAP Server: 192.168.0.106 connected
[05F4:0005-0508] 09/15/2015 01:02:38.04 PM LDAP> Groups for name CN=Yuriy Pastovenskyy/O=myOrg:
[05F4:0005-0508] 09/15/2015 01:02:38.06 PM LDAP>     Yuriy Pastovenskyy
[05F4:0005-0508] 09/15/2015 01:02:38.09 PM LDAP>     *
[05F4:0005-0508] 09/15/2015 01:02:38.09 PM LDAP>     */O=myOrg
[05F4:0005-0508] 09/15/2015 01:02:38.09 PM LDAP>     LocalDomainAdmins
[05F4:0005-0508] 09/15/2015 01:02:38.09 PM LDAP> Successful bind, user ypastov authenticated as CN=Yuriy Pastovenskyy/O=myOrg
[05F4:0005-0508] 09/15/2015 01:02:38.09 PM LDAP> Return Result State (Bind operation)
[05F4:000A-043C] 09/15/2015 01:02:38.10 PM LDAP> SendBufferFree
[05F4:0005-043C] 09/15/2015 01:02:38.10 PM LDAP> InitForSearch
[05F4:000A-0508] 09/15/2015 01:02:38.12 PM LDAP> BERGetTag State
[05F4:000A-043C] 09/15/2015 01:02:38.12 PM LDAP> BERGetLeadingLengthByte State
[05F4:000A-0508] 09/15/2015 01:02:38.12 PM LDAP> BERGetLength State
[05F4:000A-043C] 09/15/2015 01:02:38.12 PM LDAP> BERGetNext State
[05F4:0005-043C] 09/15/2015 01:02:38.12 PM LDAP> Search State
[05F4:0005-043C] 09/15/2015 01:02:38.12 PM LDAP> ***** Start search request processing *****

So, it looks good.

When I try to connect to Domino LDAP using the iPhone LDAP account, I see the following messages in the Domino console:

[0BEC:0008-0DC0] 09/15/2015 03:26:00.58 PM LDAP CIServ Listen> Connection Accepted on Port 389 for Session 2152002C
[0BEC:000C-0D20] 09/15/2015 03:26:00.59 PM LDAP> InitForSearch
[0BEC:0005-0D20] 09/15/2015 03:26:00.59 PM LDAP> InitForSearch
[0BEC:000C-0E68] 09/15/2015 03:26:00.59 PM LDAP> BERGetTag State
[0BEC:000C-0D20] 09/15/2015 03:26:00.59 PM LDAP> BERGetLeadingLengthByte State
[0BEC:000C-0E68] 09/15/2015 03:26:00.59 PM LDAP> BERGetNext State
[0BEC:0005-0E68] 09/15/2015 03:26:00.59 PM LDAP> Failed, no previous successful Bind request, anonymous access not allowed
[0BEC:0005-0E68] 09/15/2015 03:26:00.59 PM LDAP> Return Result State (Search operation)
[0BEC:000C-0D20] 09/15/2015 03:26:00.59 PM LDAP> SendBufferFree
[0BEC:0005-0D20] 09/15/2015 03:26:00.59 PM LDAP> InitForSearch
[0BEC:000C-0D20] 09/15/2015 03:26:00 PM  LDAP Server: 192.168.0.102 connected
[0BEC:0005-0E68] 09/15/2015 03:26:00 PM  LDAP> StateReturnResult returning resultCode 1 (Operations error)

So, as you can see, the provided user name "ypastov" was not used by the iPhone for authentication at all.
I don't know whether the iOS8x LDAP account does not work with a Domino-based LDAP server only, or whether it is a generic iOS bug for any type of LDAP server.
The Internet has almost nothing about this issue; I found a few old posts where people suggested adjusting some iOS system settings, but that is not an option for a corporate environment. I can't ask the CEO to change the configuration of his iPhone, and I don't want to take such responsibility myself.

In any case, if you have more ideas about what is worth checking, please tell me. I will try that and let you know the results.
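To make the comparison between the two console excerpts above mechanical, here is an added Python example (not from this post and not part of Domino) that walks LDAPDebug output connection by connection and reports a search that arrives without a successful bind, which is exactly what the iPhone excerpt shows. It assumes each connection's lines are contiguous, which holds for these single-client excerpts but not for a busy server where thread output interleaves. It also reports a simple bind accepted on the non-TLS port 389, since that bind carries the password in clear unless TLS is in place; both excerpts were captured on port 389.

```python
"""Parse Domino 'LDAPDebug' console output and report, per connection,
whether a search was preceded by a successful bind.
Assumption (not from the post): a connection's lines are contiguous."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample log: lines taken from the two console excerpts in the post, trimmed.
SAMPLE_LOG = """\
[05F4:0008-0C20] 09/15/2015 01:02:37.74 PM LDAP CIServ Listen> Connection Accepted on Port 389 for Session 21520002
[05F4:0005-0508] 09/15/2015 01:02:37.84 PM LDAP> Bind State
[05F4:0005-0508] 09/15/2015 01:02:37.84 PM LDAP>     Version: 3
[05F4:0005-0508] 09/15/2015 01:02:37.84 PM LDAP>     DN: ypastov
[05F4:0005-0508] 09/15/2015 01:02:37.84 PM LDAP>     Method: 0x80 (Simple)
[05F4:000A-0508] 09/15/2015 01:02:37 PM  LDAP Server: 192.168.0.106 connected
[05F4:0005-0508] 09/15/2015 01:02:38.09 PM LDAP> Successful bind, user ypastov authenticated as CN=Yuriy Pastovenskyy/O=myOrg
[05F4:0005-043C] 09/15/2015 01:02:38.12 PM LDAP> Search State
[0BEC:0008-0DC0] 09/15/2015 03:26:00.58 PM LDAP CIServ Listen> Connection Accepted on Port 389 for Session 2152002C
[0BEC:0005-0E68] 09/15/2015 03:26:00.59 PM LDAP> Failed, no previous successful Bind request, anonymous access not allowed
[0BEC:0005-0E68] 09/15/2015 03:26:00.59 PM LDAP> Return Result State (Search operation)
[0BEC:000C-0D20] 09/15/2015 03:26:00 PM  LDAP Server: 192.168.0.102 connected
[0BEC:0005-0E68] 09/15/2015 03:26:00 PM  LDAP> StateReturnResult returning resultCode 1 (Operations error)
"""

ACCEPT_RE = re.compile(r"Connection Accepted on Port (\d+) for Session (\w+)")
DN_RE = re.compile(r"LDAP>\s+DN: (.*)$")
METHOD_RE = re.compile(r"LDAP>\s+Method: (0x[0-9A-Fa-f]+) \((\w+)\)")
BOUND_RE = re.compile(r"Successful bind, user (\S+) authenticated as (.*)$")
CLIENT_RE = re.compile(r"LDAP Server: (\d+\.\d+\.\d+\.\d+) connected")
NOBIND_RE = re.compile(r"Failed, no previous successful Bind request")
SEARCH_RE = re.compile(r"Search State|Start search request|\(Search operation\)")
RESULT_RE = re.compile(r"returning resultCode (\d+) \((.*)\)")


@dataclass
class Session:
    session_id: str
    port: str
    client: Optional[str] = None          # peer address as Domino prints it
    bind_dn: Optional[str] = None         # DN/name offered in the BindRequest
    bind_method: Optional[str] = None     # e.g. "Simple"
    authenticated_as: Optional[str] = None
    searched: bool = False
    unauthenticated_search: bool = False
    result_code: Optional[int] = None

    @property
    def bound(self) -> bool:
        return self.authenticated_as is not None


def parse_sessions(lines) -> List[Session]:
    """Group lines by 'Connection Accepted' and extract bind/search facts."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            cur = Session(session_id=m.group(2), port=m.group(1))
            sessions.append(cur)
            continue
        if cur is None:
            continue  # output before the first accepted connection
        if (m := DN_RE.search(line)):
            cur.bind_dn = m.group(1).strip()
        elif (m := METHOD_RE.search(line)):
            cur.bind_method = m.group(2)
        elif (m := BOUND_RE.search(line)):
            cur.authenticated_as = m.group(2).strip()
        elif (m := CLIENT_RE.search(line)):
            cur.client = m.group(1)
        elif NOBIND_RE.search(line):
            cur.unauthenticated_search = True
        elif (m := RESULT_RE.search(line)):
            cur.result_code = int(m.group(1))
        if SEARCH_RE.search(line):
            cur.searched = True
    return sessions


def findings(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Return (session_id, kind) pairs worth a second look."""
    out: List[Tuple[str, str]] = []
    for s in sessions:
        # A simple bind on 389 without TLS sends the password in clear.
        if s.bound and s.bind_method == "Simple" and s.port == "389":
            out.append((s.session_id, "cleartext-simple-bind"))
        # The iPhone symptom: the client searched but never bound.
        if s.searched and not s.bound:
            out.append((s.session_id, "unauthenticated-search"))
    return out


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG.splitlines()):
        print(f"{s.session_id} {s.client} bind_dn={s.bind_dn!r} bound={s.bound} "
              f"searched={s.searched} result={s.result_code}")
    for sid, kind in findings(parse_sessions(SAMPLE_LOG.splitlines())):
        print(f"{sid}: {kind}")
```

Run against the two excerpts, the first connection reports a bound, authenticated search by "ypastov" and the second reports a search with no bind at all and resultCode 1, which is the log-side confirmation that the phone never sent the configured credentials.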

8 comments:

  1. Turning on LDAP debugging may help in your case.
    http://www.kalechi.com/doc/notesini.nsf/85255a87005060c585255a850068ca6f/75d2a021772c9edbc1256d71006fc6f9!OpenDocument

    Replies
    1. thank you, I have updated my post with your suggestions

  2. what is on your LDAP bind authentication method settings?

  3. try to dig into this side:
    http://notes.helsinki.fi/help/help8_admin.nsf/f4b82fbb75e942a6852566ac0037f284/dd405163b6300d30852572fa004e5729?OpenDocument

    http://notes.helsinki.fi/help/help8_admin.nsf/f4b82fbb75e942a6852566ac0037f284/01815913fe669a64852572fa004e3ebd?OpenDocument

    Replies
    1. never mind, post your progress here please

    2. No luck.
      I tried enabling and disabling the "DN Required on Bind" config on the Domino side, and it worked with LDAPAdmin or with ldapsearch.exe but never with the iPhone LDAP account. I do not think the issue is on the Domino side: the Domino server just never gets the username/password set in the iPhone LDAP account, for some reason.
    3. Usually I do a traffic sniff when there is something that should work but doesn't :)
      You can disable SSL on both sides to simplify the sniff.
      First of all, try to sniff on the server's side with wireshark or tcpdump.