LDAP authentication with just sAMAccountName
- To: openldap-technical@openldap.org
- Subject: LDAP authentication with just sAMAccountName
- From: "Florea, Cosmin Petre" <fosminclorea@gmail.com>
- Date: Tue, 12 Mar 2019 14:52:18 +0200
- Content-language: en-US
- User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
Hello,
I have an LDAP Linux client written with OpenLDAP and I need it to be
able to authenticate a user only by username and password (no domain).
By username I mean the sAMAccountName from the LDAP record. The bind
succeeds if I use "username@domain" or if I use the userPrincipalName
(which is not equal to sAMAccountName), but I am unable to make it work
just with the username. An anonymous ldap_bind followed by an ldap_search
does not work (it works if the bind is not anonymous).
I also have a Windows client (not using the OpenLDAP library) implemented
with DirectoryEntry from C#. The login with just the username works fine
in that implementation (connected to the same LDAP server). In the LDAP
log file on Windows I see (I put [...] to hide the server address):
<Data Name="Message">ldap_bind called for connection
0xd059b718: DN is (null). Method is 0x486. Synchronous is 0x1.
<Data Name="Message">ldapBind found server is Windows 2003 or
better AD on connection 0xd059b718
<Data Name="Message">Connection->hostname is
'[.........]'
<Data Name="Message">Connection->DnsSuppliedNAme is
'[.........]'
<Data Name="Message">Connection->DomainName is
'(null)'
<Data Name="Message">LDAP: make spn returned
'ldap/[.........]' with error 0
<Data Name="Message">ldapBind found GSSAPI auth type on
connection 0xd059b718
<Data Name="Message">ldapBind found GSS-SPNEGO auth type on
connection 0xd059b718
<Data Name="Message">ldapBind found DIGEST auth type on
connection 0xd059b718
<Data Name="Message">ldap bind: Server is v3
<Data Name="Message">ldap bind: Server supports both GSS-SPNEGO
and GSSAPI
<Data Name="Message">New servicename for bind is
'ldap/[.........]'
<Data Name="Message">wldap32:Server is capable of 'NTLM'
<Data Name="Message">ldap_bind returned 0x0 for connection
0xd059b718.
So on Windows it does ldap_bind 2 times, but I think it is using a
different mechanism, probably Windows-specific (I mean not ldap_search),
to retrieve the userPrincipalName associated with the sAMAccountName
from the input.
I do not have an account that I can use to make the initial bind (my
client should work with several distinct servers). My question is: how
to do it on Linux with OpenLDAP? Is it possible?
Thank you.
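The bind-then-search sequence the post describes (a non-anonymous bind with a lookup account, an ldap_search on sAMAccountName, then a bind as the user that was found), written out as an added Python example; it is not code from the post or from OpenLDAP. The connection object is a constructed in-memory stand-in modelled on python-ldap's simple_bind_s/search_s, and the directory entries and lookup credentials are made up, so the logic runs offline; the two checks a practitioner wants here are the RFC 4515 filter escaping of the user-supplied name and the rejection of an empty password before the bind.

```python
class InvalidCredentials(Exception):
    """Raised by the stand-in connection when a bind is refused."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot rewrite the search filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def resolve_and_bind(conn, base_dn, lookup_dn, lookup_pw, username, password):
    """Map a bare sAMAccountName to a DN and bind as that user.

    Returns the user's DN on success, None on any failure.
    """
    # An empty password turns a simple bind into an "unauthenticated" bind
    # (RFC 4513 5.1.2), which the server answers with success; refuse it here.
    if not password:
        return None
    conn.simple_bind_s(lookup_dn, lookup_pw)               # step 1: non-anonymous bind
    flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)
    hits = conn.search_s(base_dn, flt, ["userPrincipalName"])  # step 2: search
    if len(hits) != 1:                                     # unknown or ambiguous user
        return None
    user_dn, _attrs = hits[0]
    try:
        conn.simple_bind_s(user_dn, password)              # step 3: bind as the user
    except InvalidCredentials:
        return None
    return user_dn


class FakeConnection:
    """Constructed in-memory stand-in (not a real LDAP client) for running offline."""
    LOOKUP = ("CN=lookup,OU=Service,DC=example,DC=com", "lookup-pw")  # constructed
    ENTRIES = {  # constructed sample directory: DN -> attributes
        "CN=Jane Doe,OU=Users,DC=example,DC=com": {
            "sAMAccountName": "jdoe", "userPrincipalName": "jane.doe@example.com",
            "_password": "Secret1"},
    }

    def simple_bind_s(self, dn, password):
        if (dn, password) == self.LOOKUP:
            return
        entry = self.ENTRIES.get(dn)
        if entry is None or entry["_password"] != password:
            raise InvalidCredentials(dn)

    def search_s(self, base_dn, flt, attrs):
        # Models only the exact filter shape built above, comparing escaped values.
        wanted = flt[len("(&(objectClass=user)(sAMAccountName="):-2]
        return [(dn, {a: [e[a]] for a in attrs}) for dn, e in self.ENTRIES.items()
                if dn.endswith(base_dn) and escape_filter_value(e["sAMAccountName"]) == wanted]
```

This does not remove the need for the lookup account the post says is unavailable; it only shows the checks the search step needs once such an account exists.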