Hi,
In the meantime, I learned from the DirectoryEntry source file
that an anonymous bind is made first to the URL "LDAP://RootDSE",
then the name of the domain is read from the property "defaultNamingContext",
then a second bind with sAMAccountName@domain
is made. The problem is that I don't know how to do it with the
OpenLDAP API. Do you have any examples?
Thank you.
On 2019-03-12 14:52, Florea, Cosmin Petre wrote:
Hello,
I have an LDAP Linux client written with OpenLDAP and I need it to
be able to authenticate a user only by username and password (no
domain). By username I mean the sAMAccountName from the LDAP
record. The bind succeeds if I use "username@domain" or if I use
the userPrincipalName (which is not equal to the sAMAccountName), but
I am unable to make it work just with the username. An anonymous
ldap_bind followed by an ldap_search does not work (it works if the
bind is not anonymous).
I also have a Windows client (not using the OpenLDAP library)
implemented with DirectoryEntry in C#. The login with just the
username works fine in that implementation (connected to the same
LDAP server). In the LDAP log file on Windows I see (I put [...]
to hide the server address):
<Data Name="Message">ldap_bind called for connection
0xd059b718: DN is (null). Method is 0x486. Synchronous is 0x1.
<Data Name="Message">ldapBind found server is
Windows 2003 or better AD on connection 0xd059b718
<Data Name="Message">Connection->hostname is
'[.........]'
<Data
Name="Message">Connection->DnsSuppliedNAme is
'[.........]'
<Data Name="Message">Connection->DomainName
is '(null)'
<Data Name="Message">LDAP: make spn returned
'ldap/[.........]' with error 0
<Data Name="Message">ldapBind found GSSAPI auth type
on connection 0xd059b718
<Data Name="Message">ldapBind found GSS-SPNEGO auth
type on connection 0xd059b718
<Data Name="Message">ldapBind found DIGEST auth type
on connection 0xd059b718
<Data Name="Message">ldap bind: Server is v3
<Data Name="Message">ldap bind: Server supports both
GSS-SPNEGO and GSSAPI
<Data Name="Message">New servicename for bind is
'ldap/[.........]'
<Data Name="Message">wldap32:Server is capable of
'NTLM'
<Data Name="Message">ldap_bind returned 0x0 for
connection 0xd059b718.
So on Windows it does ldap_bind twice, but I think it is using
a different mechanism, probably Windows-specific (I mean not
ldap_search), to retrieve the userPrincipalName associated with the
sAMAccountName from the input.
I do not have an account that I can use to make the initial bind
(my client should work with several distinct servers). My question
is: how to do it on Linux with OpenLDAP? Is it possible?
Thank you.
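The flow described in the reply (anonymous RootDSE read, take the domain from defaultNamingContext, then a simple bind as sAMAccountName@domain), as an added example that is not code from this thread. It uses the OpenLDAP command-line clients, which wrap the same libldap calls a C client would make (ldap_search_ext_s on the empty base, then ldap_sasl_bind_s with the SIMPLE mechanism); the server URI and username are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the OpenLDAP client tools
# (ldapsearch, ldapwhoami) and an Active Directory server reachable at the URI
# passed to ad_login. Placeholders: ldap://dc.example.invalid, jdoe.

# Turn a naming-context DN such as "DC=corp,DC=example,DC=com" into the DNS
# domain "corp.example.com". Only DC= components count; CN=/OU= are ignored.
ad_domain_from_dn() {
    printf '%s\n' "$1" | awk -F',' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            rdn = $i
            sub(/^[ \t]+/, "", rdn)
            if (toupper(substr(rdn, 1, 3)) == "DC=")
                out = out (out == "" ? "" : ".") substr(rdn, 4)
        }
        print out
    }'
}

# AD accepts "sAMAccountName@dnsdomain" as the bind name of a simple bind, even
# when the account's real userPrincipalName uses a different suffix.
ad_logon_name() {
    printf '%s@%s\n' "$1" "$2"
}

# Anonymous base-scope read of the RootDSE (empty base DN). AD allows this
# without credentials. libldap equivalent:
#   ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE, "(objectClass=*)", attrs, ...)
fetch_default_naming_context() {
    ldapsearch -LLL -x -H "$1" -s base -b '' defaultNamingContext \
        | sed -n 's/^defaultNamingContext: //p'
}

# Whole flow. -ZZ forces StartTLS so the password never crosses the wire in
# clear over ldap://; drop -ZZ when the URI is already ldaps://. The RootDSE
# answer is unauthenticated, so the TLS server check is what keeps a spoofed
# directory from redirecting the bind.
ad_login() {
    uri=$1
    user=$2
    nc=$(fetch_default_naming_context "$uri") || return 1
    [ -n "$nc" ] || { echo "no defaultNamingContext in RootDSE" >&2; return 1; }
    domain=$(ad_domain_from_dn "$nc")
    ldapwhoami -x -ZZ -H "$uri" -D "$(ad_logon_name "$user" "$domain")" -W
}

# Usage: ad_login ldap://dc.example.invalid jdoe
```

ldapwhoami prints the identity the server bound you as (AD reports it as u:DOMAIN\user), which confirms the derived domain matched.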