dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0
9.37k stars 1.68k forks

LDAP binding with end user credentials #955

Closed jap1968 closed 7 years ago

jap1968 commented 7 years ago

I am performing some tests in order to evaluate whether dex can fit in our working environment. What I pretend is to use the LDAP connector, but we do not have access to an administrative user to perform the binding step. I would like to know if the binding can be done using the credentials of the end user who is trying to authenticate in the system.

Could this be achieved? What should be the values of bindDN and bindPW in the LDAP section of the configuration file in order to get this behaviour?

marcosterland commented 7 years ago

If your LDAP can only be queried by an administrative or service user, you have to specify this in bindDN and bindPW. You have to specify the user in bindDN in LDAP style (e.g.: cn=admin,dc=acme,dc=edu). If your LDAP doesn't require credentials for queries, you can comment out those two parameters. You can test your settings pretty well with the command ldapsearch:

ldapsearch -x -h ldaphost -b "dc=acme,dc=edu" -D "cn=admin,dc=acme,dc=edu" -w 1234

Just specify your LDAP host (-h), base (-b), admin user (-D) and password (-w). To verify the user and group search, you'll find examples in the example config.
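To make the two cases above concrete, here is an added example of a dex LDAP connector configuration (my own illustration, not the project's example config or code from the original thread). The host, base DNs, service-account DN and attribute names are assumed values for an imaginary directory; the key names (bindDN, bindPW, userSearch, groupSearch, etc.) are the ones the dex LDAP connector documents. Note that bindDN/bindPW are only used for the user and group searches; dex verifies the end user's password with a separate bind as the DN it found, so the service account never needs to know end-user passwords.

```yaml
# dex config.yaml excerpt: LDAP connector (added example, assumed values)
connectors:
- type: ldap
  id: ldap
  name: Corporate LDAP
  config:
    # Always prefer LDAPS (or StartTLS) so the search credentials and the
    # end user's password are not sent in clear text.
    host: ldap.acme.edu:636
    insecureNoSSL: false
    insecureSkipVerify: false
    rootCA: /etc/dex/ldap-ca.pem

    # Case 1: the directory only answers searches for an authenticated
    # service account. Give that account read-only rights to the user and
    # group subtrees and nothing more. Omit both keys (case 2) if the
    # directory allows anonymous searches; the end user's own bind still
    # happens in either case.
    bindDN: cn=dex-search,ou=services,dc=acme,dc=edu
    bindPW: "$LDAP_BIND_PW"    # assumed: injected from an env var or secret, never committed

    usernamePrompt: Username

    userSearch:
      baseDN: ou=people,dc=acme,dc=edu
      filter: "(objectClass=person)"
      # Attribute matched against what the user types at the login form.
      # For Active Directory this would typically be sAMAccountName.
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: cn

    groupSearch:
      baseDN: ou=groups,dc=acme,dc=edu
      filter: "(objectClass=groupOfNames)"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
```

Before wiring this into dex, check the same settings with ldapsearch twice: once with the service account (as in the command above) to confirm the search base and filter return the user entry, and once binding as a test user's DN with that user's password to confirm the directory accepts end-user binds at all. If the second bind fails, dex logins will fail regardless of how bindDN is set.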

rithujohn191 commented 7 years ago

Thank you for the reply @marcosterland. @jap1968 if you are satisfied with this answer please go ahead and close out the issue. Thanks

jap1968 commented 7 years ago

Thanks a lot for your help. Unfortunately that was just a prototype for a proof of concept and I do not have access to it anymore. Anyway, since I assume your solution solves the problem, I am closing the issue.

tooptoop4 commented 1 year ago

Can it just use the incoming user as sAMAccountName to bind?