inejge / ldap3

A pure-Rust LDAP library using the Tokio stack
Apache License 2.0

auth based on userPrincipalName? #9

Closed viperscape closed 7 years ago

viperscape commented 7 years ago

I noticed that to bind successfully I must use the full DN, which includes the first and last name of the person. I basically want to use this library to quickly authenticate users; in something like nodejs I would bind anonymously and then authenticate using the userPrincipalName or something similar, e.g. jdoe@domain.com.

Is there a workaround for what I am trying to achieve?

inejge commented 7 years ago

Can you point me to existing code or a gist performing that kind of authentication, noting the precise name and version of the used LDAP package?

Protocol-wise, nothing stops you from supplying an arbitrary BindDN value for simple binds: it's encoded as an octet string, and this library doesn't check its form. However, the spec constrains it to the LDAP DN format, and a conforming server will reject anything else. Note that Active Directory is not conforming here, as it accepts a bunch of name forms in addition to DNs. To use an alternative name form and be standards-conformant, you'd have to use a SASL bind, which is a whole other can of worms, and unsupported by this crate.

What I suspect is happening in the Node scenario:

viperscape commented 7 years ago

Thanks for the reply, this is helpful!

The js gist is below:

// Constructed placeholders for the credentials being checked
const username = 'jdoe';
const password = process.env.LDAP_PASSWORD;

const ActiveDirectory = require('activedirectory2');

const config = { url: 'ldap://host',
                 baseDN: 'DC=domain,DC=com' };
const ad = new ActiveDirectory(config);

// Binds as the userPrincipalName; r is true only when the bind succeeded
ad.authenticate(username + '@domain.com', password, function (e, r) {
  if (e) { console.error('bind failed', e); return; }
  console.log('authenticated:', r);
});

I was having trouble replicating this with the ldap3 crate, I'll keep tinkering! thanks

viperscape commented 7 years ago

I got it working now :) Thanks so much, I was still combining the DN with the principal name, so replacing it all with just the full account works now. Thanks for your help!
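The fix viperscape landed on was to send the UPN on its own rather than embedding it in a DN. The following is an added example, not code from the ldap3 crate or from anyone in this thread: a small pure-Rust check that sorts a bind identity into the DN or UPN form before it is handed to a simple bind (with ldap3 that would be the `bind_dn` argument of `LdapConn::simple_bind`), rejects the combined form that failed here, and refuses an empty password, because a simple bind with a name but no password is the RFC 4513 "unauthenticated" bind that Active Directory and many other servers answer with success. The type names, error variants, heuristics and sample inputs are my own assumptions.

```rust
// Added example, not part of the ldap3 crate: classify a bind identity and
// reject the combinations that cannot authenticate anyone, before any
// network call is made.

#[derive(Debug, PartialEq)]
pub enum BindName {
    /// RFC 4514 distinguished name, e.g. "CN=John Doe,OU=Users,DC=domain,DC=com"
    Dn(String),
    /// Active Directory userPrincipalName, e.g. "jdoe@domain.com"
    Upn(String),
}

impl BindName {
    /// The string to pass as the bind name of a simple bind.
    pub fn as_str(&self) -> &str {
        match self {
            BindName::Dn(s) | BindName::Upn(s) => s,
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum BindError {
    EmptyName,
    /// Non-empty name plus empty password is an RFC 4513 unauthenticated bind;
    /// AD and many other servers return success for it, so never send it.
    EmptyPassword,
    /// A UPN stuffed into a DN, e.g. "CN=jdoe@domain.com,DC=domain,DC=com":
    /// the mistake from this thread. Directories that legitimately put mail
    /// addresses into RDNs would need to relax this heuristic.
    MixedForm,
    /// A bare name like "jdoe" is neither a DN nor a UPN.
    UnknownForm,
}

/// Heuristic: every comma-separated RDN is "attr=value" with an
/// alphanumeric attribute type and a non-empty value.
fn looks_like_dn(s: &str) -> bool {
    s.split(',').all(|rdn| match rdn.trim().split_once('=') {
        Some((attr, value)) => {
            !attr.is_empty()
                && attr.chars().all(|c| c.is_ascii_alphanumeric())
                && !value.is_empty()
        }
        None => false,
    })
}

/// Heuristic: exactly one '@', non-empty local part, dotted domain, and no
/// DN punctuation on either side.
fn looks_like_upn(s: &str) -> bool {
    let is_dn_punct = |c: char| c == '=' || c == ',';
    match s.split_once('@') {
        Some((user, domain)) => {
            !user.is_empty()
                && !user.contains(is_dn_punct)
                && domain.contains('.')
                && !domain.contains(|c: char| is_dn_punct(c) || c == '@')
        }
        None => false,
    }
}

/// Validate the (name, password) pair for a simple bind.
pub fn bind_name(name: &str, password: &str) -> Result<BindName, BindError> {
    let name = name.trim();
    if name.is_empty() {
        return Err(BindError::EmptyName);
    }
    if password.is_empty() {
        return Err(BindError::EmptyPassword);
    }
    if looks_like_dn(name) {
        if name.contains('@') {
            return Err(BindError::MixedForm);
        }
        return Ok(BindName::Dn(name.to_string()));
    }
    if looks_like_upn(name) {
        return Ok(BindName::Upn(name.to_string()));
    }
    Err(BindError::UnknownForm)
}

fn main() {
    // Constructed sample inputs
    for (n, p) in [
        ("jdoe@domain.com", "s3cret"),
        ("CN=jdoe@domain.com,DC=domain,DC=com", "s3cret"),
        ("jdoe@domain.com", ""),
    ] {
        println!("{n:?} -> {:?}", bind_name(n, p));
    }
}
```

Only an `Ok(BindName)` should reach the bind call; every `Err` is a local failure that is reported to the caller without touching the directory, which also keeps the empty-password case out of the server's logs.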