I'm using Windows SBS 2008, and am creating an internal webapp and would like to authenticate with my LDAP server. What is the best method for determining what connection string I should use?

I'm using python-ldap, and it is looking for something LIKE:

    import ldap

    # LDAP URI of the directory server
    l = ldap.initialize('ldap://')
    dn = "cn=myuser,ou=Users,dc=pezcandyinc,dc=com"
    pw = "mypassword"

    # Synchronous simple bind with the DN and password
    l.simple_bind_s(dn, pw)

I believe this is what it is looking for, but any help would be appreciated.

  • Remember, when you bind ldap://, your password is sent in cleartext and can be easily sniffed. Use ldap over SSL (ldaps:// - port 636/tcp) or ldap over TLS (port 389/tcp) – sumar Mar 02 '10 at 06:50

2 Answers


Active Directory Explorer is one tool I use when spelunking around in Active Directory. I haven't tried this against a non-Windows domain LDAP server, but I doubt it will work well.

LDAP Browser is also very good, and the free read-only version should help you find the correct distinguished name for your domain. This also works against most any server that speaks LDAP.

There are a couple of ways you can make it easier to authenticate end users. For example, if you want to allow them to use their domain credentials (either the SamAccountName or User Principal), you can have a service account set up that does the initial auth and takes whatever they pass in to query the directory to retrieve their specific DN. You can then use the DN and whatever password they passed to log in a second time to verify they can connect successfully.

  • This definitely allowed me to find the Distinguished Name, which allowed me to authenticate properly. The users are all part of a DN that looks like: CN=Firstname Lastname,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=pezcandyinc,DC=local This makes it very awkward to auth, because a user will have to type their full name as the user, and then their password, as opposed to just typing their samaccountname. The only way I can think of to auth using the samaccountname is to first bind using an adminlogin, and then do a search on the samaccountname to pull a DN. If anyone has any thoughts, speak up. –  Mar 02 '10 at 04:53
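
The search-then-bind flow described in the answer and comment above, as an added example (not code from the original posts). The function names, `BindRejected` and the host in the usage comment are assumptions; `connect` is any callable returning a python-ldap connection.

```python
try:
    import ldap                          # python-ldap, as used in the question
    BindRejected = ldap.INVALID_CREDENTIALS
except ImportError:                      # lets the flow be exercised against a stub
    BindRejected = PermissionError

SCOPE_SUBTREE = 2                        # same value as ldap.SCOPE_SUBTREE

def escape_filter_value(value):
    """RFC 4515 escaping so user input cannot change the search filter."""
    for char, escaped in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                          (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(char, escaped)
    return value

def find_user_dn(conn, base_dn, username):
    """Return the DN of the single user with this sAMAccountName, else None."""
    flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)
    entries = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ["cn"])
    dns = [dn for dn, _attrs in entries if dn]   # AD referrals have dn=None
    return dns[0] if len(dns) == 1 else None

def authenticate(connect, service_dn, service_pw, base_dn, username, password):
    """Search-then-bind; returns the user's DN on success, None otherwise."""
    if not username or not password:
        return None   # an empty password is an unauthenticated bind a server can accept
    conn = connect()
    try:
        conn.simple_bind_s(service_dn, service_pw)        # 1. bind as service account
        user_dn = find_user_dn(conn, base_dn, username)   # 2. resolve name to DN
    finally:
        conn.unbind_s()
    if user_dn is None:
        return None
    conn = connect()
    try:
        conn.simple_bind_s(user_dn, password)             # 3. bind as the user
        return user_dn
    except BindRejected:
        return None
    finally:
        conn.unbind_s()

# Usage (placeholder host; ldaps:// keeps both binds out of cleartext):
# authenticate(lambda: ldap.initialize("ldaps://dc.example.local"),
#              service_dn, service_pw, "DC=pezcandyinc,DC=local", "jdoe", pw)
```

Give the service account read-only access to the user subtree, since its password has to live in the web app's configuration.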

Actually you just need to put "$user@$LDAP_DOMAIN" and it should bind how you want :p