We're on a corporate network thats running active directory and we'd like to test out some LDAP stuff (active directory membership provider, actually) and so far, none of us can figure out what our LDAP connection string is. Does anyone know how we can go about finding it? The only thing we know is the domain that we're on.
8 Answers
The ASP.NET Active Directory Membership Provider does an authenticated bind to the Active Directory using a specified username, password, and "connection string". The connection string is made up of the LDAP server's name, and the fully-qualified path of the container object where the user specified is located.
The connection string begins with the URI LDAP://
.
For the server name, you can use the name of a domain controller in that domain-- let's say "dc1.corp.domain.com". That gives us LDAP://dc1.corp.domain.com/
thusfar.
The next bit is the fully qualified path of the container object where the binding user is located. Let's say you're using the "Administrator" account and your domain's name is "corp.domain.com". The "Administrator" account is in a container named "Users" located one level below the root of the domain. Thus, the fully qualified DN of the "Users" container would be: CN=Users,DC=corp,DC=domain,DC=com
. If the user you're binding with is in an OU, instead of a container, the path would include "OU=ou-name".
So, using an account in an OU named Service Accounts
that's a sub-OU of an OU named Corp Objects
that's a sub-OU of a domain named corp.domain.com
would have a fully-qualified path of OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com
.
Combine the LDAP://dc1.corp.domain.com/
with the fully qualified path to the container where the binding user is located (like, say, LDAP://dc1.corp.domain.com/OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com
) and you've got your "connection string".
(You can use the domain's name in the connection string as opposed to the name of a domain controller. The difference is that the domain's name will resolve to the IP address of any domain controller in the domain. That can be both good and bad. You're not reliant on any single domain controller to be up and running for the membership provider to work, but the name happens to resolve to, say, a DC in a remote location with spotty network connectivity then you may have problems with the membership provider working.)
- 129
- 10
- 141,071
- 19
- 191
- 328
-
With SBS 2008 at least, it looks like they've started conforming to the standard "OU" prefix in the string for the OUs: CN=Your Name,OU=Users,DC=example,DC=local We're running functional level 2003. – gravyface Apr 08 '10 at 14:29
-
Great answer. Can I provide the login details of the querying account to the foreign domain controller in the connection string? – Dan Jun 28 '11 at 09:06
-
So you mean that, the remote machine accessing ActiveDirectory should be in its own domain? What if my local machine is not in its domain? If my machine is in a workgroup, do I need to pass 2 credentials to authenticate a user? I mean, One to login to WindowsServer machine and the other is to validate ActiveDirectory user's username and password. Am I right? – Dinesh Kumar P Feb 24 '15 at 06:05
-
@DineshKumarP: I'm having a little trouble parsing you. The Membership Provider uses a valid credential in the Active Directory (AD) to bind to the Directory. The computer running the Membership Provider doesn't need to be a member of any AD domain, but you have to configure it with a valid credential from the AD in order for it to function. – Evan Anderson Feb 25 '15 at 02:18
-
Yes, got it @Evan. I haven't added 'SamAccountName' previously in my AD user account. So it was not validating. Now working fine. :) – Dinesh Kumar P Feb 25 '15 at 05:11
-
@Evan Anderson Nice one! Just for curiosity, which username and password do you refer when binding to AD ? Would be a Admin username and password ? – Arthur Ronald Nov 03 '15 at 18:50
-
2@ArthurRonald - Unprivileged users can bind to and query Active Directory, by default. In fact, it's probably best if you use an unprivileged users. Active Directory has a fairly rich ACL model, and you can control access to objects and attributes in a very granular fashion. You should bind with an account that has enough privilege to do you what you need but no more. – Evan Anderson Nov 03 '15 at 22:31
Type dsquery /?
in a command prompt.
Eg: dsquery user -name Ja*
gets the connection strings for all users with names starting in Ja*.
- 288
- 4
- 12
-
I like this approach, it gives the correct ordering of OUs and such. To make it obvious, to use this take LDAP://dc1.corp.domain.com/ and the output from the command & combine them in order to form an ldap string quiet easily. – RandomUs1r Sep 10 '14 at 15:48
-
4
-
1Pred, see this [answer](http://stackoverflow.com/questions/936829/where-can-i-get-dsquery-and-other-tools-useful-for-debugging-active-directory-is). – Stas Bushuev Dec 08 '16 at 05:37
I just use this tool from Softerra (they make an excellent freeware LDAP Browser) to get the User DN from the currently-logged in user: http://www.ldapbrowser.com/download.htm
-
Step 1: At the "Credentials" step, select "Currently logged-in user (ActiveDirectory only)". Step 2: When the connection is created, in its Properties go to the "Entry" tab and copy the URL. Step 3: Use that URL together with the the DN found with ErJab's solution. – Nicolas Raoul Oct 21 '13 at 06:18
I always had problems finding the correct way to type out the OU. The command dsquery ou domainroot
will give you a list of the correct names of all the OUs in your domain. Not sure if this will help for a larger organization.
- 4,524
- 7
- 32
- 51
Install Remote Server Administration Tools: http://www.microsoft.com/en-us/download/details.aspx?id=7887
Open a command prompt and enter >dsquery server
For more information, please check this post (bottom of the post): http://www.schiffhauer.com/mvc-5-and-active-directory-authentication/
- 121
- 1
- 6
-
Remote Server Administration Tools for Windows 10: https://www.microsoft.com/en-us/download/details.aspx?id=45520 – zacran Aug 25 '20 at 18:05
I found easiest way:
You can also find from
Active directory server -> Choose the Organization Unit OU -> Right Click -> Properties -> AttributeEditor -> DistinguishedName
I got these from Microsoft windows server 2012 R2
- 141
- 3