
I am trying to integrate SLES with a Windows Active Directory server for authentication purposes.

We need to use sAMAccountName as the login name, but it's unable to bind if we don't give DOMAIN/sAMAccountName on the ldapsearch command. But my application's login window does not support giving a domain name before the user. I have configured ldap.conf and krb5.conf to provide authentication. Is there any way to add "DOMAIN/" to the beginning of the sAMAccountName as the default for binding?

This is working fine: ldapsearch -x -LLL -h adserver.customer.entp.tgc -D CUSTOMER\EXT123456 -w password -b "dc=customer,dc=entp,dc=tgc"

Thanks for your answers in advance.

nynonur

    What application doesn't support a domain qualified username? Does it support UPN format? username@ad.example.com – Ryan Bolger May 27 '16 at 21:16
  • My application's login window takes the whole username text as a username. So it's also not supporting UPN. I need to add the domain or UPN extension to it after the application sends the username and password for authentication. – nynonur May 27 '16 at 21:50
  • With credentials traversing the network, ensure LDAPS is being used. ldaps://adserver.customer.entp.tgc:636 – user2320464 May 28 '16 at 01:48
  • I have tried to change it to secure ldap but it changes nothing at all. – nynonur May 30 '16 at 13:25

1 Answer


I don't know the details of your application, but it sounds to me like it is not compatible with Active Directory.

Read the public documentation for ADS_NAME_TYPE_ENUM.

Those are the login name formats that you are allowed to log in with. "EXT123456" is not one of them.

I know that you think "EXT123456" is logging in with a sAMAccountName, but it actually is not. Look at the documentation again. There actually is no valid login format that fits the "EXT12345" (or "johndoe") pattern.

Just "username" by itself is not a valid login format. Well, actually it is a valid login format... for the user's Display Name.

Active Directory will actually attempt to resolve that to a Display Name. ADS_NAME_TYPE_DISPLAY.

So if you cannot make your application either accept a domain prefix, or a UPN suffix, or ask your users to log in with their display names... Active Directory does not just assume that a bare string "johndoe" is a sAMAccountName.

But you are not alone. Most folks assume that logging in to AD with no domain prefix or UPN somehow magically maps to sAMAccountName. But it does not. If you want to see how this works for yourself, use ldp.exe, and perform simple binds using a user account whose display name is different from their sAMAccountName, and do not supply a domain name. Which one lets you in? It's the display name.

Ryan Ries
  • Hi Expert, I have checked the document; yes, if we want to use sAMAccountName in login we need to send it in UPN or NT4 format. That explains why I succeed on ldapsearches when I use these two formats. But obviously my application is not supporting these formats on the logon window. Also, display names are in a format which cannot be a Linux user (with spaces). So my idea is to convert this sAMAccountName attribute into NT4 or UPN format in some way I cannot figure out. I thought that maybe a change in krb5.conf or ldap.conf could help me to do it by default. What do you think? – nynonur May 30 '16 at 13:29
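The answer above says a bare string such as "EXT123456" is not a valid AD logon name, so any wrapper sitting between the application and the directory has to turn it into NT4 (`DOMAIN\user`) or UPN (`user@realm`) form before binding. The following is an added example, not code from the original question or answer, showing how such a wrapper can do that safely: it rejects input that already carries a qualifier (so a caller cannot smuggle a different principal past it), produces both accepted formats, and builds an RFC 4515-escaped search filter for the alternative "search by sAMAccountName with a service account, then bind with the returned DN" approach that pam_ldap and sssd use. The domain and UPN suffix values are constructed placeholders.

```python
"""Turn a bare sAMAccountName into the logon formats Active Directory
accepts, and build a safe LDAP search filter for a search-then-bind flow.
Added example; the domain and suffix below are constructed values."""

# Constructed values for illustration; replace with your own domain.
NT4_DOMAIN = "CUSTOMER"
UPN_SUFFIX = "customer.entp.tgc"

# Characters Microsoft documents as invalid in a sAMAccountName, plus '@',
# which is refused here only because it would make the input read as a UPN.
FORBIDDEN = set('"/\\[]:;|=,+*?<>@')


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a username like 'a)(objectClass=*' would change the
    meaning of the filter instead of being matched literally."""
    out = []
    for ch in value:
        if ch in ('\\', '*', '(', ')', '\x00'):
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def normalise_login(username: str,
                    nt4_domain: str = NT4_DOMAIN,
                    upn_suffix: str = UPN_SUFFIX) -> dict:
    """Return the NT4 form, the UPN form and a search filter for a bare name.

    Raises ValueError when the input is empty, too long, or already carries
    a domain qualifier, so the wrapper never binds as something other than
    the account the user typed."""
    u = username.strip()
    # User sAMAccountNames are limited to 20 characters.
    if not u or len(u) > 20:
        raise ValueError("invalid sAMAccountName length")
    if any(c in FORBIDDEN for c in u):
        raise ValueError("username must be a bare sAMAccountName")
    return {
        "nt4": f"{nt4_domain}\\{u}",
        "upn": f"{u}@{upn_suffix}",
        "filter": "(&(objectClass=user)(sAMAccountName=%s))"
                  % escape_filter_value(u),
    }


if __name__ == "__main__":
    # Sample run with the account name from the question.
    forms = normalise_login("EXT123456")
    print("bind as NT4 :", forms["nt4"])
    print("bind as UPN :", forms["upn"])
    print("or search   :", forms["filter"])
```

Either of the first two values can be handed to a simple bind directly; the filter is for the two-step variant, where a read-only service account runs the search over LDAPS and the user's own password is then tried against the DN the search returns. The escaping matters in that variant because the username arrives straight from the login window.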