LDAP: How to bind via system ID/Password and then user ID/password for Authorization?

1

This command works and give me back a large response with all sorts of information about user with user ID XXXXXXX.

ldapsearch -D 'uid=<system ID>,ou=system,ou=users,dc=<domain>,dc=com' -x -H '<ldap server address>' -w '<system ID password>' -b 'ou=users,dc=<domain>,dc=com' 'uid=XXXXXXX'

However, I was told to first bind with the system ID, and then "rebind" with the user's UID/password to check if that user can be authorized.

Is this possible with the ldapsearch command? Maybe it's possible to just use the user's ID/password to bind instead of the initial bind with System ID/password?

EDIT: I think section 2.4.3.3 is what I am trying to convey.

kittyboo

Posted 2019-07-04T02:47:16.710

Reputation: 13

Answers

1

There is no built-in ldapsearch feature to do this in one step. What you're describing is application-specific logic; it's very commonly implemented in various LDAP-using software, but would require two ldapsearch invocations if you're trying to do the same via CLI, just as it requires creating two LDAP sessions through the API.

If you already know the user's full LDAP DN, then yes, you can just use it in the -D parameter.

However, if you only know the uid but not the entire DN, then you will need to search for it first (as you're doing right now), then manually copy the 'dn' from the search output and call ldapsearch a second time, with the user's DN specified as -D.


(One exception: If the LDAP server runs Active Directory, then it'll accept "user@domain" UPNs as well as "DOMAIN\user" in place of the DN, so you can use -D 'XXXXXXX@<domain>.com'. This is not a general LDAP feature, however, and I wouldn't rely on it.)

user1686

Posted 2019-07-04T02:47:16.710

Reputation: 283 655

Yup that worked... after looking at your suggestion and the output of the first LDAP search with system ID, I realized that I was missing an additional OU for the user. Now I can do it with just one call/user ID and User password. Makes a lot more sense now... – kittyboo – 2019-07-04T17:33:02.560
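The two-session flow the answer describes (bind as the system ID to resolve the uid to a DN, then a second bind as the user to verify the password), written out as an added shell script; this is not code from the question or answer, and it assumes OpenLDAP's ldapsearch/ldapwhoami plus the placeholder URI, base DN and system DN set at the top. It goes slightly beyond the thread by escaping the uid for the search filter and by refusing to proceed unless exactly one entry matched.

```shell
#!/bin/sh
# Two-session check with OpenLDAP client tools: the system account resolves the
# uid to a DN, then a second bind as the user proves the password.
# Placeholders (assumed, not from the question):
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BASE_DN="${BASE_DN:-ou=users,dc=example,dc=com}"
SYSTEM_DN="${SYSTEM_DN:-uid=sysid,ou=system,ou=users,dc=example,dc=com}"
SYSTEM_PW_FILE="${SYSTEM_PW_FILE:-/etc/ldap/sysid.pw}"   # -y keeps the password out of `ps`

# Escape user-supplied text for use inside an LDAP search filter (RFC 4515),
# so a uid such as "*" cannot widen the search to other entries.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read LDIF (ldapsearch -LLL output) on stdin and print the DN of the single
# entry it contains. Fails if zero or several entries matched, or if the DN is
# base64-encoded ("dn::"), rather than guessing.
extract_dn() {
  awk '
    function flush() {
      if (buf ~ /^dn:: /) bad = 1
      else if (buf ~ /^dn: /) { n++; dn = substr(buf, 5) }
      buf = ""
    }
    /^ /  { buf = buf substr($0, 2); next }   # LDIF folds long lines with a leading space
    { flush(); buf = $0 }
    END   { flush(); if (bad || n != 1) exit 1; print dn }
  '
}

# Return 0 only when exactly one entry has this uid AND the user's own bind succeeds.
check_user() {
  uid=$1; user_pw=$2
  user_dn=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$SYSTEM_DN" -y "$SYSTEM_PW_FILE" \
              -b "$BASE_DN" "(uid=$(ldap_filter_escape "$uid"))" dn | extract_dn) || return 1
  # Second session: bind as the user. ldapwhoami only authenticates and reports the bound identity.
  ldapwhoami -x -H "$LDAP_URI" -D "$user_dn" -w "$user_pw" >/dev/null 2>&1
}

# Usage: ./ldap_check.sh <uid> <password>   (exit status 0 = authenticated)
if [ $# -eq 2 ]; then
  check_user "$1" "$2" && echo "authenticated as $user_dn" || echo "authentication failed"
fi
```

Passing the user's password with -w still exposes it to other local processes; -W (prompt) or -y (file) avoids that where the script is run interactively.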