Active Directory Domain Name for authentication
I have a bit of a code that takes an ldap string, a username, and a password, and then attempts to authenticate with the ldap server. The username may or may not contain the domain name, e.g., "DOMAIN\username" or "username" was valid input to this code.
From the ldap string, I will have a clear url, that may look like this LDAP://servername.com/DC=...etc. If I split out the server name portion, I get "servername.com", or "servername.corp", or whatnot. But if I attempt to login with servername.com\username, it does not authenticate. So one option is to split off the last ".", if there is one. Is this valid from an active directory perspective? What happens if there are subdomains such as xyx.servername.com?
I must admit I don't know enough about active directory to answer the above questions, and I can't find documentation that explains them. Some documentation that supports your answer would really help!
Solution 1:
When a login is presented as DOMAIN\user
, DOMAIN is the NETBIOS name of the AD domain. This is normally the lowest subdomain of the domain, but it can be anything. The other valid way of presenting the name is with a UPN suffix, i.e. [email protected]
. The problem with this is that an administrator can have multiple UPNs in a domain, though the default is the FQDN.
Basically, if you control the AD you should know this. If you don't, then you can't know for sure.
Solution 2:
When looking at the source for LDAP authentication for various open source packages the vast majority will perform LDAP authentication in a couple steps. This method is generally use most often and works for most LDAP implementations including AD.
- The client will first connect and bind with a predefined user using the full distinguished name and password.
- The system will then perform a search against the directory using the generic credentials to find the distinguished name of the user attempting to authenticate
- If a valid user object is found then the initial connection will be closed and the client will attempt to reconnect and bind using the distinguished name that was found and password provided by the user.
With AD it is possible to authentication without using the full DN but this method doesn't really for some other LDAP servers so it isn't used as often.