Active Directory Domain Name for authentication

active-directory

I have a bit of a code that takes an ldap string, a username, and a password, and then attempts to authenticate with the ldap server. The username may or may not contain the domain name, e.g., "DOMAIN\username" or "username" was valid input to this code.

From the ldap string, I will have a clear url, that may look like this LDAP://servername.com/DC=...etc. If I split out the server name portion, I get "servername.com", or "servername.corp", or whatnot. But if I attempt to login with servername.com\username, it does not authenticate. So one option is to split off the last ".", if there is one. Is this valid from an active directory perspective? What happens if there are subdomains such as xyx.servername.com?

I must admit I don't know enough about active directory to answer the above questions, and I can't find documentation that explains them. Some documentation that supports your answer would really help!


Solution 1:

When a login is presented as DOMAIN\user, DOMAIN is the NETBIOS name of the AD domain. This is normally the lowest subdomain of the domain, but it can be anything. The other valid way of presenting the name is with a UPN suffix, i.e. [email protected]. The problem with this is that an administrator can have multiple UPNs in a domain, though the default is the FQDN.

Basically, if you control the AD you should know this. If you don't, then you can't know for sure.

Solution 2:

When looking at the source for LDAP authentication for various open source packages the vast majority will perform LDAP authentication in a couple steps. This method is generally use most often and works for most LDAP implementations including AD.

  • The client will first connect and bind with a predefined user using the full distinguished name and password.
  • The system will then perform a search against the directory using the generic credentials to find the distinguished name of the user attempting to authenticate
  • If a valid user object is found then the initial connection will be closed and the client will attempt to reconnect and bind using the distinguished name that was found and password provided by the user.

With AD it is possible to authentication without using the full DN but this method doesn't really for some other LDAP servers so it isn't used as often.

Related

How to specify install order for python pip?
In Vim, why doesn't my mouse work past the 220th column?
How do I get the rightmost column to fill the remaining space?
What is the difference between the widgets of tkinter and tkinter.ttk in Python?
iOS 9 Safari: changing an element to fixed position while scrolling won't paint until scroll stops
Where can I find specific Apple firmware like early 2011 SMC 1.69f3
Moving a Subversion repository to another server
Issue: Safari on macOS won't open a new window via keyboard shortcut
Can't update to iOS 13.5 over hotspot [duplicate]
How does this regex find primes? [duplicate]
Control master audio volume with Siri
Get information about a SHA-1 commit object?