LDAP/ActiveDirectory BindDN syntax
I'm troubleshooting a linux-based hardware firewall for a client. This hardware firewall connects to ActiveDirectory for Single SignOn authentication.
ActiveDirectory is largely just a perverted version of LDAP to the best of my knowledge, and uses the same BindDN syntax -- correct me if I'm wrong.
The client has configured this as their BindDN -- actual strings have been replaced for privacy reasons but special characters and whitespace remain. "somerandomplace\fubar fubaz"
This does not seem to be valid BindDN syntax to me and I've worked with LDAP before, but when we hit the Test button to test this BindDN, the test succeeds. When I change just one of the characters in the BindDN and run the test again, the test fails.
I'm trying to figure out what the problem is here:
A) That I don't completely understand the nuances of BindDN and associated syntax
or
B) That the appliance fails to properly verify inputs and is falsely identifying the test as a success
LDAP is just a protocol. And like Greg said, Microsoft's implementation of it in Active Directory is compliant to the various RFCs that define it. (+1 to him)
Doug's answer is partially correct in that he gives one example of a valid Bind DN. But Active Directory specifically allows for the Bind DN value to be sent as other forms as well. The best form to use in my opinion is the UserPrincipalName (UPN), which is usually in the following form unless it has been explicitly changed.
- <sAMAccountName>@<domain FQDN> (e.g. [email protected])
The benefit of this over a normal DN value is that the user account can be moved within AD and the application using the credential doesn't have to update its config.
It can also be in the legacy NetBIOS form which looks like this and appears to be what your client is using.
- <Domain NetBIOS Name>\<sAMAccountName> (e.g. CONTOSO\user1)
This has the same benefit as the UPN value, but again is considered legacy. NetBIOS names should have died a long time ago, but that's a rant for another thread.
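A small classifier for the three bind-name forms discussed in this answer (DN, UPN, legacy NetBIOS), added here as an illustration and not part of the original thread. The regexes are my own conservative approximations of RFC 4514 DN syntax and Microsoft's NetBIOS/sAMAccountName character rules, not a full implementation, and the sample inputs are constructed from the examples in this thread.

```python
import re

# Rough patterns for the three bind-name forms Active Directory accepts.
# They approximate RFC 4514 DN syntax and Microsoft's sAMAccountName/NetBIOS
# rules rather than implement them fully (e.g. escaped commas in DN values
# are not handled).
_DN_RE = re.compile(
    r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(\s*,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$"
)
_UPN_RE = re.compile(
    r"^(?P<user>[^@\\/\s]+)@(?P<domain>([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+)$"
)
# NetBIOS domain names are at most 15 characters; a sAMAccountName is at most
# 20 and may not contain  " / \ [ ] : ; | = , + * ? < >  (spaces are allowed,
# which is why an account name like "fubar fubaz" is legal).
_NETBIOS_RE = re.compile(
    r'^(?P<domain>[A-Za-z0-9][A-Za-z0-9-]{0,14})\\'
    r'(?P<user>[^"/\\\[\]:;|=,+*?<>]{1,20})$'
)


def parse_bind_name(value: str) -> dict:
    """Classify a bind-name string as 'dn', 'upn', 'netbios' or 'unknown'.

    For UPN and NetBIOS forms the returned dict also carries the user and
    domain parts so a config check can report what was actually supplied.
    """
    if _DN_RE.match(value):
        return {"form": "dn", "dn": value.strip()}
    m = _UPN_RE.match(value)
    if m:
        return {"form": "upn", **m.groupdict()}
    m = _NETBIOS_RE.match(value)
    if m:
        return {"form": "netbios", **m.groupdict()}
    return {"form": "unknown"}


if __name__ == "__main__":
    # Constructed samples: the answers' examples plus the questioner's redacted
    # value and one NetBIOS-style string with an illegal ':' in the account name.
    for sample in (
        "CN=username,CN=Users,DC=yourdomain,DC=com",
        "user1@contoso.com",
        r"CONTOSO\user1",
        r"somerandomplace\fubar fubaz",
        r"CONTOSO\user:1",
    ):
        print(f"{sample!r:45} -> {parse_bind_name(sample)}")
```

A bare username such as "fubar fubaz" classifies as unknown here; whether an appliance still accepts it depends on whether it searches sAMAccountName itself, as the other answer notes.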
The bind DN would be CN=username,CN=Users,DC=yourdomain,DC=com for a user located in the Users container.
It might work if you just put in the username as well since it probably searches for the sAMAccountName property if it's Active Directory aware. Just don't preface the username with the domain.