We use Apache 2.2 for authentication
against Active Directory.
The configuration is
following:
AuthFormLDAPURL
"ldap://*.*.*.*:389/DC=domain,DC=com?userPrincipalName,sAMAccountName?sub?(objectClass=*)"
Note:
All traces below using WireShark.
I
defined the user john when the CN is equal to the sAMAcountMame
name:
src="https://i.stack.imgur.com/aWoxE.jpg" alt="enter image description
here">
I can authenticate using only john
(sAMAcountMame). Please find below LDAP bind
request:
src="https://i.stack.imgur.com/84bkm.jpg" alt="enter image description
here">
LDAP bind
response:
src="https://i.stack.imgur.com/W1JRb.jpg" alt="enter image description
here">
Then I defined the user johnd when the
CN is NOT equal to the sAMAcountMame
name:
src="https://i.stack.imgur.com/nIb5k.jpg" alt="enter image description
here">
Unfortunately, I can not
authenticate using johnd (sAMAcountMame). Please find below LDAP bind
request:
src="https://i.stack.imgur.com/lRYR4.jpg" alt="enter image description
here">
LDAP bind
response:
src="https://i.stack.imgur.com/liABx.jpg" alt="enter image description
here">
I can authenticate using a full name
jonhd@domain.com. Please find below LDAP bind
request:
src="https://i.stack.imgur.com/l2EC3.jpg" alt="enter image description
here">
LDAP bind
response:
src="https://i.stack.imgur.com/jBA9I.jpg" alt="enter image description
here">
Questions:
- Why
I can not authenticate using sAMAcountMame when the CN is NOT equal to the
sAMAcountMame? - Why I can authenticate using sAMAcountMame
at domain in this case? - Should we recommend to our users
always to authenticate using sAMAcountMame at domain to prevent the authentication
problems?
Thanks for your
help!
Answer
When performing LDAP simple bind, AD does
not try to match the passed name against the sAMAccountName
attribute without any suffixes. However, it could try to find a match against
displayName
, which worked for you in the first test (where it
looked like a match against sAMAccountName
, because values of
those attributes were the same).
The precise
description of name matching rules used when handling LDAP simple binds can be found in
the Microsoft documentation:
href="http://msdn.microsoft.com/en-us/library/cc223499.aspx" rel="nofollow
noreferrer">http://msdn.microsoft.com/en-us/library/cc223499.aspx
Using
UPN is probably more reliable, because displayName
might
contain some human-readable string (e.g., full name of a person) and is not guaranteed
to be unique. The DOMAIN\USERNAME form should also be unique, but depend on NetBIOS
domain names, which are considered to be obsolete now.
Comments
Post a Comment