How to do DN resolution using python ldap3 library

Time:11-17

I am implementing some login procedure based on an active directory. The user will type in his mail.

I was already successful finding the user's db entry in the AD with the mail: I searched for:

(& (mail={0})(objectClass=organizationalPerson))

And got a lot of attributes about the user. But to check its password I need to execute a bind operation. And to do so I need the login name, or DN.

How do I resolve / get the login name of a user that I already found by its email address using python ldap3?

CodePudding user response:

You can log in using the Distinguished Name (DN) of the user object that you just discovered. This is the pointer to the LDAP object and it does not require a new search.

In python-ldap, this means you have to use:

entry[0]

to retrieve that DN value. Simply use that value plus the password that the user inputs to bind to the server.

If you want to log in using an attribute, you need to know the LDAP attribute name that contains the login name. For Active Directory, you can log in with:

  • sAMAccountName
  • userPrincipalName

Tip: typically, users will know their userPrincipalName (UPN) as it has an email-style format like [email protected] and it is not seldom the same as the email address (though not necessarily).

In python-ldap, this means you have to use:

entry[1]['userPrincipalName'][0]

for the first UPN value.

CodePudding user response:

After executing conn.search(...) you can get the user's DN with

conn.response[0]['dn']

Don't worry if it looks like

CN=username,OU=city,OU=company,DC=domain,DC=domain_ending

This is the DN. Also remember not to use authentication=NTLM when you log in with the DN. You might have used authentication=NTLM when binding the admin user to search with. Maybe the username is given as DOMAIN\adminuser. But that is not a DN! The DN looks like the example above.
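An added example (not code from either answer) that puts the two answers together with ldap3: the e-mail is escaped before it goes into the question's filter, the DN is read from conn.response while skipping referral items, and the password is checked by a simple bind as that DN. The server URI, base DN and service-account DN are placeholders, and the sample response is constructed.

```python
"""Resolve a user's DN by e-mail with ldap3, then check the password by binding as that DN."""

# RFC 4515 escapes for characters that are special inside a filter assertion value.
# Escaping the typed e-mail keeps it from changing the structure of the filter
# (ldap3 ships the same logic as ldap3.utils.conv.escape_filter_chars).
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_mail_filter(mail):
    """The question's filter, with the e-mail escaped."""
    return '(&(mail={})(objectClass=organizationalPerson))'.format(escape_filter_value(mail))


def dn_from_response(response):
    """Return the DN of the single entry in conn.response, or None.

    Against AD, conn.response often also carries 'searchResRef' referral items,
    which have no 'dn'; only 'searchResEntry' items count. Refuse ambiguous results.
    """
    entries = [item for item in response if item.get('type') == 'searchResEntry']
    if len(entries) != 1:
        return None
    return entries[0]['dn']


def authenticate_by_mail(server_uri, service_dn, service_password, base_dn, mail, user_password):
    """Look up the DN with a service account, then simple-bind as the user (not NTLM)."""
    from ldap3 import Server, Connection, ALL  # imported here so the helpers above run without ldap3
    server = Server(server_uri, get_info=ALL)
    with Connection(server, user=service_dn, password=service_password, auto_bind=True) as admin:
        admin.search(base_dn, build_mail_filter(mail), attributes=['userPrincipalName'])
        user_dn = dn_from_response(admin.response)
    # An empty password must never reach bind(): servers treat it as an unauthenticated bind.
    if user_dn is None or not user_password:
        return None
    user = Connection(server, user=user_dn, password=user_password)  # SIMPLE bind with the DN
    if user.bind():
        user.unbind()
        return user_dn
    return None


# Constructed sample of what conn.response can look like after the search above.
SAMPLE_RESPONSE = [
    {'type': 'searchResRef', 'uri': ['ldap://placeholder.example/DC=placeholder,DC=example']},
    {'type': 'searchResEntry', 'dn': 'CN=username,OU=city,OU=company,DC=domain,DC=domain_ending',
     'attributes': {'userPrincipalName': 'username@domain.domain_ending'}},
]
```

Call authenticate_by_mail(...) with your own server URI, service-account DN and base DN; it returns the user's DN on a successful bind and None otherwise.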
