Thanks for all the great work with the LDAP SDK. Not an LDAP question per se: I use the whoami extension and, on Active Directory, I get the NetBIOS format, domain\sAMAccountName. Usually I get example\user. When the user is in a different domain, I get eng\user (where eng is probably eng.example.com). How do you look up this user using LDAP commands? I cannot search using sAMAccountName. Thanks much
Unfortunately, I’m not really an Active Directory expert.
I do know that despite LDAPv3 requiring the “name” component of a simple bind request to be a DN, Active Directory lets you violate that requirement and provide the “domain\sAMAccountName” value instead. So if you do have that value, you can use that in place of the user’s DN when binding. However, it doesn’t seem like you can use it in place of a DN in other contexts (for example, as the base DN of a search request), so just being able to bind as that user isn’t sufficient for being able to retrieve the entry for that user.
The only thing that I see is to split the “domain\sAMAccountName” value into its two components and perform a subtree search with a base DN of “dc=${domain},dc=example,dc=com” and a filter of “(sAMAccountName=${sAMAccountName})”, but you already said that you can’t search using sAMAccountName, so I’m not sure if there are any alternatives.
Searching by (samAccountName=<samAccountName value>) should not be an issue. Do it every day.
However, "When the user is in a different domain" needs to be clarified.
If the "different domain" is a sub-domain, then you can probably perform a search for the user against the Global Catalog:
https://technet.microsoft.com/pt-pt/library/cc728188%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
If the user is not in a subdomain, LDAP cannot be used.
--
-jim
Jim Willeke
On Mon, Sep 10, 2018 at 11:48 AM Neil Wilson dirmgr@users.sourceforge.net wrote:
Thanks Jim Willeke, it was the last scenario; not a subdomain. I do have a two-way trust between these domains. What good is it if I cannot search ;-(
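Neil's split-and-search suggestion combined with Jim's pointer to the Global Catalog, written out as an added example with the UnboundID LDAP SDK (Java). This is not code from the thread or from the SDK project; the hostnames, ports, forest root DN and credentials are placeholders. One refinement over guessing "dc=${domain},dc=example,dc=com": the NetBIOS domain name is resolved to the domain's naming context through the forest's crossRef objects (CN=Partitions,CN=Configuration,...), because the NetBIOS name is not guaranteed to equal the DNS label. Caveat for the last reply in the thread: the Global Catalog only holds domains of its own forest, so for a domain reachable only through an external trust the same sAMAccountName search has to be sent to a domain controller of that domain, and its NetBIOS name will not appear in this forest's crossRef objects.

```java
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;

/** Resolves the "DOMAIN\sAMAccountName" that AD returns from Who Am I to the user's entry. */
public final class ResolveWhoAmI {

  /** The two halves of a "DOMAIN\sAMAccountName" authorization ID. */
  static final class NtName {
    final String netbiosDomain;
    final String sAMAccountName;
    NtName(String netbiosDomain, String sAMAccountName) {
      this.netbiosDomain = netbiosDomain;
      this.sAMAccountName = sAMAccountName;
    }
  }

  /** Parses "u:ENG\jdoe" (AD prefixes the value with "u:") or "ENG\jdoe"; rejects anything else. */
  static NtName parseAuthzId(String authzId) {
    String value = authzId.startsWith("u:") ? authzId.substring(2) : authzId;
    int sep = value.indexOf('\\');
    if (sep <= 0 || sep == value.length() - 1) {
      throw new IllegalArgumentException("not a DOMAIN\\sAMAccountName value: " + authzId);
    }
    return new NtName(value.substring(0, sep), value.substring(sep + 1));
  }

  /**
   * Maps a NetBIOS domain name to that domain's naming context. "ENG" may be eng.example.com
   * or something else entirely, so rather than guessing "dc=eng,dc=example,dc=com" we read the
   * forest's crossRef objects, which record the mapping. Only this forest's domains are listed.
   */
  static DN domainDnForNetbiosName(LDAPConnection conn, DN forestRoot, String netbiosName)
      throws LDAPException {
    String partitions = "CN=Partitions,CN=Configuration," + forestRoot;
    Filter filter = Filter.createANDFilter(
        Filter.createEqualityFilter("objectClass", "crossRef"),
        Filter.createEqualityFilter("nETBIOSName", netbiosName));
    SearchResult result = conn.search(partitions, SearchScope.ONE, filter, "nCName");
    if (result.getEntryCount() != 1) {
      throw new LDAPException(ResultCode.NO_SUCH_OBJECT,
          "no crossRef in this forest for NetBIOS domain " + netbiosName);
    }
    return new DN(result.getSearchEntries().get(0).getAttributeValue("nCName"));
  }

  /**
   * Who Am I -> split -> subtree search under the domain's naming context on the Global Catalog
   * (port 3268), which holds a partial replica of every domain in the forest.
   */
  static SearchResultEntry findSelf(LDAPConnection dc, LDAPConnection gc, DN forestRoot)
      throws LDAPException {
    WhoAmIExtendedResult who =
        (WhoAmIExtendedResult) dc.processExtendedOperation(new WhoAmIExtendedRequest());
    NtName nt = parseAuthzId(who.getAuthorizationID());
    DN domainDn = domainDnForNetbiosName(gc, forestRoot, nt.netbiosDomain);
    // createEqualityFilter escapes '*', '(', ')', '\' and NUL, so an attacker-chosen account
    // name cannot rewrite the filter; never build the filter by string concatenation.
    Filter filter = Filter.createEqualityFilter("sAMAccountName", nt.sAMAccountName);
    SearchResult result = gc.search(domainDn.toString(), SearchScope.SUB, filter,
        "distinguishedName", "objectSid", "userPrincipalName");
    if (result.getEntryCount() != 1) {
      throw new LDAPException(ResultCode.NO_RESULTS_RETURNED,
          "expected exactly one entry for " + nt.netbiosDomain + "\\" + nt.sAMAccountName
              + ", got " + result.getEntryCount());
    }
    return result.getSearchEntries().get(0);
  }

  public static void main(String[] args) throws LDAPException {
    // Placeholder host, ports and credentials. AD accepts DOMAIN\sAMAccountName as the
    // simple-bind name, as the thread notes; 389 is the DC, 3268 the Global Catalog.
    try (LDAPConnection dc = new LDAPConnection("dc1.example.com", 389);
         LDAPConnection gc = new LDAPConnection("dc1.example.com", 3268)) {
      dc.bind("EXAMPLE\\jdoe", "password");
      gc.bind("EXAMPLE\\jdoe", "password");
      SearchResultEntry me = findSelf(dc, gc, new DN("DC=example,DC=com"));
      System.out.println(me.getDN());
    }
  }
}
```

A simple bind sends the password in the clear, so in anything but a lab use LDAPS (636 for the DC, 3269 for the Global Catalog) or StartTLS rather than the plaintext ports shown. The Who Am I request is sent on the DC connection because that is the connection whose bound identity you want to resolve; the Global Catalog connection may be bound as any account that can read the configuration partition and the target domain's user objects.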