From: Johnson, B. K <bri...@lm...> - 2003-03-14 03:00:29
Constructing a DN can be somewhat problematical in AD as users MAY be distributed among multiple domains and OUs in an AD forest. I take the tack in my code of using the NT domain and username as search keys to find the user's DN and then authenticate. The combination of NT domain and username is unique in AD. In order for this simple code to work as it is, anonymous queries must be enabled in AD. Here is some example code:

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my ($domain, $user, $pass, $execnode) = @ARGV;

# Build search filter. The caller-supplied values are escaped so that
# characters such as "*" or ")" in a username cannot change the filter.
my $filter = sprintf "(&(userPrincipalName=*%s*)(sAMAccountName=%s))",
    escape_filter_value($domain), escape_filter_value($user);

# Port 3268 is the Global Catalog, which covers the whole forest.
my $port = 3268;
print "NODE:$execnode PORT: $port\n";

# Get the user's DN via anonymous bind to Active Directory.
# Set the DN to null.
my $dn = "";

# For performance reasons limit the data returned to the sAMAccountName.
my @attr = ("sAMAccountName");

my $ldap = Net::LDAP->new($execnode, port => $port, debug => 0, version => 3);
if ($ldap) {
    # bind() always returns a Net::LDAP::Message; success is a zero result code.
    my $result = $ldap->bind();    # anonymous bind
    if (!$result->code) {
        # An empty base with subtree scope searches the whole forest on the GC port.
        my $mesg = $ldap->search(base => "", filter => $filter,
                                 scope => "sub", attrs => \@attr);
        foreach my $entry ($mesg->all_entries) {
            $dn = $entry->dn;
        }
        $ldap->unbind;
    } else {
        print "Anonymous Bind Failed to $execnode\n";
    }
} else {
    print "Initial connect to $execnode failed\n";
}
print "DN: $dn\n";

# Do an authenticated bind to a domain controller if we have a DN. Use port 3268
# so that the controller responds as a Global Catalog Server. IF you have no network firewalls
# ANY domain controller will authenticate any user in any domain in the forest.
if ($dn) {
    $ldap = Net::LDAP->new($execnode, port => $port, debug => 0, version => 3);
    if ($ldap) {
        my $result = $ldap->bind(dn => $dn, password => $pass);
        my $err = $result->code;
        if ($err) {
            if ($err == 49) {    # LDAP_INVALID_CREDENTIALS
                print "Incorrect username and/or password (49)\n";
            } else {
                print "ERROR:$err\n";
            }
        } else {
            print "Authenticated!\n";
        }
        $ldap->unbind;
    } else {
        print "Initial connect to $execnode failed\n";
    }
} else {
    print "No user found that corresponds to $user\n";
}

-----Original Message-----
From: Rick Tatem [mailto:Ric...@sa...]
Sent: Thursday, March 13, 2003 2:31 PM
To: per...@li...
Subject: RE: Active Directory authentication via UNIX

Your DN syntax is probably wrong... backwards, actually. Try "cn=MY_USER_ID,dc=MY_DOMAIN_SUFFIX,dc=MY_DOMAIN" instead (like "cn=Joe User,dc=company,dc=com").

I've actually been working on a proxy to handle this very thing (i.e. take an anonymous bind to Active Directory and use a general-use account instead). It also proxies to the Global Catalog port, instead of the general LDAP port, since, in AD, port 389 only gives access to the domain level, not the entire forest. I'll tidy it up and share it soon, if there's interest.

Rick
---
Rick Tatem
Messaging and Directory Resources

-----Original Message-----
From: Jason Jolly [mailto:jas...@ho...]
Sent: Thursday, March 13, 2003 5:14 PM
To: Ken Cornetet
Cc: per...@li...
Subject: Re: Active Directory authentication via UNIX

Thanks Ken. I wasn't aware of that.......

You don't, by chance, happen to know how to determine what dc / cn information should be used for the connection:

$ldap->bind(dn=>"dc=MY_DOMAIN,dc=MY_DOMAIN_SUFFIX,cn=MY_USER_ID", password=>"MY_PASSWORD")

on the Active Directory side (AD browser, etc)? I've talked to my NT administrator and he states this is correct, but this syntax always fails and I get this sinking feeling that I'm doing something wrong that is *VERY* easy....

thnx,
~j
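The two string-handling steps this thread turns on, as an added Python example that is not code from any of the posters: forming the Global Catalog search filter from the Perl script with the caller-supplied values escaped per RFC 4515, and assembling a user DN in the RDN order Rick describes (leaf "cn=" first, "dc=" components last) with values escaped per RFC 4514. The function names are assumptions of this example.

```python
# Added example: safe construction of the search filter and DN discussed in
# the thread. Not part of Net::LDAP or of any poster's code.

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(nt_domain: str, sam_account: str) -> str:
    """Filter the script sends: UPN contains the NT domain, sAMAccountName is exact.

    The wildcards around the domain belong to the script itself; the values
    coming from the caller are escaped, so a username of "*" matches only a
    literal asterisk instead of every account.
    """
    return "(&(userPrincipalName=*%s*)(sAMAccountName=%s))" % (
        escape_filter_value(nt_domain), escape_filter_value(sam_account))


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514 section 2.4."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith((" ", "#")):       # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):  # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def build_user_dn(cn: str, dns_domain: str, container: str = "") -> str:
    """Build "cn=<user>[,<container>],dc=<label>,...": most specific RDN first.

    Real AD accounts sit under cn=Users or some OU, passed here as container
    (e.g. "ou=Staff"). Not knowing that container up front is exactly why the
    Perl script searches for the DN instead of constructing it.
    """
    rdns = ["cn=" + escape_dn_value(cn)]
    if container:
        rdns.append(container)
    rdns.extend("dc=" + escape_dn_value(label) for label in dns_domain.split("."))
    return ",".join(rdns)
```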