Dan Cutler  
Newsgroups: perl.ldap
From: DCut...@intelimedix.com (Dan Cutler)
Date: Thu, 14 Apr 2011 18:55:12 +0000
Local: Thurs, Apr 14 2011 2:55 pm
Subject: RE: basic question about binding without knowing the DN
Mark,

Wow.  I remember having the EXACT same thoughts some years ago.

As it turns out, the process that happens when a user logs in is somewhat "shielded" from the average user.  Once you find out what is really happening, you'll gain some great insights into LDAP processes.

It is quite typical to not allow anonymous searches.  This is usually a good idea.

Behind the scenes, "authenticating" requires three things:

An LDAP server that houses your "account"
An identifier called a "DN" (aka Distinguished Name) that represents the unique identifier of your account
A valid password.

What can be quite puzzling is the DN.

Nearly every LDAP authentication script I write follows a process like this:

Collect the user's login name and passwd.
Bind to the directory using a known "system account" and "system" password.
Search the directory for this user (the login name is unique) and return its "DN".
If the DN is found, use it as a parameter and bind again as the actual user (you).

Does this help?

--Dan

-----Original Message-----
From: Mark Inaba [mailto:min...@nyx.com]
Sent: Thursday, April 14, 2011 1:23 PM
To: 'perl-l...@perl.org'
Subject: basic question about binding without knowing the DN

hello perl-ldap mailing list,

i'm wondering if i'm trying to do the impossible, even though it seems like this might be a common situation.
i'm trying to verify a user/password by having the user bind to an ldap server. the problem is that just given a username, i can't guess the DN because the DN's components have values that could be many things:
example:
CN=mark,OU=paris,OU=short,...,DC=partA,DC=foo,DC=com
CN=mike,OU=new york,OU=tall,...,DC=partB,DC=foo,DC=com

it seems that all of this is necessary for me to bind (i can't just use CN=mark,DC=foo,DC=com and try a password against all matches sigh)
so if i get another user, i don't know what sort of OU values his/her DN will have. also, the DC's might be different too.

here are the wrinkles that make it harder:
1) anon bind is turned off, so i can't search around for promising matches and use their DN
2) they don't want a generic 'read' account to log in because they don't want the password in a file.
     but i might be ok if:
     a) though if script is not called by user i might be able to convince them to use o-r.
     b) if the final server is sasl aware, i might be able to use an encrypted string in the script

but here's why i think it MIGHT be possible... using the windows program: ldap.exe
i noticed that i'm able to bind filling in only the fields:
USER: mark
PASSWORD: mypassword
DOMAIN: parta.foo.com

so unless the application knows some secret settings...how does it authenticate me without my telling it my full DN?
if i knew that i think i could write my perl script that checks every user against
DOMAIN: parta.foo.com and partb.foo.com

thanks for any help :)
-mark (not in paris...alas..)
Please consider the environment before printing this email.

Visit our website at http://www.nyse.com

****************************************************

Note:  The information contained in this message and any attachment to it is privileged, confidential and protected from disclosure.  If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by replying to the message, and please delete it from your system.  Thank you.  NYSE Euronext.
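The three-step "system bind, search for the DN, bind again as the user" process Dan describes above, written out as an added Net::LDAP example. This is not code from the thread or from the perl-ldap project. The host name, the service-account DN, the login attribute (sAMAccountName is assumed; many non-Active-Directory servers use uid) and the CA bundle path are assumptions to be replaced with your own directory's values; the search base reuses the DC=foo,DC=com suffix from Mark's example DNs.

```perl
#!/usr/bin/env perl
# Added example, not from the thread: Dan's two-bind pattern with Net::LDAP.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $HOST       = 'ldap.example.com';                                  # assumed
my $BASE_DN    = 'DC=foo,DC=com';                                     # suffix from Mark's example
my $SYSTEM_DN  = 'CN=svc-auth,OU=Service Accounts,DC=foo,DC=com';    # assumed service account
my $SYSTEM_PW  = $ENV{LDAP_SYSTEM_PW} // die "set LDAP_SYSTEM_PW in the environment\n";
my $LOGIN_ATTR = 'sAMAccountName';                                    # assumed; 'uid' on many directories
my $CA_FILE    = '/etc/ssl/certs/ca-certificates.crt';                # assumed CA bundle

# Returns 1 if $login/$password are valid, 0 if not.
# Dies on directory errors so an outage is never reported as "wrong password".
sub authenticate {
    my ($login, $password) = @_;

    # An empty password turns a simple bind into an unauthenticated bind,
    # which many servers accept; never let that count as a successful login.
    return 0 if !defined $password || $password eq '';

    my $ldap = Net::LDAP->new($HOST, port => 389) or die "connect: $@";
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $CA_FILE);
    die 'start_tls: ' . $mesg->error if $mesg->code;

    # Step 1: bind with the known system account.
    $mesg = $ldap->bind($SYSTEM_DN, password => $SYSTEM_PW);
    die 'system bind: ' . $mesg->error if $mesg->code;

    # Step 2: search for the user's DN. The login name is escaped so that
    # characters such as '*', '(' or ')' cannot change the filter's meaning.
    $mesg = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => sprintf('(%s=%s)', $LOGIN_ATTR, escape_filter_value($login)),
        attrs  => ['1.1'],    # '1.1' requests no attributes: we only want the DN
    );
    die 'search: ' . $mesg->error if $mesg->code;

    # Exactly one match is required; zero or several matches means refuse.
    if ($mesg->count != 1) {
        $ldap->unbind;
        return 0;
    }
    my $user_dn = $mesg->entry(0)->dn;

    # Step 3: bind again as the user; the server verifies the password.
    $mesg = $ldap->bind($user_dn, password => $password);
    my $ok = $mesg->code ? 0 : 1;
    $ldap->unbind;
    return $ok;
}

# Usage: LDAP_SYSTEM_PW=... perl auth.pl <login> <password>
if (@ARGV == 2) {
    print authenticate(@ARGV) ? "authenticated\n" : "rejected\n";
}
1;
```

Two points Mark raised are reflected in the design: the system-account password is read from the environment rather than written into the script, and the search result is only trusted when it is unambiguous, since binding against "all matches" is exactly what the DN lookup is meant to avoid. The empty-password check matters because a simple bind with a DN and no password is treated by LDAP servers as unauthenticated, not as a failed login.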


 