I have an active directory that looks a little like this:
gdcmpny.com
|__GoodCompany
|
|__NYC
| |__Users
|
|__SF
|__Users
When a user sends me his username+password, i cant know if he's under NYC/Users or SF/Users. Is there a way to compound a string like this:
CN=Users,OU=%s,OU=GoodCompany,DC=gdcmpny,DC=com
so the ldap request will look in both NYC/Users and SF/Users? Or do I have to specify the exact absolute path?
I am using Go to send the request, with the package github.com/jtblin/go-ldap-client.
Thanks!
string formatting, like:
CN=Users,OU=%s,OU=Goenter code hereodCompany,DC=gdcmpny,DC=com
isn't supported, but I can simply don't specify the whole hierarchy in my request.
This is what worked for me:
OU=GoodCompany,DC=gdcmpny,DC=com
Unfortunately not on Microsoft Active Directory.
There is a thing called ExtensibleMatch, but not supported on Microsoft Active Directory.
-jim
You do not need to use the fully qualified DN for LDAP binds against an Active Directory server. You can use sAMAccountName and userPrincipalName values to authenticate to AD LDAP... provided you've got a single tree in a single forest, these are formed by concatenating the user-provided logon ID with a string.
For the AD domain gdcmpny.com with legacy domain name GDCMPNY, the user with logon ID MyUserName has userPrincipalName MyUserName@gdcmpny.com and sAMAccountName of GDCMPNY\MyUserName regardless of where their ID resides within the directory structure.
In cases where you've got multiple domains within the forest and cannot simply know the proper string to add to the user ID, you can bind under a known system credential, search for the user-supplied logon ID, and return the fully qualified DN (FQDN) of the matching entry. Then use the FQDN with the user-supplied password to validate the user's credentials.