I am creating a Java application that is able to log in to an LDAP server with the OpenDJ Client SDK, but I only have the Domain Name, User Name (also known as SAMAccountName), and Password. If you don't know what a domain login is, see this image:

[image: Windows login dialog with the user name entered as DOMAIN_NAME\USER_NAME]

You enter the user name field in the format DOMAIN_NAME\USER_NAME instead of just plain USER_NAME. An example of a Domain Name is: corp.fabrikam.com.

Now I need to know how to convert a Domain Name to a Distinguished Name (DN), because OpenDJ requires a Distinguished Name to connect to LDAP.

For example, the Distinguished Name for corp.fabrikam.com is: dc=corp, dc=fabrikam, dc=com.

It seems I just need to split it by ".", but I heard there is a thing called a Disjoint Domain:
http://technet.microsoft.com/en-us/library/cc731125%28v=ws.10%29.aspx

So the splitting trick might not be reliable here.

Also, a user in LDAP can be under an Organizational Unit (OU). Let's say user john belongs to the manager OU; the full user DN of john would then become like this:

uid=john, ou=manager, dc=corp, dc=fabrikam, dc=com

null

1 Answer

You should always refer to the RootDSE entry of the LDAP server to get information about the environment you are connecting to. The RootDSE entry is readable by anyone upon an anonymous bind (or a particular user, it does not really matter, as long as you are bound). It contains a lot of interesting stuff; the one you are looking for is defaultNamingContext.

Once bound, perform an LDAP read operation on the DN of an empty string: ''. If the framework of your choice provides some API to read the RootDSE, try to use that. It might be much simpler.

This might help you to get a kickstart: http://opendj.forgerock.org/opendj-ldap-sdk/apidocs/index.html I did not find any mention of defaultNamingContext on the OpenDJ documentation pages, but you might just get the information you are looking for via the getNamingContexts() method.

Note that the RootDSE is an LDAP feature; it's not implementation-specific.

Robert Rossmann
  • Hi, thank you. I found it in the documentation. But I have another question: what is the equivalent attribute for the login USER_NAME in LDAP? Is it **uid** or **cn**? I found out that uid is not unique but cn is. So if I have two entries with the same uid in LDAP, I will get into trouble connecting to the right entry. – null Apr 16 '13 at 07:10
  • This is implementation-specific. For Active Directory, the login name is either **samaccountname** (i.e. jsmith) or, with the domain part as well, **userprincipalname** (i.e. jsmith@example.com). PS. The CN attribute does not have to be globally unique - it only has to be unique for the relative part of the path (simply put, the RDN (which is the CN attribute for objectclass=user) has to be unique for the given container it resides in). – Robert Rossmann Apr 16 '13 at 11:47
  • You're right that cn is not unique. Then how about the login name in OpenDJ LDAP? I can't find any info about it. Could it mean it's free for us to decide? – null Apr 16 '13 at 15:24
  • I would expect that the uniqueness is defined somewhere in the directory schema, but as I have just discovered, for Active Directory, there is no such thing. So AD handles uniqueness for some attributes internally. You can read more about AD-specific unique attributes here: http://blogs.msdn.com/b/openspecification/archive/2009/07/10/understanding-unique-attributes-in-active-directory.aspx However, I do not know about any applicable OpenDJ documentation that could help you... I suspect, however, that a login name would be hard-coded somewhere to be unique. Just imagine the mess were it not. :) – Robert Rossmann Apr 16 '13 at 16:54