Easy way to test an LDAP User's Credentials

Question

Is there an easy way to test the credentials of a user against an LDAP instance? I know how to write a Java program that would take the 'User DN' and password, and check it against the LDAP instance. However is there any easier way? Specially a method that not only authenticates the user, but also lists all the user's roles.

score 105 · Answer 1 · edited Jan 14 '16 at 21:14

105

ldapwhoami -vvv -h <hostname> -p <port> -D <binddn> -x -w <passwd>, where binddn is the DN of the person whose credentials you are authenticating.

On success (i.e., valid credentials), you get Result: Success (0). On failure, you get ldap_bind: Invalid credentials (49).

edited Jan 14 '16 at 21:14

Garrett Hyde

5,409
8
49
55

answered Jul 04 '14 at 18:21

Yuvika

5,624
2
16
21

At least on my system, providing an empty username and/or password ("") causes ldapwhoami to return "Result: Success (0)" if the server is reachable. – Stephen May 09 '19 at 04:18
@Garrett Hyde, could you share an example with a mock DN? – ndemarco Jan 28 '20 at 14:41
1

@NicholasDeMarco Here's an example DN: `uid=john.doe,ou=People,dc=example,dc=com`. – Garrett Hyde Jan 28 '20 at 16:57
4

For me `ldapwhoami -D 'cn=username,ou=users,dc=compagny,dc=com' -x -W` – themadmax Nov 24 '20 at 14:50

score 17 · Answer 2 · answered Apr 29 '13 at 11:02

17

Use ldapsearch to authenticate. The opends version might be used as follows:

ldapsearch --hostname hostname --port port \
    --bindDN userdn --bindPassword password \
    --baseDN '' --searchScope base 'objectClass=*' 1.1

answered Apr 29 '13 at 11:02

Terry Gardner

10,957
2
28
38

This way the password can be viewed in cleartext in the process list? – Kiril Jun 10 '14 at 07:06
10

@Kiril I think substitute `--bindPasswrd password` with `-W` (prompt for password) would fix the problem. – ibic Jan 06 '17 at 08:14

score 12 · Answer 3 · edited Jan 20 '16 at 18:33

12

You should check out Softerra's LDAP Browser (the free version of LDAP Administrator), which can be downloaded here :

http://www.ldapbrowser.com/download.htm

I've used this application extensively for all my Active Directory, OpenLDAP, and Novell eDirectory development, and it has been absolutely invaluable.

If you just want to check and see if a username\password combination works, all you need to do is create a "Profile" for the LDAP server, and then enter the credentials during Step 3 of the creation process :

enter image description here

By clicking "Finish", you'll effectively issue a bind to the server using the credentials, auth mechanism, and password you've specified. You'll be prompted if the bind does not work.

edited Jan 20 '16 at 18:33

Daniel De León

13,196
5
87
72

answered May 03 '13 at 21:58

X3074861X

3,709
5
32
45

2

This does **not** work: This will only check if the user specified has permissions to list user information from LDAP, which isn't granted per se by Active Directory for instance. In that case authentication may still fail while the user credentials are valid. – Sebazzz Jun 21 '16 at 13:27
No. This command issues a full directory bind, just like a standard login attempt would. If you do not have permissions to view the base directory, you'll just see a blank screen. – X3074861X Jun 21 '16 at 15:57
Great answer! Didn't know that application. Thank you so much! – ClownCoder Feb 13 '18 at 19:59
Nice app - do you know any alternatives for it on Mac? – emmdee May 01 '18 at 03:30

score 7 · Answer 4 · answered Apr 12 '19 at 19:17

7

Note, if you don't know your full bind DN, you can also just use your normal username or email with -U

ldapsearch -v -h contoso.com -U turiya.gouw@contoso.com -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'

answered Apr 12 '19 at 19:17

turiyag

2,757
2
22
21

score 3 · Answer 5 · answered Apr 27 '13 at 11:16

3

Authentication is done via a simple ldap_bind command that takes the users DN and the password. The user is authenticated when the bind is successfull. Usually you would get the users DN via an ldap_search based on the users uid or email-address.

Getting the users roles is something different as it is an ldap_search and depends on where and how the roles are stored in the ldap. But you might be able to retrieve the roles during the lap_search used to find the users DN.

answered Apr 27 '13 at 11:16

heiglandreas

3,803
1
17
23

Thanks for your reply. What I'm really looking for is a tool where I can type the user DN, and password, and the tool would test and see if the user can be authenticated with those credentials. This is a very easy tool to develop; so I was hoping that there is already such a tool. – user1888243 Apr 27 '13 at 18:45
The tool is called ldap_bind. – user207421 Apr 27 '13 at 21:37
Unix/Linux offer 'ldapsearch' (mostly from openLDAP), with the proper options you don't see the password in the 'history' of 'process list' – Bernhard Thalmayr Apr 28 '16 at 17:27
@heiglandreas The `ldap_bind` command is not found on my system, is this a C function from OpenLDAP library ? – SebMa Jul 28 '22 at 09:52

Mohammed Noureldin · Answer 6 · 2022-09-20T22:25:46.047

1

For some reason, the accepted answer does not work, the arguments are not exactly the same (at least in Linux Alpine). This command should work:

ldapsearch -v -H ldap://dc1.MYDOMAIN.com -D "cn=Administrator,cn=Users,dc=MYDOMAIN,dc=com" -x -w SomeP@ssWord -Z -d 4

This is very helpful for debugging LDAP, as it outputs exactly the issue if there is any.

edited Sep 20 '22 at 22:25

answered Sep 20 '22 at 21:53

Mohammed Noureldin

14,913
17
70
99

Easy way to test an LDAP User's Credentials

6 Answers6