
I am implementing a login procedure based on Active Directory. The user will type in his mail.

I was already successful in finding the user's DB entry in the AD with the mail - I searched for:

(& (mail={0})(objectClass=organizationalPerson))

and got a lot of attributes about the user.

But to check the user's password I need to execute a bind operation. And to do so I need the login name, or DN.

How do I resolve / get the login name of a user that I have already found by its email address using python ldap3?

marc_s
EinEsellesEniE

2 Answers


You can log in using the Distinguished Name (DN) of the user object that you just discovered. This is the pointer to the LDAP object and it does not require a new search.

In python-ldap, this means you have to use:

entry[0]

to retrieve that DN value. Simply use that value plus the password that the user inputs to bind to the server.

If you want to log in using an attribute, you need to know the LDAP attribute name that contains the login name. For Active Directory, you can log in with:

  • sAMAccountName
  • userPrincipalName

Tip: typically, users will know their userPrincipalName (UPN) as it has an email-style format like name@domain.com and it is not seldom the same as the email address (though not necessarily).

In python-ldap, this means you have to use:

entry[1]['userPrincipalName'][0]

for the first UPN value.

mvreijn

After executing conn.search(...) you can get the user's DN with

conn.response[0]['dn']

Don't worry if it looks like

CN=username,OU=city,OU=company,DC=domain,DC=domain_ending

This is the DN. Also remember not to use authentication=NTLM when you log in with the DN. You might have used authentication=NTLM when binding the admin user to search with. Maybe the username is given as DOMAIN\adminuser. But that is not a DN! The DN looks like the example above.

AzureIP