Authenticating against ActiveDirectory - can't read userPassword/unicodePwd?

Hello list,

So, the application I am working on right now needs to have LDAP authentication built in, meaning that if the user enabled it, we will query his basic data (email, pwd) on a user-set-up LDAP directory. It used to work fine when I was testing with OpenLDAP. The code, essentially, is this:

    # bind with the application's own credentials, then look for an entry
    # whose userPassword and mail both match what the user typed
    connection.bind(self.bind_dn, self.password)
    connection.search2(self.base_dn, 1, "(&(userPassword=#{password})(mail=#{email}))", nil, false, 5, 5000)

It binds and then searches for the user by mail and password. The entries must have userPassword and mail attributes. It’s part of the core schema (I guess), so it works fine on OpenLDAP.

I then went to test with Active Directory. I thought it would be basically the same stuff, since it is an LDAP server too and speaks the same protocol. The issue, however, is that, even though we had an entry with mail and the password set, it was just not authenticating. I then changed the query to:

    connection.search2(self.base_dn, 1, "(mail=#{email})", nil, false, 5, 5000)

And then it did return the user entry.

The issue is the userPassword attribute (or is it unicodePwd?). From what I’ve read, you just can’t read it from an AD directory. If that’s true, how could LDAP authentication be implemented against an Active Directory repository?

I would appreciate some enlightenment :)

Cheers,

Marcelo.

Hi Matt, thanks for the reply,

The issue is solved. Fact is, you just can’t read the userPassword / unicodePwd in an LDAP search on Active Directory. The solution was to just directly use bind to authenticate, something along these lines:

    # create the connection, then authenticate by binding directly as the
    # user with the credentials he supplied
    connection.bind('user@domain', 'password')

Where user is the givenName attribute, and domain is the AD domain. This works fine and authenticates the user. So, no need to bind as rootdn and search for the user and compare against the userPassword :)

Issue solved!

Thanks,

Marcelo.

On Apr 5, 8:27 pm, Marcelo de Moraes S. [email protected]
wrote:

> And then it did return the user entry.
>
> The issue is the userPassword attribute (or is it unicodePwd?). From what
> I’ve read, you just can’t read it from an AD directory. If that’s true, how
> could LDAP authentication be implemented against an Active Directory
> repository?

Typically, you’d want to store the user password as a hash (see http://users.ameritech.net/mhwood/ldap-sec-setup.html for some details) and then bind to the server with the appropriate DN (based on the email) and password.

This page:
http://www.mhsoftware.com/caldemo/manual/en/470.htm

may also be handy; it describes how to get a correct DN for
ActiveDirectory.

Hope this helps!

–Matt J.
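As an added example (not code from this thread or from Ruby/LDAP), here is the search-then-bind flow Matt describes, which also covers Marcelo's direct bind: the application binds with a low-privilege service account, looks the user up by mail, then binds as the user's own DN with the supplied password, so no password attribute is ever read. FakeLdapConn, LdapBindError and the directory contents are constructed stand-ins so the code runs offline; with Ruby/LDAP you would pass a real LDAP::Conn and rescue LDAP::ResultError instead. The mail value is escaped per RFC 4515 before it goes into the filter, which the interpolated filter in the original post did not do.

```ruby
# Constructed error class standing in for LDAP::ResultError from Ruby/LDAP.
class LdapBindError < StandardError; end

# Constructed in-memory stand-in for LDAP::Conn (bind / search2) so the code
# runs offline. Directory shape: { dn => { mail: "...", password: "..." } }.
class FakeLdapConn
  def initialize(directory)
    @dir = directory
    @bound = nil
  end

  def bind(dn, password)
    entry = @dir[dn]
    raise LdapBindError, 'invalid credentials' unless entry && entry[:password] == password
    @bound = dn
  end

  # Understands only the "(mail=value)" filter built below: decodes RFC 4515
  # \xx escapes and matches the mail value literally, like a real server.
  def search2(base_dn, _scope, filter, _attrs, _attrsonly, _sec, _usec)
    raise LdapBindError, 'not bound' unless @bound
    m = filter.match(/\A\(mail=(.*)\)\z/) or return []
    mail = m[1].gsub(/\\([0-9a-f]{2})/) { Regexp.last_match(1).hex.chr }
    @dir.select { |dn, e| dn.end_with?(base_dn) && e[:mail] == mail }
        .map { |dn, e| { 'dn' => [dn], 'mail' => [e[:mail]] } }
  end
end

# RFC 4515 escaping for a value placed inside a filter; the thread's
# "(userPassword=#{password})" interpolated raw input instead.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Look the account up by mail under a low-privilege service bind, then prove
# the password by binding as the account's own DN. Returns the DN or nil;
# no password attribute is ever read (AD would not return one anyway).
def ldap_authenticate(conn, base_dn, service_dn, service_pw, mail, password)
  return nil if password.to_s.empty? # empty password = anonymous bind, not a login
  conn.bind(service_dn, service_pw)
  filter = "(mail=#{ldap_filter_escape(mail)})"
  entries = conn.search2(base_dn, 2, filter, ['dn'], false, 5, 0) # 2 = subtree scope
  return nil unless entries.length == 1
  conn.bind(entries.first['dn'].first, password)
  entries.first['dn'].first
rescue LdapBindError
  nil
end
```

The empty-password check matters in practice because an LDAP simple bind with a DN and an empty password is treated as an anonymous bind and succeeds on many servers, including AD by default.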