I have a piece of legacy code on an internal app that needs to be revised. Before I redo the whole thing, is there an easy way to accomplish binding to AD where the OU can vary depending on the user who is authenticating? The setup is pretty standard:

my($mesg) = $ldap->bind ("cn=$uid,ou=Workers,ou=Domain Users,dc=something,dc=com", password => "$psswd");

Not all users are in the "Workers" OU. Some are in a different OU... Basically what I am wondering is if there is an "if-then-else" routine for binding to AD from Perl. I would prefer not to set up a third-party account for the purpose of searching for this if it can be avoided... But almost all the documentation I have read seems to point to this method of login. Any ideas or suggestions?

  • What's the actual problem here? Your code already shows a variable $uid, what's the problem with having a variable $ou? Commented Apr 24, 2012 at 8:44
  • Since the users that are authenticating might be in different OUs, I would need to have them specify what OU they are in so they could authenticate. That's an extra step I don't want to have them take. Commented Apr 25, 2012 at 12:19
  • So in other words you don't want a 'variable OU' at all, you want to filter against a number of possible OUs, or possibly against all available OUs? Commented Apr 25, 2012 at 12:42
  • That is correct. Maybe the choice of words was not the best. It would be optimal if there was a way to bind to AD without needing to specify the OU... or attempt to bind against all possible OUs. This legacy script was never written for AD, but has since been converted to use it. That is probably part of the problem. Commented Apr 25, 2012 at 12:57

2 Answers

You don't need to specify the full DN to AD. The username should be sufficient.

3 Comments

Changed it to ($uid, password => $psswd). Getting error "Died because LDAP_INVALID_CREDENTIALS:The wrong password was supplied or the SASL credentials could not be processed" Triple checked the password. Doesn't appear to be working. Is that specific to LDAP or any AD bind in general?
This is a Windows thing. You can use ldp.exe from the Windows RSAT / support tools to validate the bind. You might need to prefix with <domain>\ to make it work.
I have tried it as 'something.com\\$uid' and '$uid\@something.com'. Both to no avail. Thanks for the suggestion though.
This is known as a "simple" bind request, which takes as parameters a distinguished name and the credentials for the distinguished name. Zero or more request controls can be included with the bind request. Construct a variable called $distinguishedName before the bind request is transmitted, transmit the bind request, process the response, and process any response controls included with the response:

my $namingContext = "ou=domain users,dc=something,dc=com";
# $cn and $ou are the per-user parts, e.g. "cn=$uid" and "ou=Workers" as in the question
my $distinguishedName = sprintf "%s,%s,%s", $cn, $ou, $namingContext;
# Net::LDAP takes the credentials as a named 'password' option, not a positional argument
my $bindResult = $ldap->bind($distinguishedName, password => $credentials);
die "bind failed: " . $bindResult->error if $bindResult->code;   # check the result code before proceeding
# handle any response controls attached to the bind response ...

2 Comments

Thanks for the suggestion. With this method, is it possible to change the OU and attempt to bind again if the first bind result is invalid?
Yes. A connection is unauthenticated until the authentication state is set by a successful bind request. If the LDAP client is using LDAPv3, the connection authentication state is changed by each successive successful bind request, subject to any limitations set by the server. If the LDAP client requires information about the authentication state of the connection, the Who Am I? extended operation can be used to discover the authentication state, assuming that the server supports the extended operation and authorizes its use.
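The question asks for a bind that works without the user naming their OU, and the answer above notes that a connection can simply be re-bound after a failed attempt and that Who Am I? reports the resulting authentication state. The following Perl script is an added example illustrating both points; it is not code from the question or either answer. It tries a UPN first and then a list of candidate OUs, but stops as soon as AD reports anything other than "no such account" (AD returns LDAP_INVALID_CREDENTIALS for every failed simple bind and puts the real cause in the diagnostic text as `data 525`, `data 52e` and so on), so a wrong password is never retried against other containers. The host name, CA file, realm, base and OU list are placeholders, and the script requires a verified TLS channel because a simple bind sends the password in the clear.

```perl
#!/usr/bin/perl
# Added example (not from the original question or answers): bind a user to AD
# over TLS, trying a UPN first and then a list of candidate OUs, stopping early
# on a genuine wrong-password result so repeated attempts do not drive lockout.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);
use Net::LDAP::Extension::WhoAmI;

# Assumed values: host, CA file, realm, base and OU list are placeholders.
my $host   = 'dc01.something.com';
my $cafile = '/etc/ssl/certs/corp-ca.pem';
my $realm  = 'something.com';
my $base   = 'ou=Domain Users,dc=something,dc=com';
my @ous    = ('ou=Workers', 'ou=Contractors', 'ou=Admins');   # candidate containers

# AD reports every failed simple bind as LDAP_INVALID_CREDENTIALS (49) and
# puts the actual reason in the diagnostic message as "data NNN".
my %ad_reason = (
    '525' => 'no such account at this DN',
    '52e' => 'wrong password',
    '530' => 'logon time restriction',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'password must be reset',
    '775' => 'account locked out',
);

sub ad_subcode {
    my ($error) = @_;
    return $error =~ /\bdata ([0-9a-f]+)\b/i ? lc $1 : '';
}

# Returns the DN or UPN that bound successfully, or undef plus the
# reason for the last failure.
sub authenticate_user {
    my ($ldap, $uid, $password) = @_;

    # An empty password turns a simple bind into an unauthenticated bind,
    # which AD accepts; never let that count as a successful login.
    return (undef, 'empty password rejected') unless defined $password && length $password;

    # Reject characters that would change the meaning of the assembled DN.
    return (undef, 'invalid characters in user name') if $uid =~ /[,=+<>#;"\\\r\n]/;

    my @candidates = ("$uid\@$realm", map { "cn=$uid,$_,$base" } @ous);

    my $last = 'no candidate tried';
    for my $who (@candidates) {
        my $mesg = $ldap->bind($who, password => $password);
        return ($who, 'ok') if $mesg->code == LDAP_SUCCESS;

        my $sub = ad_subcode($mesg->error);
        $last = sprintf '%s: %s', $who, $ad_reason{$sub} // $mesg->error;

        # Only "no such account" justifies trying the next OU; a wrong password
        # or a disabled/locked account means the DN was right, and further
        # attempts would only add bad-password counts to that account.
        last unless $mesg->code == LDAP_INVALID_CREDENTIALS && $sub eq '525';
    }
    return (undef, $last);
}

my ($uid, $psswd) = @ARGV;
die "usage: $0 <uid> <password>\n" unless defined $psswd;

my $ldap = Net::LDAP->new($host, version => 3) or die "connect: $@";

# Simple binds send the password in the clear; require a verified TLS channel.
my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
die 'start_tls: ' . $tls->error if $tls->code;

my ($bound_as, $why) = authenticate_user($ldap, $uid, $psswd);
if (defined $bound_as) {
    # Confirm which identity the connection now carries (RFC 4532 Who Am I?).
    my $me = $ldap->who_am_i;
    printf "authenticated as %s (server says: %s)\n",
        $bound_as, $me->code ? 'unknown' : $me->response;
} else {
    print "authentication failed: $why\n";
}
$ldap->unbind;
```

Run it as `perl adbind.pl jsmith 'secret'` against a test account. The empty-password check matters: Net::LDAP (like most LDAP clients) sends a DN with no password as an unauthenticated bind, which the server answers with success, so a login form that forwards a blank field straight into `bind` grants access as anonymous. The early `last` keeps a user whose DN was found but whose password was wrong from being retried in every other OU, and the parsed `data` sub-code gives the application a precise reason to log without echoing the raw server message to the user.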
