Thursday, February 3, 2011

Active Directory Login Problem

I have 2 users in my AD installation with the same CN

   CN=jack,CN=Users,DC=xyz,DC=com and 
   CN=jack,OU=abc,DC=xyz,DC=com

When I try to authenticate to the AD Server using the Apache Directory Studio client and give the following credentials

User: jack
Password: <password>

the authentication fails. The following credentials work

User: CN=jack,CN=Users,DC=xyz,DC=com
Password: <password>

When I have only a single user CN=tom,DC=xyz,DC=com with a given CN

I am able to login with

User: tom
Password: <password>

without having to specify the entire DN (CN=tom,DC=xyz,DC=com) .

I need to write a module to authenticate users against an AD installation. I have with me only the usernames and passwords and not the fully qualified BASE DNs. How do I do this, as the problem, it seems, happens when there is more than one user with the same CN?

EDIT: Can I configure the AD server to bind against the mail address of the users instead of the CN? This would solve my problem as mail addresses are unique while CNs are not.

  • I'm not sure what to say, mostly because it's hard to see exactly what you're asking.

    If your organisation creates 'duplicate' user names in different contexts/OUs, which is certainly allowable in AD, then any code you write will have to support working with usernames under different contexts.

    Whether or not that's a good idea or "correct" is a question for your organisation to decide internally.

    Stormshadow : To be more clear, let us assume that I have a list of user names and passwords with me and not the fully qualified Domain Names. I have to write a program to authenticate these users against AD. How would one accomplish this ?
    Chris Thorpe : You don't. It's insufficient user information to log the user in. At a bare minimum you would also need those users login context.
    Stormshadow : When there is only one user with given CN in the AD, I am able to login using only the username and password as I mentioned.
    Robert Moir : I'm sorry but what you're basically saying is that you want the computer to take an ambiguous ID that matches more than one account and somehow magically figure out what account you meant and login with that.
    Stormshadow : @Robert, I think I was not clear in my question, but what I wanted was a unique attribute for a user which could be used for login which I found --> userPrincipalName
  • The sAMAccountName of a user should be unique within a given domain, so you should be able to get the client to query AD based on the sAMAccountName and then use the full X.400 name you get back for authentication.

    If you have more than one domain, then you need domain + userID (sAMAccountName) to authenticate anyway.

    Stormshadow : I can use the filter (&(objectCategory=person)(objectClass=user)(sAMAccountName=jack)) to search by sAMAccountName but for doing this search I need to bind to the AD as a user.
    Richard Gadsden : The way that a windows domain member does it is that the computer has an account that it uses to bind to the AD, and then it does the query to get the CN from the sAMAccountName and then it binds as that user. (NB Simplification).
  • You're trying to use the relative distinguished name (RDN), not the CN. The relative distinguished name is unique within the OU (its relative path) but may not be unique within the domain. You should be using the distinguished name (DN), which is unambiguous and unique within the domain.

    http://technet.microsoft.com/en-us/library/cc977992.aspx

    From joeqwerty
  • I found the attribute I was looking for --> userPrincipalName (UPN) . This has a unique value in Active Directory and can be supplied as the user name while attempting to authenticate. So now I need a list of UPNs and the corresponding passwords for login.

    http://technet.microsoft.com/en-us/library/cc739093%28WS.10%29.aspx

  • In a user object of Active Directory, the sAMAccountName (logon name) and UPN (User Principal Name) are used for logon to the Active Directory domain.

    These properties of a user object must be unique in Active Directory.

    As in your question...

    CN=jack,CN=Users,DC=xyz,DC=com  
    CN=jack,OU=abc,DC=xyz,DC=com
    

    You created two user objects as above. The above syntax is DNs.

    Check the sAMAccountName (logon name) or UPN for those users. I mean the above users have different sAMAccountNames and UPNs. After checking the real sAMAccountName or UPN for those users, try to log on.

    P.S. Also, the DN is unique.

    From kj.park
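A worked version of the two approaches the answers settle on: the search-then-bind flow from the sAMAccountName answer (service account binds, resolves the logon name to a DN, then binds as that DN) and the direct bind with the unique userPrincipalName from the asker's own answer. This is an added example, not code from the thread or from any of its participants. It assumes the ldap3 Python library (a real package), and the server name, base DN and service account DN are placeholders. It starts from the search filter quoted in the comments and adds two checks the thread does not mention: RFC 4515 escaping of the user-supplied value (otherwise the logon name can rewrite the filter) and refusing an empty password, because a simple bind with a name and an empty password is an unauthenticated bind that AD answers with success.

```python
# Added example (not from the thread): search-then-bind and UPN bind against
# Active Directory using the ldap3 library. Server, base DN and the service
# account below are placeholders; replace them with your own.

_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into an LDAP search filter.

    Without this, a logon name such as  jack)(objectClass=*  rewrites the
    filter (LDAP injection) and the search may return an account the caller
    never named.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(logon_name: str) -> str:
    """The filter from the thread's comments, with the supplied value escaped."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(logon_name)}))"
    )


def check_password(password: str) -> str:
    """Refuse an empty password before it reaches the server.

    A simple bind with a name and an empty password is an 'unauthenticated'
    bind (RFC 4513 section 5.1.2); AD answers it with success, so a module
    that forwards an empty password accepts anyone who knows a logon name.
    """
    if not password:
        raise ValueError("empty password would perform an unauthenticated bind")
    return password


def pick_unique_dn(dns: list) -> str:
    """Require exactly one match; the thread's whole problem is ambiguity."""
    if len(dns) != 1:
        raise LookupError(f"expected exactly one account, found {len(dns)}")
    return dns[0]


def bind_as(server, identity: str, password: str) -> bool:
    """Simple bind as a DN, a UPN (jack@xyz.com) or DOMAIN\\jack; True on success."""
    from ldap3 import Connection  # imported here so the helpers above work without ldap3
    conn = Connection(server, user=identity, password=check_password(password))
    try:
        return conn.bind()
    finally:
        conn.unbind()


def authenticate_by_samaccountname(server, base_dn, service_dn, service_password,
                                   logon_name, password) -> bool:
    """Bind as the service account, resolve sAMAccountName to a DN, bind as that DN."""
    from ldap3 import Connection, SUBTREE
    check_password(password)  # fail closed before touching the directory
    svc = Connection(server, user=service_dn, password=service_password, auto_bind=True)
    try:
        svc.search(base_dn, build_user_filter(logon_name), search_scope=SUBTREE,
                   attributes=["distinguishedName"])
        user_dn = pick_unique_dn([entry.entry_dn for entry in svc.entries])
    finally:
        svc.unbind()
    return bind_as(server, user_dn, password)


if __name__ == "__main__":
    from ldap3 import Server, ALL
    server = Server("dc01.xyz.com", use_ssl=True, get_info=ALL)  # placeholder host
    # Placeholder credentials. The thread's "jack" exists twice as a CN, so the
    # search by sAMAccountName (unique per domain) decides which DN to bind with.
    ok = authenticate_by_samaccountname(
        server, "DC=xyz,DC=com",
        "CN=ldap-reader,CN=Users,DC=xyz,DC=com", "service-secret",
        "jack", "jacks-password")
    print("search-then-bind:", ok)
    # The asker's alternative: bind directly with the unique userPrincipalName.
    print("upn bind:", bind_as(server, "jack@xyz.com", "jacks-password"))
```

The service account only needs read access to the user objects; it never sees the user's password, which is sent only in the second bind. Use LDAPS (or StartTLS) for both binds, since a simple bind sends the password in the clear otherwise.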
