
Authenticating with Active Directory using user log-on name instead of display name


I am writing a program in C++ that connects to an Active Directory server, searches for content, and then dumps that content to terminal. My problem has been that the only way I have been able to successfully authenticate and connect is with a user's display name (e.g. Test User). I would like to change this authentication method to use the user's logon name instead (e.g. [email protected]).

Here is the code that is responsible for setting up the session:

#include <ldap.h>   // LDAP client API header (OpenLDAP; <winldap.h> when building against Wldap32 on Windows)

// char arrays rather than char* pointing at string literals: the bind call takes a
// non-const char*, and assigning a string literal to char* is ill-formed in modern C++.
char _hostName[] = "The_Computer_Name";
char _dn[]       = "CN=Test User,DC=EXAMPLE,DC=COM";
char _ps[]       = "The_Password123";

// _pLdapConnection is an LDAP* member of ldap_Query; LdapQueryException is the
// class's own exception type, constructed from a C string.
int ldap_Query::session_init() {

    if (_pLdapConnection != nullptr) return 0;   // session already established

    _pLdapConnection = ldap_init(_hostName, LDAP_PORT);
    if (_pLdapConnection == nullptr) {
        // ldap_init returned no handle, so there is nothing to pass to
        // ldap_get_option; report the failure directly.
        throw LdapQueryException("ldap_init failed");
    }

    // Simple bind: the bind identity must be the user's full DN plus password.
    unsigned long lRtn = ldap_simple_bind_s(_pLdapConnection, _dn, _ps);
    if (lRtn != LDAP_SUCCESS) {
        ldap_unbind(_pLdapConnection);
        _pLdapConnection = nullptr;
        throw LdapQueryException(ldap_err2string(lRtn));
    }

    return 0;
}

I think what I'm looking for is called the User-Principal-Name, but have not seen an example of using this to authenticate. I've tried just replacing _dn with "CN=tuser,DC=EXAMPLE,DC=COM", but have had no luck with that.

Thanks for any help!


Solution

  • You can't do an LDAP bind with the UPN name directly.

    When you do a simple bind to the directory via LDAP you need to use the fully qualified DN of the user you are binding as and their password.

    To use the userprincipalname the way you want you need to search for the user either with a service account or anonymously (if it is allowed) with their supplied userprincipalname attribute.

    Search with something like this.

    (&(objectclass=user)(userprincipalname=<supplied value>))
    

    Get the DN from the resulting user entry if you get a match and then bind the user.
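Because the `<supplied value>` in that filter comes straight from the user, the search step in the two-step flow above should escape it per RFC 4515 before it is handed to `ldap_search_s`, so that a value like `*)(objectclass=*` cannot widen the match to other accounts. The following is an added example, not code from the question or the answer; the function names and sample UPNs are constructed for illustration.

```cpp
#include <cstdio>
#include <string>

// Escape one assertion value for use inside an LDAP search filter (RFC 4515 section 3).
// '*', '(', ')', '\' and NUL must be written as \XX; bytes outside printable ASCII are
// escaped the same way, which the filter grammar also permits.
std::string ldapFilterEscape(const std::string& value) {
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value) {
        bool mustEscape = (c == '*' || c == '(' || c == ')' || c == '\\' ||
                           c < 0x20 || c >= 0x7f);
        if (mustEscape) {
            char buf[4];                              // "\XX" plus terminating NUL
            std::snprintf(buf, sizeof buf, "\\%02x", c);
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Build the filter from the answer above for the UPN the user typed in. The
// resulting string is what the service-account search passes as its filter;
// the DN of the single matching entry is then used for the user's own bind.
std::string buildUpnFilter(const std::string& upn) {
    return "(&(objectclass=user)(userprincipalname=" + ldapFilterEscape(upn) + "))";
}

int main() {
    // Constructed sample inputs: a normal UPN and a hostile one.
    std::printf("%s\n", buildUpnFilter("tuser@example.com").c_str());
    std::printf("%s\n", buildUpnFilter("*)(objectclass=*").c_str());
    return 0;
}
```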