Authenticating against ActiveDirectory - can't read userPassword/unicodePwd?

rubyonrails-talk
1

Hello list,

So, the application I am working on right now needs to have LDAP authentication build in, meaning that if the user enabled it, we will query about his basic data (email,pwd) on a user-setup LDAP directory. It used to work fine when I was testing with OpenLDAP. The code, essentially, is this:

    connection.bind(self.bind_dn,self.password)
    connection.search2(self.base_dn,1,"(& (userPassword=#{password}) (mail=#{email}))",nil,false,5,5000)

It binds and then searches for the user by mail and password. The entries must have a userPassword and mail attributes. It’s part of the core schema (I guess), so it works fine on OpenLDAP.

I then went to test with Active Directory. I thought it would be basically the same stuff, since it is a LDAP server too and speaks the same protocol. The issue, however, is that, even though we had an entry with mail and the password set, it was just no authenticating. I then changed the query to:

    connection.search2(self.base_dn,1,"(mail=#{email})",nil,false,5,5000)

And then it did return the user entry.

The issue is the userPassword attribute (or is it unicodePwd?). From what I’ve read, you just can’t read it from an AD directory. If that’s true, how could LDAP authentication be implemented against an Active Directory repository?

I would appreciate some enlightenment :slight_smile:

Cheers,

Marcelo.

2

Typically, you'd want to store the user password as a hash (see http://users.ameritech.net/mhwood/ldap-sec-setup.html for some details) and then bind to server with the appropriate DN (based on the email) and password.

This page: http://www.mhsoftware.com/caldemo/manual/en/470.htm

may also be handy; it describes how to get a correct DN for ActiveDirectory.

Hope this helps!

--Matt Jones

3

Hi Matt, thanks for the reply,

The issue is solved. Fact is, you just can’t read the userPassword / unicodPwd in a LDAP search on Active Directory. The solution was to just directly use bind to authenticate, something along these lines:

#create connection connection.bind(‘user@domain’,‘password’)

Where user is the givenName attribute, and domain is the AD domain. This works fine and authenticates the user. So, no need to bind as rootdn and search for the user and compare agains the userPassword :slight_smile:

Issue solved!

Thanks,

Marcelo.