Tips and Tricks for LDAP/Active Directory

TRY TO USE LDAPSEARCH to find your LDAP directory Tree and Authentication Test

You can simulate the Bweb authentication method with the Ldapsearch tool, please check the following example:

ldapsearch -x -b "CN=Users,DC=supportlab,DC=baculasystems,DC=com" -H ldap://XXX.XXX.XXX.XXX -D
"CN=ad-admin,CN=users,DC=supportlab,DC=baculasystems,DC=com" -w "password" sAMAccountName=*

The above command will list all users under "CN=Users,DC=supportlab,DC=baculasystems,DC=com", if you set to "sAMAccountName=user", you will see the ldif card of the user.

With the ldapsearch tool, you can check if the base DN is correctly set and if the user can access the AD Directory and read the directory tree.

Check the following pictures and URLs to help you get better acquainted with the Ldapsearch tool: https://linux.die.net/man/1/ldapsearch

# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=supportlab,DC=baculasystems,DC=com> with scope subtree
# filter: cn=pedro
# requesting: ALL
#

# pedro, Users, supportlab.baculasystems.com
dn: CN=pedro,CN=Users,DC=supportlab,DC=baculasystems,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: pedro
sn: Oliveira
givenName: Pedro
distinguishedName: CN=pedro,CN=Users,DC=supportlab,DC=baculasystems,DC=com
instanceType: 4
whenCreated: 20180403151958.0Z
whenChanged: 20201102162912.0Z
displayName: Pedro Oliveira
uSNCreated: 53322
uSNChanged: 2789194
name: pedro
objectGUID:: zp8x/XPKw06N5KqzVbLSXQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131673917475251005
lastLogoff: 0
lastLogon: 131673917773373354
pwdLastSet: 132488081524100730
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAARJDCrCTkmXj8FpvsXQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pedro
sAMAccountType: 805306368
userPrincipalName: pedro@supportlab.baculasystems.com
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=supportlab,DC=baculasy
stems,DC=com
dSCorePropagationData: 20200824131529.0Z
dSCorePropagationData: 20181127035418.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 131673917773373354

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
../../../../../_images/image.png

  • auth.backend.ldap.hostname: server address

  • auth.backend.ldap.base-dn: tree were are the user saved

  • auth.backend.ldap.filter: filter to apply to obtain the users

  • auth.backend.ldap.bind-dn: login to use to bind to LDAP server

  • auth.backend.ldap.bind-pw: associated password

auth.backend.ldap.bind-dn and auth.backend.ldap.bind-pw parameters are only necessary if the LDAP server require a specific account to be able to access the different information.

Go back to: LDAP/Active Directory - Authentication.