Active Directory authentication with Apache: why I need to use a full name (user at domain)

Tags: active-directory, apache-2.2, authentication

We use Apache 2.2 for authentication against Active Directory.
The configuration is following:

AuthFormLDAPURL "ldap://*.*.*.*:389/DC=domain,DC=com?userPrincipalName,sAMAccountName?sub?(objectClass=*)"

Note: All traces below using WireShark.

I defined the user john, where the CN is equal to the sAMAccountName:

[screenshot]

I can authenticate using only john (sAMAccountName). Please find below the LDAP bind request:

[screenshot]

LDAP bind response:

[screenshot]

Then I defined the user johnd, where the CN is NOT equal to the sAMAccountName:

[screenshot]

Unfortunately, I cannot authenticate using johnd (sAMAccountName). Please find below the LDAP bind request:

[screenshot]

LDAP bind response:

[screenshot]

I can authenticate using the full name johnd@domain.com. Please find below the LDAP bind request:

[screenshot]

LDAP bind response:

[screenshot]

Questions:

  1. Why can I not authenticate using the sAMAccountName when the CN is NOT equal to the sAMAccountName?
  2. Why can I authenticate using sAMAccountName@domain in this case?
  3. Should we recommend that our users always authenticate using sAMAccountName@domain to prevent these authentication problems?

Thanks for your help!

Best Answer

When performing LDAP simple bind, AD does not try to match the passed name against the sAMAccountName attribute without any suffixes. However, it could try to find a match against displayName, which worked for you in the first test (where it looked like a match against sAMAccountName, because values of those attributes were the same).

The precise description of name matching rules used when handling LDAP simple binds can be found in the Microsoft documentation: http://msdn.microsoft.com/en-us/library/cc223499.aspx

Using UPN is probably more reliable, because displayName might contain some human-readable string (e.g., the full name of a person) and is not guaranteed to be unique. The DOMAIN\USERNAME form should also be unique, but depends on NetBIOS domain names, which are considered to be obsolete now.
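The following is an added example, not code from the question or the answer: a small Python model of the name resolution the answer describes, limited to the three forms it mentions (UPN, DOMAIN\sAMAccountName, displayName), run against a constructed directory that mirrors the john/johnd users from the question. The domain names and user entries are assumptions.

```python
# Added example: model of AD simple-bind name matching as described above,
# restricted to UPN, NetBIOS DOMAIN\sAMAccountName and displayName.
# A bare sAMAccountName is deliberately NOT a recognised form.
# DIRECTORY is constructed sample data, not the asker's real AD.

DNS_DOMAIN = "domain.com"      # assumed AD DNS domain
NETBIOS_DOMAIN = "DOMAIN"      # assumed NetBIOS name of that domain

# "john": CN == sAMAccountName (displayName happens to equal the login name)
# "johnd": CN "John Doe" != sAMAccountName
DIRECTORY = [
    {"dn": "CN=john,CN=Users,DC=domain,DC=com", "sAMAccountName": "john",
     "userPrincipalName": "john@domain.com", "displayName": "john"},
    {"dn": "CN=John Doe,CN=Users,DC=domain,DC=com", "sAMAccountName": "johnd",
     "userPrincipalName": "johnd@domain.com", "displayName": "John Doe"},
]


def resolve_simple_bind_name(name, directory=DIRECTORY):
    """Return the DN the bind name maps to, or None if there is no unique match."""
    name_l = name.lower()
    # Form 1: user principal name (user@dns.domain)
    matches = [u for u in directory if u["userPrincipalName"].lower() == name_l]
    if not matches and "\\" in name:
        # Form 2: NetBIOS DOMAIN\sAMAccountName
        dom, _, sam = name.partition("\\")
        if dom.upper() == NETBIOS_DOMAIN:
            matches = [u for u in directory if u["sAMAccountName"].lower() == sam.lower()]
    if not matches and "@" not in name and "\\" not in name:
        # Form 3: displayName. This is the only way a bare "john" gets matched;
        # it is not unique and need not look like the login name at all.
        matches = [u for u in directory if u["displayName"].lower() == name_l]
    # A bare sAMAccountName that differs from displayName, or several users
    # sharing a displayName, both resolve to None (bind fails).
    return matches[0]["dn"] if len(matches) == 1 else None


def normalize_to_upn(login, dns_domain=DNS_DOMAIN, netbios_domain=NETBIOS_DOMAIN):
    """Turn whatever the user typed into an unambiguous UPN before binding."""
    if "@" in login:
        return login
    if "\\" in login:
        dom, _, sam = login.partition("\\")
        if dom.upper() != netbios_domain:
            raise ValueError("unknown NetBIOS domain: %s" % dom)
        return "%s@%s" % (sam, dns_domain)
    return "%s@%s" % (login, dns_domain)
```

Normalizing the login to a UPN in front of the bind (as normalize_to_upn does) is what makes "johnd" succeed regardless of what the CN or displayName contains.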