Ldap – How to figure out the LDAP connection string

active-directoryconnection-stringsldap

We're on a corporate network thats running active directory and we'd like to test out some LDAP stuff (active directory membership provider, actually) and so far, none of us can figure out what our LDAP connection string is. Does anyone know how we can go about finding it? The only thing we know is the domain that we're on.

Best Answer

The ASP.NET Active Directory Membership Provider does an authenticated bind to the Active Directory using a specified username, password, and "connection string". The connection string is made up of the LDAP server's name, and the fully-qualified path of the container object where the user specified is located.

The connection string begins with the URI LDAP://.

For the server name, you can use the name of a domain controller in that domain-- let's say "dc1.corp.domain.com". That gives us LDAP://dc1.corp.domain.com/ thusfar.

The next bit is the fully qualified path of the container object where the binding user is located. Let's say you're using the "Administrator" account and your domain's name is "corp.domain.com". The "Administrator" account is in a container named "Users" located one level below the root of the domain. Thus, the fully qualified DN of the "Users" container would be: CN=Users,DC=corp,DC=domain,DC=com. If the user you're binding with is in an OU, instead of a container, the path would include "OU=ou-name".

So, using an account in an OU named Service Accounts that's a sub-OU of an OU named Corp Objects that's a sub-OU of a domain named corp.domain.com would have a fully-qualified path of OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com.

Combine the LDAP://dc1.corp.domain.com/ with the fully qualified path to the container where the binding user is located (like, say, LDAP://dc1.corp.domain.com/OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com) and you've got your "connection string".

(You can use the domain's name in the connection string as opposed to the name of a domain controller. The difference is that the domain's name will resolve to the IP address of any domain controller in the domain. That can be both good and bad. You're not reliant on any single domain controller to be up and running for the membership provider to work, but the name happens to resolve to, say, a DC in a remote location with spotty network connectivity then you may have problems with the membership provider working.)

Related Solutions

Ldap – Where does Active Directory-integrated DNS store its data

Here is an article I found that may get you started. I can never remember the path to the records off the top of my head.

As it mentions basically you can find your DNS information in the AD at this path.

DC=<ZoneName>,cn=MicrosoftDNS,cn=System,<DomainDN>,

So if you had a domain example.org you would see it at.

DC=example.org,CN=MicrosoftDNS,CN=System,DC=example,DC=org

Your questions:

Is any DNS entry an actual LDAP object?

Your zones will have a object class of dnsZone. Under the zone there will be all your records stored as the class dnsNode.

Can they be accessed using LDAP tools such as ADSIEdit?

Yes, fire up adsiedit or ldp and browse to the above location.

Ldapsearch against Active Directory fails authentication + search params wrong

Well, there are a few things that could be wrong with this:

You are specifying simple authentication, but you are not providing a password and you are not telling ldapsearch either to collect a password from the command line. Does the user John_Marshall not have a password? If he does have one, it has to be provided somehow. Either specify -w <passsword> or -W (to enter a password at a prompt).
Is the users binddn really cn=John_Marshall,dc=Americas? In our AD, just as an example, my own binddn would be "dn: CN=Wolfgang Schulze-Zachau,CN=Users,DC=aminocom,DC=com", i.e. there is no underscore between first name and surname
A binddn of "cn=John_Marshall,dc=Americas" is possible, but looks a bit short to me. Of course, this all depends on how your AD is configured. Can you verify that this really is the DN for that user? When you look at AD Users and Computers, what is the complete list of tree items leading to that user?
If you don't specify a filter, you'll get a list of all items that are in the searchbase. That could be a very long list.

OP Edit:

The correct incantation that worked was:

[John_Marshall@WN7-BG3YSM1 ~]$ ldapsearch -x -h <new_ip_addr> \
-D "Americas\John_Marshall" -W \
-b "cn=John_Marshall,ou=users,ou=austin,dc=amer,dc=MyComanyName,dc=com" \
mail telephonenumber ""

Best Answer

Related Solutions

Ldap – Where does Active Directory-integrated DNS store its data

Ldapsearch against Active Directory fails authentication + search params wrong

OP Edit:

Related Topic