Ldap – sAMAccountName requires DOMAIN\ to authenticate

Tags: active-directory, authentication, ldap, pam-krb

I am trying to integrate SLES with a Windows Active Directory server for authentication purposes.

We need to use sAMAccountName as the login name, but it's unable to bind if we don't give DOMAIN\sAMAccountName on the ldapsearch command. But my application's login window does not support giving a domain name before the user. I have configured ldap.conf and krb5.conf to provide authentication. Is there any way to add "DOMAIN\" to the beginning of the sAMAccountName by default for binding?

This is working fine:
ldapsearch -x -LLL -h adserver.customer.entp.tgc -D CUSTOMER\EXT123456 -w password -b "dc=customer,dc=entp,dc=tgc"

Thanks for your answers in advance.

nynonur

Best Answer

I don't know the details of your application, but it sounds to me like it is not compatible with Active Directory.

Read the public documentation for ADS_NAME_TYPE_ENUM.

Those are the login name formats that you are allowed to log in with. "EXT123456" is not one of them.

I know that you think "EXT123456" is logging in with a sAMAccountName, but it actually is not. Look at the documentation again. There actually is no valid login format that fits the "EXT123456" (or "johndoe") pattern.

Just "username" by itself is not a valid login format. Well, actually it is a valid login format... for the user's Display Name.

Active Directory will actually attempt to resolve that to a Display Name (ADS_NAME_TYPE_DISPLAY).

So if you cannot make your application accept either a domain prefix or a UPN suffix, or ask your users to log in with their display names... Active Directory does not just assume that a bare string "johndoe" is a sAMAccountName.

But you are not alone. Most folks assume that logging in to AD with no domain prefix or UPN somehow magically maps to sAMAccountName. But it does not. If you want to see how this works for yourself, use ldp.exe, and perform simple binds using a user account whose display name is different from their sAMAccountName, and do not supply a domain name. Which one lets you in? It's the display name.
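The asker wants a bare sAMAccountName turned into a form Active Directory will bind with; the answer names the two forms that work, the NT4-style DOMAIN\user prefix and the user@domain UPN suffix. The following is an added example, not code from the question, the answer or any of the tools they mention: it classifies a login string into those forms, normalizes a bare name to DOMAIN\user (or a UPN) on the client side before the bind, and builds the ldapsearch command line from the question with the user's own name RFC 4515-escaped in the filter. The domain, host and base DN are placeholders modelled on the question's command; CUSTOMER as the NetBIOS name is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders modelled on the question's ldapsearch line; not real infrastructure.
NETBIOS_DOMAIN = "CUSTOMER"            # assumed NT4-style (pre-Windows 2000) domain name
DNS_DOMAIN = "customer.entp.tgc"       # UPN suffix
LDAP_HOST = "adserver.customer.entp.tgc"
BASE_DN = "dc=customer,dc=entp,dc=tgc"


@dataclass(frozen=True)
class AdLogin:
    form: str               # "nt4" (DOMAIN\user), "upn" (user@domain) or "bare"
    domain: Optional[str]
    user: str


_NT4 = re.compile(r"^([^\\@]+)\\([^\\@]+)$")
_UPN = re.compile(r"^([^\\@]+)@([^\\@]+)$")


def classify_login(login: str) -> AdLogin:
    """Work out which of the AD login name forms a string is in."""
    login = login.strip()
    if not login:
        raise ValueError("empty login name")
    m = _NT4.match(login)
    if m:
        return AdLogin("nt4", m.group(1), m.group(2))
    m = _UPN.match(login)
    if m:
        return AdLogin("upn", m.group(2), m.group(1))
    if "\\" in login or "@" in login:
        raise ValueError(f"malformed login name: {login!r}")
    # No prefix or suffix: AD will not treat this as a sAMAccountName on its own.
    return AdLogin("bare", None, login)


def bind_identity(login: str, style: str = "nt4") -> str:
    """Return a name AD accepts for a simple bind, prefixing or suffixing a bare name."""
    parsed = classify_login(login)
    if parsed.form != "bare":
        return login.strip()              # already DOMAIN\user or user@domain; leave it alone
    if style == "nt4":
        return f"{NETBIOS_DOMAIN}\\{parsed.user}"
    if style == "upn":
        return f"{parsed.user}@{DNS_DOMAIN}"
    raise ValueError(f"unknown style {style!r}; use 'nt4' or 'upn'")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot change the search filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldapsearch_argv(login: str, style: str = "nt4") -> List[str]:
    """argv for an ldapsearch that binds as the user and looks up the user's own entry.
    -W prompts for the password instead of exposing it in the process list as -w does."""
    parsed = classify_login(login)
    return [
        "ldapsearch", "-x", "-LLL",
        "-H", f"ldap://{LDAP_HOST}",
        "-D", bind_identity(login, style),
        "-W",
        "-b", BASE_DN,
        f"(sAMAccountName={escape_filter_value(parsed.user)})",
    ]


if __name__ == "__main__":
    for name in ("EXT123456", "CUSTOMER\\EXT123456", "ext123456@customer.entp.tgc"):
        print(f"{name!r:40} -> {bind_identity(name)!r}")
    print(" ".join(ldapsearch_argv("EXT123456")))
```

When the resulting command is typed into a POSIX shell, the DOMAIN\user argument must be single-quoted or the backslash doubled, since an unquoted backslash is consumed by the shell and the server would see the domain and user run together. Binding as the user only proves the credentials; applications that need the user's entry afterwards typically run the escaped sAMAccountName search under a dedicated read-only account and then bind with the DN the search returns.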