LDAP get Users DN by Username and Domainname

Question

I have some understanding problems of LDAP. When i use an Active Directory Server i can bind with username@domain and a password.

When i use ApacheDS i must give it the full DN of the user and a password.

So i have the folowing Questions:

• How do i find out the full dn of a User on a ApacheDS Server with anonymous privilegs and only the knowledge of username, domain (and password)?
• Is this evenposible? Is the ApacheDS Server even made to be an
• alternative to Active Directory?

Answer 1

As marabu said you can simulate the authentication using a search on the directory before doing the bind.

You can also look for SASL authentication which provides other ways to authenticate.

Here are a list of ApacheDS supported SASL mechanism : http://directory.apache.org/apacheds/advanced-ug/4.1.2-sasl-authn.html

Answer 2

Generally, LDAP authentication is done in two steps:

1. Map a given unique user identifier (uid) to its distinguished name using a search operation with a filter like (&(objectClass=user)(uid=%s))
2. Use a bind operation with that dn to authenticate against your LDAP server.

Active Directory comes with a convenience feature: You can bind using a couple of supported identifiers and AD will do the mapping internally for you.

ApacheDS isn't a plug-and-play substitute for AD, but it's extensible. A Java developer can easily write an authentication interceptor providing the same internal mapping as AD.