Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things

Re: Authenticate Active Directory

by strat (Canon)
on Jul 20, 2006 at 08:42 UTC ( #562524=note: print w/replies, xml ) Need Help??

in reply to Authenticate Active Directory

What is your webserver and OS? Maybe you could use the webserver's authentication to log on, then create an ActiveDirectory group of users who are allowed to log on.

If not, I'd recommend ADSI over LDAP (only works with Windows servers). If the AD consists of only one domain, LDAP will work fine; but if there are several domains, with LDAP you'll need to know to use one server for each domain. But with ADSI, you can first search the Global Catalog for the samAccountName or userPrincipalName, and then use the user's ADsPath to bind to the AD and authenticate the user.

If you have to use Net::LDAP, it is safer to use Version2 for writing and searching because AD normally doesn't use utf8 but iso-latin-1 as encoding; and if you want to search or write non-ascii-chars like umlauts, you will get problems with Ldap-Version3)

Update: with ADSI and some AD configurations, there exists a security feature/problem that the explicit logon to the AD doesn't work and is silently converted to the user which runs the script on the webserver. I don't know the name of this option, but usually find it out by trying to log on as a different user and then manually check the event-security log of the AD-Domaincontroller once to see if I can do such a log on. But there must be a better solution to find out which user is currently logged on on the AD via ADSI

Best regards,
perl -e "s>>*F>e=>y)\*martinF)stronat)=>print,print v8."

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://562524]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (6)
As of 2018-05-27 00:25 GMT
Find Nodes?
    Voting Booth?