[GRLUG] Looking for LDAP/ActiveDirectory coders.

Adam Tauno Williams awilliam at whitemice.org
Fri Jul 3 06:21:15 EDT 2009


On Thu, 2009-07-02 at 22:49 -0400, Ben DeMott wrote:
> Right, but how for example in Active Directory would you obtain this
> information without Authenticating?
> If you authenticate (BIND), you are using a UserPrincipalName which
> looks like me at mycompany.local - which means you already know my
> Distinguished Name 

You don't need to know the DN to do a SASL bind; an LDAP whoami after a
bind should provide you with your DN.  In the case of AD, or many other
DSAs, the expected bind mech is GSSAPI (Kerberos) so a lot of the
binding operations should be automatic.

> or a combination of my samaaccountname and distinguished name (eek)
> So then isn't that defeating the purpose? or am I not aware of some
> manner to anonymously query Active Directory for its first DC ?

In AD's case I think you can discover this with DNS SRV; unfortunately
DNS SRV (which is wonderful!) isn't very well supported in any other
environment [one wonders why; it is simple, open, and really easy to
use and set up].  Besides AD, Jabber/XMPP is the only common use of SRV
records I can think of.

> And I was referring to all of the account attributes that are
> proprietary when I said they would be different - if nothing else ya
> gotta give me that samaaccountname is proprietary and still needed.

True, but you can do schema sensing via the subschema dn provided by the
rootDSE.  I haven't used it from Python but I thought the python-ldap
module supported subschema parsing.
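The three steps discussed in this message (find a DC with DNS SRV, bind with GSSAPI and ask whoami, then sense the schema through the rootDSE's subschemaSubentry) put together as an added example; it is not code from this thread or from python-ldap. The SRV name construction, the RFC 2782 ordering and the RFC 4512 attributeTypes parsing run offline on constructed sample data; live_directory_probe() assumes python-ldap, a Kerberos ticket and a reachable DC, and every function name here is my own.

```python
"""AD-aware LDAP client helpers: DC discovery via DNS SRV, GSSAPI bind plus
whoami, and schema sensing from the rootDSE's subschemaSubentry.

Added example for the grlug thread, not code from the thread or from
python-ldap.  The pure functions run offline on constructed data;
live_directory_probe() needs python-ldap and a real domain controller.
"""
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")


def dc_srv_names(domain, site=None):
    """Names a client queries to locate AD domain controllers.  AD publishes
    its DCs under the _msdcs subdomain; the site-specific name is tried first
    when the client's site is known, the plain RFC 2782 name last."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.{domain}")
    return names


def order_srv(records):
    """RFC 2782 client ordering: lowest priority first; within one priority
    the higher weight first.  A deterministic stand-in for the weighted random
    choice the RFC describes, so the result can be asserted on."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


# RFC 4512 AttributeTypeDescription: NAME 'x'  or  NAME ( 'x' 'y' )
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def attribute_names(attribute_types):
    """Every NAME from the attributeTypes values of a subschema entry,
    lower-cased (LDAP attribute names are case-insensitive)."""
    names = set()
    for desc in attribute_types:
        m = _NAME_RE.search(desc)
        if not m:
            continue
        if m.group(1) is not None:
            names.add(m.group(1))
        else:
            names.update(re.findall(r"'([^']*)'", m.group(2)))
    return {n.lower() for n in names}


def login_attribute(attribute_types):
    """Schema sensing: use AD's proprietary sAMAccountName when the schema
    defines it, fall back to uid (inetOrgPerson), else refuse to guess."""
    names = attribute_names(attribute_types)
    for candidate in ("sAMAccountName", "uid"):
        if candidate.lower() in names:
            return candidate
    return None


# Constructed sample subschema fragments (one AD-style, one OpenLDAP-style).
AD_SAMPLE = [
    "( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' "
    "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
]
OPENLDAP_SAMPLE = [
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) "
    "DESC 'RFC1274: user identifier' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )",
]


def live_directory_probe(uri):
    """GSSAPI bind without knowing any DN, whoami, then read the subschema
    the rootDSE points at.  Needs python-ldap and a Kerberos ticket; never
    called by the offline test.  Caveat: AD answers whoami with
    'u:DOMAIN\\user' rather than a 'dn:' form, so do not parse it as a DN."""
    import ldap
    import ldap.sasl

    conn = ldap.initialize(uri)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    me = conn.whoami_s()
    root = conn.search_s("", ldap.SCOPE_BASE, "(objectClass=*)", ["subschemaSubentry"])
    subschema_dn = root[0][1]["subschemaSubentry"][0].decode()
    sub = conn.search_s(subschema_dn, ldap.SCOPE_BASE, "(objectClass=*)", ["attributeTypes"])
    types = [t.decode() for t in sub[0][1]["attributeTypes"]]
    return me, login_attribute(types)
```

The offline parts are what an application would run before ever binding: query the SRV names in order, bind GSSAPI to the first reachable target, and only then decide whether to search on sAMAccountName or uid. Note that on AD the whoami extended operation returns a `u:DOMAIN\user` authorization identity rather than a DN, so a client that needs its own DN must still search for its account (on sAMAccountName) after binding.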


