[python-ldap] sAMAccountName in DN for Bind

Anurag Chourasia anurag.chourasia at gmail.com
Mon Apr 22 20:23:10 CEST 2013


Dear Michael,

Thanks for your response. Your answer clarified it all.

I was mixing up the bind operation with search.

What I should have done is bind using a fixed user and then search across
users for a match against sAMAccountName in order to authenticate a
particular user, but now it becomes more clear to me.

Thanks again.
Guddu

On Mon, Apr 22, 2013 at 1:10 PM, Michael Ströder <michael at stroeder.com> wrote:

> Anurag Chourasia wrote:
> > Is *sAMAccountName* not allowed in the DN for bind operation?
>
> What is allowed in a DB is entirely up to the server's schema checking.
>
> So this is a question you have to ask the LDAP server vendor.
>
> > If I use a DN =
> > "*CN=Guddu,OU=Users,OU=Central,OU=CL,DC=company,DC=corp*" then
> > I am able to bind and do a search operation also.
> >
> > However, if I use a DN=
> > "*sAMAccountName=Guddu,OU=Users,OU=Central,OU=CL,DC=company,DC=corp*"
> > then I get a *ldap.INVALID_CREDENTIALS* error
>
> Does entry
> sAMAccountName=Guddu,OU=Users,OU=Central,OU=CL,DC=company,DC=corp
> actually exist?
>
> I suspect you expect some special magic which isn't there.
> But better ask your LDAP server vendor.
>
> > I can confirm that the user has the attribute *sAMAccountName=Guddu* for
> > sure.
>
> That's not how LDAP simple bind works in general.
>
> There is some special non-standard feature in AD to use the user's
> principal name in a simple bind request. Not sure whether that works with
> ADAM though.
>
> Ciao, Michael.
>
>
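
The search-then-bind flow this thread arrives at, as an added example that is not part of either poster's message or of python-ldap itself. The service-account DN, the passwords and `FakeConn` are constructed so the block runs offline; against a real directory, pass something like `lambda: ldap.initialize(uri)` as `connect`.

```python
# Added example: bind as a fixed account, search on sAMAccountName, re-bind as the hit.
try:
    import ldap  # python-ldap, if installed
    INVALID_CREDENTIALS, SCOPE_SUBTREE = ldap.INVALID_CREDENTIALS, ldap.SCOPE_SUBTREE
except ImportError:  # fallback so the demo below runs without python-ldap
    SCOPE_SUBTREE = 2
    class INVALID_CREDENTIALS(Exception):
        pass

def escape_filter(value):
    """RFC 4515 escaping, so a login name cannot rewrite the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)

def authenticate(connect, base_dn, svc_dn, svc_pw, username, password):
    """Return the user's DN if `password` verifies, else None."""
    if not username or not password:
        return None  # an empty password is an unauthenticated bind; servers may accept it
    conn = connect()
    try:
        conn.simple_bind_s(svc_dn, svc_pw)  # fixed (service) user
        flt = '(&(objectClass=user)(sAMAccountName=%s))' % escape_filter(username)
        hits = [dn for dn, _ in conn.search_s(base_dn, SCOPE_SUBTREE, flt, ['cn']) if dn]
    finally:
        conn.unbind_s()
    if len(hits) != 1:  # no match, or an ambiguous one: refuse
        return None
    conn = connect()
    try:
        conn.simple_bind_s(hits[0], password)  # the actual password check
        return hits[0]
    except INVALID_CREDENTIALS:
        return None
    finally:
        conn.unbind_s()

class FakeConn:
    """Constructed stand-in for ldap.initialize(uri): one service account, one user."""
    PW = {'CN=svc,DC=company,DC=corp': 'svc-pw',
          'CN=Guddu,OU=Users,OU=Central,OU=CL,DC=company,DC=corp': 'user-pw'}
    def simple_bind_s(self, dn, pw):
        if self.PW.get(dn) != pw:
            raise INVALID_CREDENTIALS()
    def search_s(self, base, scope, flt, attrs):
        FakeConn.last_filter = flt
        dn = 'CN=Guddu,OU=Users,OU=Central,OU=CL,DC=company,DC=corp'
        hit = [(dn, {'cn': [b'Guddu']})] if '(sAMAccountName=Guddu)' in flt else []
        return hit + [(None, ['ldap://company.corp/CN=Configuration'])]  # AD-style referral
    def unbind_s(self):
        pass
```

The `if dn` filter drops the referral entries that a subtree search can return with a `None` DN, so they are not counted as matches.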