Join Log in
Score:0
tester778899 avatar Server

In Active Directory are Users always stored in the Users folder?

mx flag
tester778899

I am in a position where I am working with some very basic AD authentication. Basically as long as I can bind with some credentials, I consider a user authenticated with AD and I'm done. The difficult thing is I don't have access to the AD server and know very little about AD in general. So I cannot answer my own simple question and my requirement is kind of odd.

I need to let a user manually log in (by typing a user name and password) to a different AD login via LDAP than they are currently logged in as in Windows through a Chrome browser. So they are "authenticated" via NTLM, but now they can log in as someone else. Yes, weird, but that's the requirement.

From the initial NTLM process between the browser and Node.js, I get the URL to the AD and I get 3/4 attributes that I think I need. I get 3 DC attributes which match what I expect, but I don't get the CN which in my case is CN=Users. Basically it looks something like

CN=Users,DC=ABC1,DC=ABC2,DC=ABC3

But from the initial NTLM I don't get the CN=Users anywhere.

So to my question! In AD is the folder that contains users always called Users? Or am I a bit screwed since I cannot obtain that final CN value from the initial NTLM process. Maybe there is another NTLM message I can send to get more info?

Thanks.

47
0 + 0
Score:1
Swisstone avatar Server
cn flag
Swisstone

No, Users is just a container. Users and other objects can be stored in Organizational Units (OUs). As the documentation says:

OUs provide a means for administrators to group resources, such as user accounts or computer accounts, so that the resources can be managed as one unit. This makes it much easier to apply Group Policy to multiple computers or to control the access of many users to a single resource. OUs also make it easier to delegate control over resources to various administrators.

The string you are talking about is a Distinguished Name (DN) (example: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM)

However, I don't understand why do you want to retrieve the DN for the user while logging in? You should be able to log on with the UPN (User Principal Name), such as: [email protected]

0 + 0
tester778899 avatar
mx flag
tester778899
It's weird but the flow is: 1. Authenticate via browser and Node.JS using NTLM (works). 2. Authenticate again with a manual username/password via LDAP, making use of any information obtained through the NTLM process. Using LDAP I need to provide an IP address and the DN.. AFAIK we don't have any `user@something` type names..
0
Reply
Swisstone avatar
cn flag
Swisstone
@tester778899 if it's Active Directory yes, you have `user@something` by default. Ask your Active Directory administrator for further information.
0
Reply
tester778899 avatar
mx flag
tester778899
You are correct. So I have one username, `Admin`, that works properly when I do a bind request like `CN=Admin,CN=Users,DC=bla,DC=bla` and supply the password (using ASN1/Bern over a TCP socket, etc). When I try `[email protected]` this fails. What's the correct way to utilize a UPN? Can it be done in the same way as bind with CN?
0
Reply
Swisstone avatar
cn flag
Swisstone
@tester778899 Just `[email protected]`. This is how it works from an Active Direcory point of view, I don't know how the LDAP library you are using works... but the UPN is meant to be used for authentication...
0
Reply
tester778899 avatar
mx flag
tester778899
Thanks! I got it to work by simply not using `upn=` and also I had the domain wrong.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.