Easy way to test an LDAP User's Credentials

Asked 27/4, 2013 at 2:3 Answered 20/9, 2022 at 21:53

Is there an easy way to test the credentials of a user against an LDAP instance? I know how to write a Java program that would take the 'User DN' and password, and check it against the LDAP instance. However is there any easier way? Specially a method that not only authenticates the user, but also lists all the user's roles.

Areola answered 27/4, 2013 at 2:3 Comment(0)

110

ldapwhoami -vvv -h <hostname> -p <port> -D <binddn> -x -w <passwd>, where binddn is the DN of the person whose credentials you are authenticating.

On success (i.e., valid credentials), you get Result: Success (0). On failure, you get ldap_bind: Invalid credentials (49).

Siberia answered 4/7, 2014 at 18:21 Comment(5)

At least on my system, providing an empty username and/or password ("") causes ldapwhoami to return "Result: Success (0)" if the server is reachable. – Alphaalphabet 9/5, 2019 at 4:18

@Garrett Hyde, could you share an example with a mock DN? – Sciential 28/1, 2020 at 14:41

@NicholasDeMarco Here's an example DN: uid=john.doe,ou=People,dc=example,dc=com. – Pulmonate 28/1, 2020 at 16:57

For me ldapwhoami -D 'cn=username,ou=users,dc=compagny,dc=com' -x -W – Burdett 24/11, 2020 at 14:50

In the newer version of the command ldapwhoami 2.5.16+dfsg-0ubuntu0.22.04.1 (Jul 31 2023 22:13:10) - the -h option doesn't exists anymore. Use the LDAP URI command rather as such: ldapwhoami -v -H ldaps://<hostname>:<port> -D <binddn> -x -W – Flute 3/1 at 9:6

Use ldapsearch to authenticate. The opends version might be used as follows:

ldapsearch --hostname hostname --port port \
    --bindDN userdn --bindPassword password \
    --baseDN '' --searchScope base 'objectClass=*' 1.1

Downtoearth answered 29/4, 2013 at 11:2 Comment(3)

This way the password can be viewed in cleartext in the process list? – Situs 10/6, 2014 at 7:6

@Situs I think substitute --bindPasswrd password with -W (prompt for password) would fix the problem. – Deloresdeloria 6/1, 2017 at 8:14

What package should I install to get ldapsearch? – Davon 23/10, 2023 at 7:31

You should check out Softerra's LDAP Browser (the free version of LDAP Administrator), which can be downloaded here :

http://www.ldapbrowser.com/download.htm

I've used this application extensively for all my Active Directory, OpenLDAP, and Novell eDirectory development, and it has been absolutely invaluable.

If you just want to check and see if a username\password combination works, all you need to do is create a "Profile" for the LDAP server, and then enter the credentials during Step 3 of the creation process :

enter image description here

By clicking "Finish", you'll effectively issue a bind to the server using the credentials, auth mechanism, and password you've specified. You'll be prompted if the bind does not work.

Zaporozhye answered 3/5, 2013 at 21:58 Comment(4)

This does not work: This will only check if the user specified has permissions to list user information from LDAP, which isn't granted per se by Active Directory for instance. In that case authentication may still fail while the user credentials are valid. – Stuccowork 21/6, 2016 at 13:27

No. This command issues a full directory bind, just like a standard login attempt would. If you do not have permissions to view the base directory, you'll just see a blank screen. – Zaporozhye 21/6, 2016 at 15:57

Great answer! Didn't know that application. Thank you so much! – Haulm 13/2, 2018 at 19:59

Nice app - do you know any alternatives for it on Mac? – Chronoscope 1/5, 2018 at 3:30

Note, if you don't know your full bind DN, you can also just use your normal username or email with -U

ldapsearch -v -h contoso.com -U [email protected] -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'

Hydroxy answered 12/4, 2019 at 19:17 Comment(0)

Authentication is done via a simple ldap_bind command that takes the users DN and the password. The user is authenticated when the bind is successfull. Usually you would get the users DN via an ldap_search based on the users uid or email-address.

Getting the users roles is something different as it is an ldap_search and depends on where and how the roles are stored in the ldap. But you might be able to retrieve the roles during the lap_search used to find the users DN.

Sestos answered 27/4, 2013 at 11:16 Comment(4)

Thanks for your reply. What I'm really looking for is a tool where I can type the user DN, and password, and the tool would test and see if the user can be authenticated with those credentials. This is a very easy tool to develop; so I was hoping that there is already such a tool. – Areola 27/4, 2013 at 18:45

The tool is called ldap_bind. – Appliance 27/4, 2013 at 21:37

Unix/Linux offer 'ldapsearch' (mostly from openLDAP), with the proper options you don't see the password in the 'history' of 'process list' – Unparalleled 28/4, 2016 at 17:27

@Sestos The ldap_bind command is not found on my system, is this a C function from OpenLDAP library ? – Laity 28/7, 2022 at 9:52

For some reason, the accepted answer does not work, the arguments are not exactly the same (at least in Linux Alpine). This command should work:

ldapsearch -v -H ldap://dc1.MYDOMAIN.com -D "cn=Administrator,cn=Users,dc=MYDOMAIN,dc=com" -x -w SomeP@ssWord -Z -d 4

This is very helpful for debugging LDAP, as it outputs exactly the issue if there is any.

Knavish answered 20/9, 2022 at 21:53 Comment(0)

Recommended topics

Hot tags