Validate user id against AD

55366
55366 Member Posts: 3
edited Sep 19, 2008 3:36PM in Identity Manager
I need to write an application to validate that a user id is in Active Directory. The only way I have figured out how to do this is using dbms_ldap.simple_bind_s and supplying the user id and a password (the password is not the actual password). I'm able to take the return value from the call and determine if the user exists in AD, but it also counts as an invalid login attempt to AD. During my testing I have managed to lock out several accounts.

Does dbms_ldap have a way to just validate if the user is valid without passing in a password?

Best Answer

  • Kiran Thakkar
    Kiran Thakkar Member Posts: 292
    Answer ✓
    Hi

    You cannot write such an LDAP query in a procedure.

    If anonymous binding is allowed, then you can use the dbms_ldap.search_s command to search for a particular entry by creating an anonymous session with the directory.

    If anonymous binding is not allowed, then you will have to bind using one of the generic users who has access to search the entries in the directory. Then search using the dbms_ldap.search_s command with the valid session that you used to bind to the directory.

    Thanks
    Kiran Thakkar
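
The approach the accepted answer describes (bind as a read-only service account, then search for the user) written out as a PL/SQL function. This is an added example, not code from the thread or from Oracle; the host name, port, base DN, service-account DN and password are placeholders you must replace. Because the bind is always done as the service account and never as the user being checked, a lookup never increments the bad-password count on that user's account. The filter value is escaped per RFC 4515 so that a caller cannot smuggle a wildcard or extra filter clauses into the query:

```plsql
-- Added example (not from the original thread): check whether a sAMAccountName
-- exists in AD from PL/SQL by binding as a read-only service account and
-- searching. No bind is ever attempted as the user being checked, so the
-- user's account lockout counter is never touched.
-- Host, port, base DN, service-account DN and password below are assumptions;
-- replace them with your own (and read the password from a wallet or a
-- restricted configuration table rather than hard-coding it).
CREATE OR REPLACE FUNCTION ad_user_exists (p_user_id IN VARCHAR2) RETURN VARCHAR2 IS
  l_ld     DBMS_LDAP.session;
  l_rc     PLS_INTEGER;
  l_attrs  DBMS_LDAP.string_collection;
  l_res    DBMS_LDAP.message;
  l_count  PLS_INTEGER := 0;
  l_filter VARCHAR2(1024);

  -- Escape the characters that are special inside an LDAP search filter
  -- (RFC 4515) so that input such as "*" or "jdoe)(objectClass=*" matches
  -- only a literal account name, never arbitrary entries.
  FUNCTION escape_filter (p IN VARCHAR2) RETURN VARCHAR2 IS
    l VARCHAR2(4000) := p;
  BEGIN
    l := REPLACE(l, '\', '\5c');   -- backslash first, so later escapes are not re-escaped
    l := REPLACE(l, '*', '\2a');
    l := REPLACE(l, '(', '\28');
    l := REPLACE(l, ')', '\29');
    l := REPLACE(l, CHR(0), '\00');
    RETURN l;
  END escape_filter;
BEGIN
  -- sAMAccountName is at most 256 characters; reject junk before touching the directory
  IF p_user_id IS NULL OR LENGTH(p_user_id) > 256 THEN
    RETURN 'N';
  END IF;

  DBMS_LDAP.use_exception := TRUE;   -- raise on LDAP errors instead of returning codes

  -- assumed values: AD host/port and a low-privilege account that can only read
  l_ld := DBMS_LDAP.init('ad.example.com', 389);
  l_rc := DBMS_LDAP.simple_bind_s(l_ld,
                                  'CN=svc_ldap_lookup,OU=Service Accounts,DC=example,DC=com',
                                  '<service account password>');

  -- request a single attribute; whether an entry matches at all is the answer
  l_attrs(1) := 'sAMAccountName';
  l_filter   := '(&(objectCategory=person)(sAMAccountName=' || escape_filter(p_user_id) || '))';

  l_rc := DBMS_LDAP.search_s(l_ld,                      -- bound session
                             'DC=example,DC=com',       -- assumed search base
                             DBMS_LDAP.SCOPE_SUBTREE,   -- search the whole domain
                             l_filter,
                             l_attrs,
                             0,                         -- attronly = 0: return attribute values
                             l_res);

  l_count := DBMS_LDAP.count_entries(l_ld, l_res);

  l_rc := DBMS_LDAP.msgfree(l_res);
  l_rc := DBMS_LDAP.unbind_s(l_ld);

  RETURN CASE WHEN l_count > 0 THEN 'Y' ELSE 'N' END;
EXCEPTION
  WHEN OTHERS THEN
    -- always release the directory session, then let the caller see the failure
    BEGIN
      l_rc := DBMS_LDAP.unbind_s(l_ld);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RAISE;
END ad_user_exists;
/
```

Call it as `SELECT ad_user_exists('jdoe') FROM dual;`. Two points worth checking in your own environment: the service account should be a plain domain user with no write rights (a read is all this needs), and if the domain refuses simple binds over plain LDAP you will need `DBMS_LDAP.open_ssl` with a wallet against port 636 before `simple_bind_s`, otherwise the service-account password crosses the network in clear text.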

Answers

  • Srinivas.R
    Srinivas.R Member Posts: 252
    Hello,

    dbms_ldap is NOT the only way to do it. This may be the "database" way to do it. You can verify whether a user exists using the command-line tool "ldapsearch". Here is the explanation:

    ldapsearch -h <ad host> -p <ad port> -D "<AD service account>" -w *** -b "<base DN>" "(sAMAccountName=<AD userid>)"


    If the above returns output, then that means your user exists in AD, otherwise not. So there is no need to enter any password. samAccountName is for verifying using the username. If you want to verify using email address, you can use "userPrincipalName=<AD email address>"

    Hope that helps.

    -Srinivas
  • 55366
    55366 Member Posts: 3
    Thanks for the reply, but do you know if this is something I can call within an Oracle Procedure?
  • 55366
    55366 Member Posts: 3
    Thank you for your help, I will give it a try.