Lookup Active Directory entry by implicit UPN


The way to do this is to do an LDAP query against both the sAMAccountName and the userPrincipalName. For example: (&(sAMAccountName=uname)(userPrincipalName=*@example.com)) would query for the user [email protected] if his sAMAccountName ("implied UPN prefix" I suppose) were uname.

Programs like adfind will allow you to run arbitrary LDAP queries such as this one against AD.

In the event that you can't rely on the UPN suffix to match the domain because that was also overridden, you could create a list of the SID parts for each domain (every part of a user's SID except the last part) and search on that. If a domain example.net had an SID part of 1234-5678-9012, users in the domain would all have an SID starting with S-1-5-21-1234-5678-9012-. If you have that mapping, you could write an LDAP search

(&(sAMAccountName=uname)(objectSID=S-1-5-21-1234-5678-9012-*))
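The two lookups described in the answer, as an added example that is not part of the original post: it splits a Kerberos principal (implicit UPN) into its user and realm components, escapes those components per RFC 4515 before placing them in a filter (principal names can contain `*` or parentheses, which would otherwise change the filter's meaning), builds the sAMAccountName + userPrincipalName filter from the answer, and decodes a binary objectSid so the domain part (everything except the final RID) can be compared against a realm-to-domain-SID mapping. Because objectSid is stored as a binary octet string rather than the `S-1-5-...` text, the example decodes it client-side and compares the domain prefix instead of relying on a wildcard filter. The `DOMAIN_SID_PREFIXES` mapping and the `SAMPLE_RESULTS` entries are constructed for this example; no directory server is contacted.

```python
import struct
from typing import Optional

# Constructed mapping of Kerberos realm -> domain SID prefix (the answer's
# "every part of a user's SID except the last part"). Assumption for the example.
DOMAIN_SID_PREFIXES = {
    "EXAMPLE.NET": "S-1-5-21-1234-5678-9012",
}


def split_implicit_upn(iupn: str) -> tuple[str, str]:
    """Split a Kerberos principal 'uname@REALM' into (uname, REALM)."""
    if iupn.count("@") != 1:
        raise ValueError(f"not a user@realm principal: {iupn!r}")
    user, realm = iupn.rsplit("@", 1)
    if not user or not realm:
        raise ValueError(f"empty user or realm in principal: {iupn!r}")
    return user, realm


def ldap_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter structure."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def sam_filter(iupn: str) -> str:
    """Forest-wide search on the sAMAccountName derived from the principal."""
    user, _ = split_implicit_upn(iupn)
    return f"(sAMAccountName={ldap_escape(user)})"


def upn_suffix_filter(iupn: str) -> str:
    """The answer's first filter: sAMAccountName plus a UPN suffix matching the realm.
    AD matches userPrincipalName case-insensitively, so the realm is used as given."""
    user, realm = split_implicit_upn(iupn)
    return (f"(&(sAMAccountName={ldap_escape(user)})"
            f"(userPrincipalName=*@{ldap_escape(realm)}))")


def encode_sid(sid: str) -> bytes:
    """Encode 'S-<rev>-<authority>-<sub>...' into the binary objectSid layout
    (1 byte revision, 1 byte sub-authority count, 6-byte big-endian authority,
    little-endian 32-bit sub-authorities). Used here to build constructed samples."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def decode_sid(blob: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-21-... string form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def domain_prefix(sid: str) -> str:
    """Strip the final component (the RID) to obtain the domain SID."""
    return sid.rsplit("-", 1)[0]


def resolve_by_sid(iupn: str, results: list[tuple[str, bytes]]) -> Optional[str]:
    """Given (sAMAccountName, objectSid) pairs returned by a forest-wide sam_filter()
    search, return the SID of the entry whose domain matches the principal's realm."""
    user, realm = split_implicit_upn(iupn)
    prefix = DOMAIN_SID_PREFIXES.get(realm.upper())
    if prefix is None:
        return None
    for sam, sid_blob in results:
        sid = decode_sid(sid_blob)
        if sam.lower() == user.lower() and domain_prefix(sid) == prefix:
            return sid
    return None


# Constructed search results: the same sAMAccountName exists in two domains,
# so only the domain SID disambiguates them.
SAMPLE_RESULTS = [
    ("uname", encode_sid("S-1-5-21-1111-2222-3333-1105")),
    ("uname", encode_sid("S-1-5-21-1234-5678-9012-1105")),
]

if __name__ == "__main__":
    print(upn_suffix_filter("uname@EXAMPLE.COM"))
    print(sam_filter("uname@EXAMPLE.NET"))
    print(resolve_by_sid("uname@EXAMPLE.NET", SAMPLE_RESULTS))
```

The forest-wide sAMAccountName search is only a candidate list; the decoded domain SID is what ties a candidate back to the realm in the Kerberos principal, which is the ambiguity the comments below describe.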

Updated on September 18, 2022

Comments

  • Michael-O
    Michael-O almost 2 years

    In our company exists a forest-wide UPN suffix company.com and almost all user accounts have the explicit UPN set to [email protected]. This value is also set in the Active Directory userPrincipalName attribute.

    Now we have an application where users perform authentication through Kerberos. So we are given the Kerberos principal, i.e. implicit UPN. We'd like to look up that user and retrieve several LDAP attributes. Since iUPN and userPrincipalName do not match anymore, the lookup is not possible.

    Is there any "official" way to retrieve a mapping from the Active Directory? My workaround is to perform an LDAP bind against the realm component and search for the sAMAccountName attribute which matches the user id component of the iUPN. Searching for the mere sAMAccountName in the forest is not possible because the value is unique in the domain only.

    • uSlackr
      uSlackr about 12 years
      Sounds like you are on the right path. Do you foresee any issues with this approach?
  • Michael-O
    Michael-O almost 12 years
    How is this supposed to work if the userPrincipalName attribute value does not match the implicit UPN? The sAMAccountName won't help me here.
  • Falcon Momot
    Falcon Momot almost 12 years
    Yeah, the explicit UPN suffix would definitely make that useless. However, you could use objectSID for this.
  • Michael-O
    Michael-O almost 12 years
    Well, this would lead me to a chicken-and-egg problem. Since I do only have an iUPN, I cannot simply turn that to the domain SID :-( I found a workaround. I thought there might be a better way to do that.