
ninadvartak

macrumors newbie
Original poster
Dec 22, 2016
Currently my Mac has been successfully configured to be in an Active Directory domain. (System Preferences -> Users & Groups -> Login Options -> Network Account Server)

We are developing a Mac application that has the following requirements:

  1. It should communicate with the LDAP server in the Active Directory domain and retrieve users & their attributes from the LDAP server.
  2. While communicating (bind or search) with the LDAP server, we are not allowed to explicitly specify the logged-in user's credentials (e.g. we should not prompt the user with a username / password screen).
If we explicitly specify the logged-in user's credentials,
  • we are able to bind to the LDAP server
  • we are able to search the users & their attributes in the LDAP server.
If we do not specify the logged-in user's credentials,
  • we are able to bind to the LDAP server,
  • but it does not allow us to search the users & their attributes in the LDAP server.
Is there a way we can use the logged-in user's credentials implicitly while communicating with the LDAP server?

Can you please guide us on how we can query the LDAP server (search users & their attributes in the LDAP server) without specifying the logged-in user's credentials explicitly?

Any kind of help is highly appreciated.

Thanks
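The behaviour described in the post (anonymous bind accepted, anonymous search refused, simple bind with the user's credentials accepted) can be watched on the wire without any LDAP library. The following is an added example written for this thread; it is not the poster's code and not part of OpenLDAP. It is a stdlib-only Python LDAPv3 client that hand-encodes a BindRequest and a SearchRequest (RFC 4511 BER) and decodes the server's LDAPResult. It assumes the domain controller offers LDAPS on port 636; the host `dc.example.com`, base DN `DC=example,DC=com` and UPN `alice@example.com` in the usage note are placeholders, and `SAMPLE_DIAG` is a constructed sample modelled on the refusal text an AD domain controller returns.

```python
# Added example, not the poster's code and not OpenLDAP code: a stdlib-only LDAPv3 client
# that hand-encodes BindRequest/SearchRequest (RFC 4511 BER) and decodes the LDAPResult.
import socket
import ssl

def ber_len(n):                      # BER definite length: 1 byte below 128, else 0x80|N + N bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value, tag=0x02):        # tag 0x0A encodes an ENUMERATED
    size = max(1, (value.bit_length() + 8) // 8)       # minimal two's complement
    return tlv(tag, value.to_bytes(size, "big", signed=True))

def ber_str(s, tag=0x04):
    return tlv(tag, s.encode("utf-8") if isinstance(s, str) else s)

def ber_seq(*parts, tag=0x30):
    return tlv(tag, b"".join(parts))

def bind_request(msg_id, dn="", password=""):
    """BindRequest (APPLICATION 0); empty dn and password is an anonymous bind.
    The simple-auth password goes out in clear, so only ever send it under TLS."""
    op = ber_seq(ber_int(3), ber_str(dn), ber_str(password, tag=0x80), tag=0x60)
    return ber_seq(ber_int(msg_id), op)

def search_request(msg_id, base_dn, attrs=("sAMAccountName", "mail")):
    """SearchRequest (APPLICATION 3): (objectClass=*) over the whole subtree."""
    op = ber_seq(ber_str(base_dn),
                 ber_int(2, tag=0x0A), ber_int(0, tag=0x0A),   # wholeSubtree, neverDeref
                 ber_int(0), ber_int(0), tlv(0x01, b"\x00"),  # no limits, typesOnly FALSE
                 ber_str("objectClass", tag=0x87),            # present filter, tag [7]
                 ber_seq(*[ber_str(a) for a in attrs]), tag=0x63)
    return ber_seq(ber_int(msg_id), op)

def parse_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def op_tag_of(msg):
    body = parse_tlv(msg)[1]
    return parse_tlv(body, parse_tlv(body)[2])[0]      # the element after messageID

def parse_result(msg):
    """LDAPResult (BindResponse 0x61 / SearchResultDone 0x65) as
    (msg_id, op_tag, resultCode, diagnosticMessage)."""
    body = parse_tlv(msg)[1]
    _, msg_id, p = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, p)
    _, code, p = parse_tlv(op)                          # resultCode ENUMERATED
    _, _matched_dn, p = parse_tlv(op, p)
    _, diag, _ = parse_tlv(op, p)
    return (int.from_bytes(msg_id, "big"), op_tag,
            int.from_bytes(code, "big"), diag.decode("utf-8", "replace"))

# Constructed sample modelled on an AD DC refusing a search on an anonymous session
# (resultCode 1, operationsError, plus the "successful bind must be completed" hint).
SAMPLE_DIAG = ("000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this "
               "operation a successful bind must be completed on the connection., data 0, v1db1")

def sample_search_refusal(msg_id=2):
    op = ber_seq(ber_int(1, tag=0x0A), ber_str(""), ber_str(SAMPLE_DIAG), tag=0x65)
    return ber_seq(ber_int(msg_id), op)

def read_message(sock):
    """Read exactly one LDAPMessage: 2-byte head, long-form length bytes if any, body."""
    def recv_exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection")
            data += chunk
        return data
    head = recv_exact(2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(length)

def probe(host, base_dn, dn="", password="", port=636):
    """LDAPS connect, bind (anonymous when dn is empty), search; return (code, diag) of each."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as sock:
        sock.sendall(bind_request(1, dn, password))
        bind = parse_result(read_message(sock))[2:]
        if bind[0] != 0:
            return bind, None
        sock.sendall(search_request(2, base_dn))
        while True:                          # entries (0x64) and referrals (0x73) precede
            msg = read_message(sock)         # the SearchResultDone (0x65) we report on
            if op_tag_of(msg) == 0x65:
                return bind, parse_result(msg)[2:]
```

Calling `probe("dc.example.com", "DC=example,DC=com")` and then `probe("dc.example.com", "DC=example,DC=com", "alice@example.com", "secret")` (placeholders) gives the post's observation in numbers: the anonymous run returns `(0, '')` for the bind and a non-zero result code for the search (the constructed sample shows the operationsError, code 1, an AD domain controller returns), the authenticated run returns `0` for both; `parse_result(sample_search_refusal())` decodes the sample offline. The example only covers the two binds the thread compares. Two caveats it does not settle: a simple bind carries the password in clear, which is why `probe()` connects only over LDAPS; and on a Mac joined to the domain the logged-in user normally already holds a Kerberos ticket, so the way to authenticate without prompting is a SASL GSSAPI bind (in libldap, `ldap_sasl_interactive_bind_s()` with mechanism `GSSAPI`), which neither this example nor the thread shows.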
 
I don't know the answer but maybe if you give some more details it will help someone else who might. What API are you using to speak with the LDAP server? Are you going via Directory Services?
 
We are currently using the OpenLDAP framework for LDAP operations.
 
I'm betting you didn't allow many actions in your slapd ACLs for anonymous binds. You will need to define ACLs to grant access for anonymous binds to be able to read from your directory. You can get as granular as only allowing an anonymous bind to read specific attributes, for specific object(Class) types, in specific branches/bases.
 