How to bind and query LDAP server without specifying user credentials

Discussion in 'Mac Programming' started by ninadvartak, Dec 22, 2016.

  1. ninadvartak macrumors newbie

    Joined:
    Dec 22, 2016
    #1
    Currently my Mac has been successfully configured to be in Active Directory Domain. (System Preferences -> Users & Groups -> Login Options -> Network Account Server)

    We are developing a Mac application that has following requirements:

    1. It should communicate with the LDAP server in Active Directory Domain and retrieve users & their attributes from LDAP server.
    2. While communicating (bind or search) with the LDAP server, we are not allowed to explicitly specify logged-in user's credentials. (e.g. we should not prompt username / password screen to the user)
    If we explicitly specify the logged-in user's credentials:
    • we are able to bind to the LDAP server,
    • we are able to search the users & their attributes in the LDAP server.
    If we do not specify the logged-in user's credentials:
    • we are able to bind to the LDAP server,
    • but it does not allow us to search the users & their attributes in the LDAP server.
    Is there a way with which we can use logged-in user's credentials implicitly while communicating with the LDAP server?

    Can you please guide us on how we can query the LDAP server (search users & their attributes in the LDAP server) without specifying the logged-in user's credentials explicitly?

    Any kind of help is highly appreciated.

    Thanks
     
  2. cqexbesd macrumors regular

    Joined:
    Jun 4, 2009
    #2
    I don't know the answer but maybe if you give some more details it will help someone else who might. What API are you using to speak with the LDAP server? Are you going via Directory Services?
     
  3. ninadvartak thread starter macrumors newbie

    Joined:
    Dec 22, 2016
    #3

    We are currently using OpenLDAP framework for LDAP operations.
     
  4. ocabj macrumors 6502a

    Joined:
    Jul 2, 2009
    #4
    I'm betting you didn't allow many actions in your slapd ACLs for anonymous binds. You will need to define ACLs to grant access for anonymous binds to be able to read from your directory. You can get as granular as only allowing an anonymous bind to read specific attributes, for specific object(Class) types, in specific branches/bases.
     
