Python ldap3 使用邮件或用户 ID 进行身份验证

Question

I am using the ldap3 library ( https://ldap3.readthedocs.io/en/latest/ ) with Python and authenticating against LDAP

conn = Connection(server, user='CN=person,OU=Service Accounts,DC=mydc,DC=mydomain,DC=co,DC=uk', password='Password123', auto_bind=True)

The below works but only because I know the person value. How would I set this up so someone can authenticate using their mail or user ID eg forename.surname

At the moment they would need to use the dn form which of course no user will ever be likely to know

Thanks

Answer 1

Using this page https://ldap3.readthedocs.io/en/latest/tutorial_intro.html#logging-into-the-server

I got the following to work

from ldap3 import Server, Connection, ALL, NTLM

server = Server('ldap://my_ldap_server', get_info='ALL')
conn = Connection(server, user="mydomain\\user", password='Password123', authentication=NTLM)
conn.bind()
authenticated = conn.bound
print(authenticated)
conn.unbind()

Answer 2

At the moment they would need to use the dn form which of course no user will ever be likely to know

With standard LDAP directories, you're supposed to bind with the application's own account first, then perform a search for some attribute as the username (eg search Active Directory for sAMAccountName=theuser ), and finally use the found entry's DN as the actual bind DN for password verification.

For Active Directory in particular, you can directly specify either the UPN theuser@ad.example.com or the legacy SAM account name EXAMPLE\theuser in place of the bind DN.