
How to bind and query LDAP server without specifying user credentials

Currently my Mac has been successfully configured to be in Active Directory Domain. (System Preferences -> Users & Groups -> Login Options -> Network Account Server)

We are developing a Mac application that has following requirements:

  1. It should communicate with the LDAP server in Active Directory Domain and retrieve users & their attributes from LDAP server.
  2. While communicating (bind or search) with the LDAP server, we are not allowed to explicitly specify the logged-in user's credentials (e.g., we should not show a username/password prompt to the user).

If we explicitly specify logged-in user's credentials,

• we are able to bind to the LDAP server

• we are able to search the users & their attributes in LDAP server.

If we do not specify logged-in user's credentials,

• we are able to bind to the LDAP server

• but it does not allow us to search the users & their attributes in LDAP server.

We are currently using the OpenLDAP framework for LDAP operations.

Is there a way with which we can use logged-in user's credentials implicitly while communicating with the LDAP server?

Can you please guide us on how we can query the LDAP server (search users & their attributes in the LDAP server) without specifying the logged-in user's credentials explicitly?

Any kind of help is highly appreciated.

Is there a way with which we can use logged-in user's credentials implicitly while communicating with the LDAP server?

Maybe.

IF you CAN set up Kerberos (and SPNEGO is using a WEB browser) you might be able to obtain a "ticket" that you could then use with GSSAPI to authenticate the user.

You would probably be more secure if you used one of the many third-party Access Manager Products to perform these services due to the inherent security risks involved.
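The GSSAPI route mentioned in the answer above, as an added example that is not part of the original post: a SASL/GSSAPI bind through the OpenLDAP C API, called from Objective-C, with no DN or password passed to the bind. It assumes the login session already holds a Kerberos TGT for the domain user and that libldap is built with Cyrus SASL and its GSSAPI mechanism; `ListDirectoryUsers`, `quietInteract`, `firstValue`, the build line and the hostname in the comment are hypothetical.

```objective-c
// Added example, not from the original post. Assumed build line on macOS:
//   clang -fobjc-arc gssbind.m -framework Foundation -lldap -lsasl2
#import <Foundation/Foundation.h>
#include <ldap.h>
#include <sasl/sasl.h>

// GSSAPI takes the identity from the Kerberos ticket, so any SASL prompt
// is answered with its default (or empty) and nothing is shown to the user.
static int quietInteract(LDAP *ld, unsigned flags, void *defaults, void *in) {
    for (sasl_interact_t *p = in; p && p->id != SASL_CB_LIST_END; p++) {
        p->result = p->defresult ? p->defresult : "";
        p->len = (unsigned)strlen(p->result);
    }
    return LDAP_SUCCESS;
}

static NSString *firstValue(LDAP *ld, LDAPMessage *e, const char *attr) {
    struct berval **v = ldap_get_values_len(ld, e, attr);
    NSString *s = (v && v[0]) ? [[NSString alloc] initWithBytes:v[0]->bv_val
        length:v[0]->bv_len encoding:NSUTF8StringEncoding] : nil;
    if (v) ldap_value_free_len(v);
    return s ?: @"";
}

// uri must name the domain controller by FQDN (e.g. ldap://dc1.example.com,
// a placeholder): the service ticket is requested for ldap/<that host>.
// Returns nil on failure; partial results if the server's size limit hits.
NSArray<NSString *> *ListDirectoryUsers(NSString *uri, NSString *baseDN) {
    LDAP *ld = NULL;
    LDAPMessage *res = NULL;
    int v3 = LDAP_VERSION3;
    char *attrs[] = {"sAMAccountName", "mail", NULL};
    NSMutableArray<NSString *> *users = [NSMutableArray array];
    if (ldap_initialize(&ld, uri.UTF8String) != LDAP_SUCCESS) return nil;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &v3);
    ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); // no anonymous referral chasing
    // No DN and no password: the bind uses the ticket in the session's cache.
    int rc = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI", NULL, NULL,
                                          LDAP_SASL_QUIET, quietInteract, NULL);
    if (rc == LDAP_SUCCESS)
        rc = ldap_search_ext_s(ld, baseDN.UTF8String, LDAP_SCOPE_SUBTREE,
                               "(&(objectCategory=person)(objectClass=user))",
                               attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res);
    if (rc != LDAP_SUCCESS) NSLog(@"LDAP: %s", ldap_err2string(rc));
    for (LDAPMessage *e = res ? ldap_first_entry(ld, res) : NULL; e;
         e = ldap_next_entry(ld, e))
        [users addObject:[NSString stringWithFormat:@"%@ <%@>",
            firstValue(ld, e, "sAMAccountName"), firstValue(ld, e, "mail")]];
    if (res) ldap_msgfree(res);
    ldap_unbind_ext_s(ld, NULL, NULL);
    return (rc == LDAP_SUCCESS || rc == LDAP_SIZELIMIT_EXCEEDED) ? users : nil;
}
```

If the bind fails with a credentials error, `klist` in the same login session shows whether a TGT for the domain user is actually present.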
