79

Is there an easy way to test the credentials of a user against an LDAP instance? I know how to write a Java program that would take the 'User DN' and password, and check it against the LDAP instance. However is there any easier way? Specially a method that not only authenticates the user, but also lists all the user's roles.

6 Answers

111

ldapwhoami -vvv -h <hostname> -p <port> -D <binddn> -x -w <passwd>, where binddn is the DN of the person whose credentials you are authenticating.

On success (i.e., valid credentials), you get Result: Success (0). On failure, you get ldap_bind: Invalid credentials (49).

5
  • At least on my system, providing an empty username and/or password ("") causes ldapwhoami to return "Result: Success (0)" if the server is reachable.
    – Stephen
    Commented May 9, 2019 at 4:18
  • @Garrett Hyde, could you share an example with a mock DN?
    – ndemarco
    Commented Jan 28, 2020 at 14:41
  • 1
    @NicholasDeMarco Here's an example DN: uid=john.doe,ou=People,dc=example,dc=com. Commented Jan 28, 2020 at 16:57
  • 4
    For me ldapwhoami -D 'cn=username,ou=users,dc=compagny,dc=com' -x -W
    – themadmax
    Commented Nov 24, 2020 at 14:50
  • 2
In the newer version of the command ldapwhoami 2.5.16+dfsg-0ubuntu0.22.04.1 (Jul 31 2023 22:13:10) - the -h option doesn't exist anymore. Use the LDAP URI command rather as such: ldapwhoami -v -H ldaps://<hostname>:<port> -D <binddn> -x -W
    – Zailux
    Commented Jan 3 at 9:06
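The bind check from this answer, wrapped so that the password is read from a file rather than passed on the command line, as an added example that is not part of the answer. ldapwhoami and its -x, -H, -D and -y options are OpenLDAP's; the URI, bind DN and file path in the usage comment are placeholders. The OpenLDAP client tools exit with the LDAP result code, so the 0 and 49 the answer mentions can be branched on directly. The wrapper also refuses an empty password before binding, because an empty password turns the request into an unauthenticated bind that some servers accept, which is what the first comment observed.

```shell
#!/bin/sh
# Added example (not from the original answer): verify a bind DN's credentials
# with OpenLDAP's ldapwhoami without putting the password on the command line.
# Assumes the OpenLDAP client tools are installed; the URI, bind DN and
# password-file path in the usage comment are placeholders you supply.

# Translate the exit status of the OpenLDAP client tools, which is the LDAP
# result code of the failed operation, into a short explanation.
ldap_status_text() {
  case "$1" in
    0)   echo "success: credentials accepted" ;;
    32)  echo "noSuchObject: the bind DN does not exist" ;;
    49)  echo "invalidCredentials: wrong password or unknown DN" ;;
    255) echo "cannot contact the LDAP server (check the -H URI, TLS, firewall)" ;;
    *)   echo "LDAP result code $1" ;;
  esac
}

# Write a password into a mode-0600 file with no trailing newline, which is
# what -y expects: the entire file content is used as the password.
ldap_write_passfile() {
  file=$1; pw=$2
  old_umask=$(umask); umask 077
  printf '%s' "$pw" > "$file"
  umask "$old_umask"
}

# Bind as $2 against $1 using the password stored in file $3, with -x (simple
# bind) and -H (LDAP URI; -h/-p are gone in OpenLDAP 2.5+). Prints the outcome
# and returns the LDAP result code so callers can branch on it. An empty
# password file is rejected locally: sending it would be an unauthenticated
# bind, which some servers answer with "Success (0)".
ldap_check_creds() {
  uri=$1; binddn=$2; passfile=$3
  if [ ! -s "$passfile" ]; then
    echo "$binddn: refusing to bind with an empty password"
    return 1
  fi
  if ldapwhoami -x -H "$uri" -D "$binddn" -y "$passfile" >/dev/null 2>&1; then
    rc=0
  else
    rc=$?
  fi
  echo "$binddn: $(ldap_status_text "$rc")"
  return "$rc"
}

# Usage (placeholder values):
#   ldap_write_passfile /tmp/ldap.pw 'secret'   # or collect it with stty -echo
#   ldap_check_creds ldaps://ldap.example.com:636 \
#       'uid=john.doe,ou=People,dc=example,dc=com' /tmp/ldap.pw
#   rm -f /tmp/ldap.pw
```

Delete the password file as soon as the check is done, and use an ldaps:// URI (or add -Z for StartTLS) so the simple bind does not send the password in clear over the network.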
17

Use ldapsearch to authenticate. The opends version might be used as follows:

ldapsearch --hostname hostname --port port \
    --bindDN userdn --bindPassword password \
    --baseDN '' --searchScope base 'objectClass=*' 1.1
3
  • 2
    This way the password can be viewed in cleartext in the process list?
    – Kiril
    Commented Jun 10, 2014 at 7:06
  • 12
@Kiril I think substituting --bindPassword password with -W (prompt for password) would fix the problem.
    – ibic
    Commented Jan 6, 2017 at 8:14
  • What package should I install to get ldapsearch?
    – lindhe
    Commented Oct 23, 2023 at 7:31
12

You should check out Softerra's LDAP Browser (the free version of LDAP Administrator), which can be downloaded here :

http://www.ldapbrowser.com/download.htm

I've used this application extensively for all my Active Directory, OpenLDAP, and Novell eDirectory development, and it has been absolutely invaluable.

If you just want to check and see if a username\password combination works, all you need to do is create a "Profile" for the LDAP server, and then enter the credentials during Step 3 of the creation process :

[screenshot of the profile wizard's credentials step not reproduced]

By clicking "Finish", you'll effectively issue a bind to the server using the credentials, auth mechanism, and password you've specified. You'll be prompted if the bind does not work.

4
  • 2
    This does not work: This will only check if the user specified has permissions to list user information from LDAP, which isn't granted per se by Active Directory for instance. In that case authentication may still fail while the user credentials are valid.
    – Sebazzz
    Commented Jun 21, 2016 at 13:27
  • No. This command issues a full directory bind, just like a standard login attempt would. If you do not have permissions to view the base directory, you'll just see a blank screen.
    – X3074861X
    Commented Jun 21, 2016 at 15:57
  • Great answer! Didn't know that application. Thank you so much!
    – ClownCoder
    Commented Feb 13, 2018 at 19:59
  • Nice app - do you know any alternatives for it on Mac?
    – emmdee
    Commented May 1, 2018 at 3:30
7

Note, if you don't know your full bind DN, you can also just use your normal username or email with -U:

ldapsearch -v -h contoso.com -U [email protected] -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
3

Authentication is done via a simple ldap_bind command that takes the user's DN and the password. The user is authenticated when the bind is successful. Usually you would get the user's DN via an ldap_search based on the user's uid or email address.

Getting the user's roles is something different, as it is an ldap_search and depends on where and how the roles are stored in the LDAP. But you might be able to retrieve the roles during the ldap_search used to find the user's DN.

4
  • Thanks for your reply. What I'm really looking for is a tool where I can type the user DN, and password, and the tool would test and see if the user can be authenticated with those credentials. This is a very easy tool to develop; so I was hoping that there is already such a tool. Commented Apr 27, 2013 at 18:45
  • The tool is called ldap_bind.
    – user207421
    Commented Apr 27, 2013 at 21:37
Unix/Linux offer 'ldapsearch' (mostly from OpenLDAP); with the proper options you don't see the password in the 'history' or 'process list'. Commented Apr 28, 2016 at 17:27
  • 1
    @heiglandreas The ldap_bind command is not found on my system, is this a C function from OpenLDAP library ?
    – SebMa
    Commented Jul 28, 2022 at 9:52
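An added example (not the answer's own code) of the two searches this answer describes: one ldapsearch to resolve a uid to a DN, then a second to list the groups that carry that DN as a member. Going one step beyond the answer, the uid is escaped per RFC 4515 before it is placed in the filter, because an unescaped '*' or ')' taken from user input changes the filter's meaning. It assumes OpenLDAP's ldapsearch, groupOfNames-style groups with a member attribute, and placeholder URIs, DNs and file paths.

```shell
#!/bin/sh
# Added example (not part of the original answer): look up a user's DN from a
# uid with ldapsearch, then list the groups that hold that DN as a member.
# Assumes OpenLDAP client tools and groupOfNames groups (member attribute);
# Active Directory exposes the same information as the user's memberOf
# attribute instead. URI, base DNs and paths in the usage comment are placeholders.

# Escape the characters that have meaning inside an LDAP filter value
# (RFC 4515). Backslash goes first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the filter that finds an entry by uid, with the uid escaped.
ldap_uid_filter() {
  printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# Search base DN $4 for uid $5, binding as $2 with the password in file $3
# (-y keeps the password out of the process list). Requests no attributes (1.1)
# and prints only the dn: lines; ldif-wrap=no keeps long DNs on one line.
ldap_find_dn() {
  uri=$1; binddn=$2; passfile=$3; base=$4; uid=$5
  ldapsearch -x -LLL -o ldif-wrap=no -H "$uri" -D "$binddn" -y "$passfile" \
    -b "$base" "$(ldap_uid_filter "$uid")" 1.1 | sed -n 's/^dn: //p'
}

# Print the cn of every group under base DN $4 whose member attribute
# contains the user DN $5 (the DN is escaped too, since it becomes a filter value).
ldap_list_groups() {
  uri=$1; binddn=$2; passfile=$3; base=$4; userdn=$5
  ldapsearch -x -LLL -o ldif-wrap=no -H "$uri" -D "$binddn" -y "$passfile" \
    -b "$base" "(&(objectClass=groupOfNames)(member=$(ldap_filter_escape "$userdn")))" cn \
    | sed -n 's/^cn: //p'
}

# Usage (placeholder values):
#   dn=$(ldap_find_dn ldaps://ldap.example.com 'cn=svc-bind,dc=example,dc=com' \
#          /tmp/ldap.pw 'ou=People,dc=example,dc=com' 'john.doe')
#   ldap_list_groups ldaps://ldap.example.com 'cn=svc-bind,dc=example,dc=com' \
#          /tmp/ldap.pw 'ou=Groups,dc=example,dc=com' "$dn"
```

Bind for these searches with a low-privilege service account rather than the user's own credentials, and treat more than one DN returned by ldap_find_dn as an error rather than picking the first. Entries with non-ASCII DNs come back base64-encoded on a "dn::" line, which the sed extraction above deliberately does not try to decode.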
3

For some reason, the accepted answer does not work, the arguments are not exactly the same (at least in Linux Alpine). This command should work:

ldapsearch -v -H ldap://dc1.MYDOMAIN.com -D "cn=Administrator,cn=Users,dc=MYDOMAIN,dc=com" -x -w SomeP@ssWord -Z -d 4

This is very helpful for debugging LDAP, as it outputs exactly the issue if there is any.
