Authenticating a user using LDAP in ASP

Posted on 2003-03-20
Medium Priority
Last Modified: 2013-12-04
I am attempting to authenticate a user in ASP using LDAP on an Intranet.
The Active Directory Server is Windows 2000, and the IIS box is Windows 2000.

In the ASP app, I check to see if they have a certain cookie. If the cookie doesn't exist, I redirect them to a login page and have them enter their credentials which then get stored in the cookie. If the cookie does exist it will contain their username and password (encrypted). Great! Now I can query LDAP with their credentials to see if they are members of a certain group.
The problem I am facing is:

In the cookie, the username is stored as the sAMAccountName. In other words, 'nbrewer'. Also, the cookie does not store their 'Distinguished Name' A.K.A. DN. An example of a DN is something like:

"CN=Neil Brewer,CN=Developer,OU=Administration,DC=lc,DC=local"

This means Neil Brewer is a member of the container 'Developer' in the Organizational Unit 'Administration' in the lc.local domain.

However, at this point I only have the sAMAccountName, and to authenticate, I need the DN of the user. MS pointed me to the following code to authenticate a user:

Const ADS_SECURE_AUTHENTICATION = 1   ' needed for the last argument below; not defined in the snippet as posted

Dim dso As IADsOpenDSObject
Dim obj1 As IADs, obj2 As IADs
Dim szUsername As String
Dim szPassword As String

Set dso = GetObject("LDAP:")

' Insert code securely.

' Bind using full credentials.
Set obj1 = dso.OpenDSObject( _
    "LDAP://server1/CN=Dept1,DC=Fabrikam,DC=com", _
    szUsername, _
    szPassword, _
    ADS_SECURE_AUTHENTICATION)   ' the posted snippet was cut off after szPassword, leaving the call unclosed

' Bind to another object with the default credentials.
Set obj2 = GetObject("LDAP://server1/CN=Dept2,DC=Fabrikam,DC=com")

Found at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/iadsopendsobject_opendsobject.asp

That's well and good, but it requires the DN, which I don't yet have. So they then pointed me to:


Which has the following code:

<%@ Language=VBScript %>
<%
  Dim nto, adsServer, user, dom, passwd, dn, result
  const ADS_NAME_INITTYPE_SERVER = 2   ' not defined in the snippet as posted
  const ADS_NAME_TYPE_1779 = 1
  const ADS_NAME_TYPE_NT4 = 3
  adsServer = "aDsServer"   ' renamed from 'server' so it does not collide with the ASP Server object
  user   = "jeffsmith"
  dom    = "Fabrikam"
  passwd = "top secret"
  dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"
  Set nto = Server.CreateObject("NameTranslate")
  nto.InitEx ADS_NAME_INITTYPE_SERVER, adsServer, user, dom, passwd
'  nto.Set ADS_NAME_TYPE_1779, dn
  nto.Set ADS_NAME_TYPE_NT4, dn ' I was told by MS to switch this
'  result = nto.Get(ADS_NAME_TYPE_NT4)
  result = nto.Get(ADS_NAME_TYPE_1779) ' I was told by MS to switch this.
  Response.Write "<p>Translated name: " & result
%>

Result SHOULD now hold the DN. But, I get an error every time I run that. Probably a permissions thing, I'll address that later. Also note though, that example requires you enter the DN in the code.
I don't know the DN! That code is supposed to tell me the DN!
What do I need to change there to have it return the proper DN?
Once I have the proper DN, I can query LDAP using the first snippet of code and properly authenticate the user.

So, the question boils down to:
If I have the sAMAccountName, how do I get the DN?
If I have the DN, how do I get the sAMAccountName?

(You may be wondering why MS didn't fully answer all my questions and get this working. Twas because I kept pushing him for more and more answers. By the time we got this far, I had squeezed about 5 support calls into one and he cut me off.)

Also, the tech guy gave me a great tool to browse through LDAP. Similar to ADSIEdit but better. It's called 'Active Directory Browser' and the exe name is 'AdsVw.exe'. Search for it on Google, or let me know and I can email it to you.

Thanks in advance for any help,
Neil Brewer

Question by:L00M

Accepted Solution

DominicCronin earned 600 total points
ID: 8186513
Actually, the most useful ldap tool from MS is LDP, which ships on the Win2K CD but is only installed if you install the resource kit. It hides in the menus as Active Directory Admin tool - or some such nonsense, but it's a generic LDAP browser, in fact a very thin GUI wrapper over the LDAP API.

If you're in any doubt as to whether your problem is to do with permissions, then use this or another LDAP browser to bind with the credentials you are going to use, and navigate through the tree. If you don't have permissions, you won't see the entry.

Now to your main problem. You are not alone. Everyone has to look up the user's DN first. All you need is a subtree search based at the root of the tree where all your users are. Let's say "dc=local" in this case, although maybe you can choose a smaller tree.

You should use the ADSI OLEDB provider. This means that you can create an ADO Command object that will accept a search string and return a recordset. Once you have it, you'll find the DN in the 'adspath' field, although you'll have to write a little function to strip off some additional junk that MS adds.


shows briefly how to set up a connection object that provides this functionality. Then you just need to create a command object and set this connection as its active connection. After that you set the CommandText to your search query and execute.

For the search queries, you can choose between an SQL-like dialect or an LDAP-like one. Personally I prefer the ldap style.


gives the details

If you take their example, you could adapt it to search for a samAccountName, so instead of:
"<LDAP://DC=Fabrikam,DC=com>;(objectClass=*);AdsPath, cn;subTree"

you'd end up with something more like:

[Searching for Mickey Mouse]


The query can also include the server if you need that too.

Good luck - I know how frustrating this stuff can be, and the MS documentation really suffers from not having a good "how-to" on this subject.
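The search-then-bind flow the accepted answer describes, written out as an added classic ASP/VBScript example (it is not code from the question, the answer, or Microsoft's documentation). The sAMAccountName taken from the cookie is escaped before it is placed in the LDAP filter, since that value is user-supplied; the DN is then cut out of the AdsPath field as the answer suggests, and used for a secure OpenDSObject bind. The search root DC=lc,DC=local, the host name dc1.lc.local and the function names are assumptions for illustration.

```vbscript
Const ADS_SECURE_AUTHENTICATION = 1
' Escape user-supplied text for an LDAP filter (RFC 2254); backslash goes first.
Function EscapeLdap(s)
    Dim out
    out = Replace(s, "\", "\5c")
    out = Replace(out, "*", "\2a")
    out = Replace(out, "(", "\28")
    out = Replace(out, ")", "\29")
    EscapeLdap = Replace(out, Chr(0), "\00")
End Function
' Strip "LDAP://" and an optional "server/" prefix from an AdsPath, leaving the DN.
Function DnFromAdsPath(adsPath)
    Dim rest, slash
    rest = Mid(adsPath, Len("LDAP://") + 1)
    slash = InStr(rest, "/")
    If slash > 0 Then   ' a leading server segment has no "="; a DN component always does
        If InStr(Left(rest, slash - 1), "=") = 0 Then rest = Mid(rest, slash + 1)
    End If
    DnFromAdsPath = rest
End Function

' Subtree search via the ADSI OLE DB provider; returns "" when no user matches.
' searchRoot is assumed to look like "LDAP://DC=lc,DC=local".
Function GetUserDN(searchRoot, samAccountName)
    Dim conn, cmd, rs
    GetUserDN = ""
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active DS Provider"   ' binds with the IIS process identity
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "<" & searchRoot & ">;(&(objectCategory=person)(sAMAccountName=" & _
        EscapeLdap(samAccountName) & "));AdsPath;subTree"
    Set rs = cmd.Execute
    If Not rs.EOF Then GetUserDN = DnFromAdsPath(rs.Fields("AdsPath").Value)
    rs.Close
    conn.Close
End Function

' Secure bind as the user. An empty password is rejected first: an LDAP bind with
' an empty password is treated as anonymous and would otherwise "succeed".
Function AuthenticateUser(server, dn, password)
    Dim dso, obj
    AuthenticateUser = False
    If dn = "" Or password = "" Then Exit Function
    On Error Resume Next
    Set dso = GetObject("LDAP:")
    Set obj = dso.OpenDSObject("LDAP://" & server & "/" & dn, dn, password, ADS_SECURE_AUTHENTICATION)
    AuthenticateUser = (Err.Number = 0)
    On Error GoTo 0
End Function
```

Call GetUserDN("LDAP://DC=lc,DC=local", "nbrewer") and pass the returned DN with the supplied password to AuthenticateUser("dc1.lc.local", dn, password). With ADS_SECURE_AUTHENTICATION the bind also accepts the "lc\nbrewer" form directly, but the DN lookup is still needed for the group-membership query the question is after.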

Author Comment

ID: 8195436
Thank you for the help. You're correct, the documentation could certainly be better. That being said, thank you very much for pointing me in the right direction. I still have a ways to go, but this helps me immensely.

Have a great day,
Neil Brewer
