We're on a corporate network that's running Active Directory and we'd like to test out some LDAP stuff (the Active Directory membership provider, actually), and so far none of us can figure out what our LDAP connection string is. Does anyone know how we can go about finding it? The only thing we know is the domain that we're on.
The ASP.NET Active Directory Membership Provider does an authenticated bind to Active Directory using a specified username, password, and "connection string". The connection string is made up of the LDAP server's name and the fully-qualified path of the container object where the specified user is located.

The connection string begins with the URI
LDAP://
For the server name, you can use the name of a domain controller in that domain; let's say "dc1.corp.domain.com". That gives us
LDAP://dc1.corp.domain.com/
thus far.

The next bit is the fully qualified path of the container object where the binding user is located. Let's say you're using the "Administrator" account and your domain's name is "corp.domain.com". The "Administrator" account is in a container named "Users" located one level below the root of the domain. Thus, the fully qualified DN of the "Users" container would be:
CN=Users,DC=corp,DC=domain,DC=com
If the user you're binding with is in an OU instead of a container, the path would include "OU=ou-name". So, an account in an OU named "Service Accounts" that's a sub-OU of an OU named "Corp Objects" that's a sub-OU of a domain named "corp.domain.com" would have a fully-qualified path of
OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com

Combine the
LDAP://dc1.corp.domain.com/
with the fully qualified path to the container where the binding user is located (like, say,
LDAP://dc1.corp.domain.com/OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com
) and you've got your "connection string".

(You can use the domain's name in the connection string as opposed to the name of a domain controller. The difference is that the domain's name will resolve to the IP address of any domain controller in the domain. That can be both good and bad. You're not reliant on any single domain controller to be up and running for the membership provider to work, but if the name happens to resolve to, say, a DC in a remote location with spotty network connectivity, then you may have problems with the membership provider working.)
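The following Python is an added worked example of the construction the answer above describes; it is not code from the original thread, from Microsoft, or from the membership provider itself. It turns the domain name into the DC= path, escapes OU names as RFC 4514 requires so that a comma inside an OU name cannot split the path into two OUs, and strips the leaf CN from a user's full DN (the double-quoted form that dsquery user prints) to recover the container to bind under. The domain corp.domain.com, the controller dc1.corp.domain.com and the OU names are the ones assumed in the answer; the "Jane Doe" DN and the "Sales, EMEA" OU are constructed samples. Everything is string manipulation, so it runs offline without a domain controller.

```python
"""Build an ActiveDirectoryMembershipProvider connection string offline.

Added example, not code from the original thread or from Microsoft. It
assumes the domain corp.domain.com, the domain controller dc1.corp.domain.com
and the OU names used in the answer above; it manipulates strings only and
never contacts a domain controller.
"""
from typing import List, Optional, Sequence

# Characters that must be backslash-escaped inside an RDN value (RFC 4514, 2.4).
_SPECIAL = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN (RFC 4514)."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")        # NUL is written as a hex pair
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")         # a leading '#' would introduce a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")         # leading/trailing spaces are otherwise insignificant
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc_path(domain: str) -> str:
    """'corp.domain.com' -> 'DC=corp,DC=domain,DC=com'."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def container_dn(domain: str, ous: Sequence[str] = (), cn: Optional[str] = None) -> str:
    """DN of the container the binding user lives in.

    ``ous`` lists OU names from the domain root downward, e.g.
    ["Corp Objects", "Service Accounts"]; a DN is written leaf first, so the
    list is reversed.  ``cn`` names a built-in container such as "Users",
    which is a container object (CN=), not an OU (OU=).
    """
    parts: List[str] = []
    if cn:
        parts.append("CN=" + escape_rdn_value(cn))
    parts.extend("OU=" + escape_rdn_value(ou) for ou in reversed(ous))
    parts.append(domain_to_dc_path(domain))
    return ",".join(parts)


def connection_string(server: str, container: str) -> str:
    """Join the LDAP:// prefix, server name and container DN the provider expects."""
    return f"LDAP://{server}/{container}"


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs on unescaped commas, leaving escapes intact."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                 # the character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).lstrip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).lstrip())
    return [rdn for rdn in rdns if rdn]


def parent_container(user_dn: str) -> str:
    """Drop the leaf RDN of a user's DN; what remains is the container to bind under.

    Accepts the double-quoted form that ``dsquery user`` prints.
    """
    rdns = split_dn(user_dn.strip().strip('"'))
    if len(rdns) < 2:
        raise ValueError(f"not a user DN: {user_dn!r}")
    return ",".join(rdns[1:])


if __name__ == "__main__":
    domain = "corp.domain.com"
    dc = "dc1." + domain
    print(connection_string(dc, container_dn(domain, cn="Users")))
    print(connection_string(dc, container_dn(domain, ["Corp Objects", "Service Accounts"])))
    # Constructed sample of one line of `dsquery user -name Ja*` output.
    line = '"CN=Jane Doe,OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com"'
    print(connection_string(domain, parent_container(line)))
    # An OU whose name contains a comma must be escaped or the DN is ambiguous.
    print(container_dn(domain, ["Sales, EMEA"]))
```

Only the path is built here; the credentials for the bind belong in the provider's connectionUsername and connectionPassword attributes (or in the connection string's user/password pair under connectionStrings), and a dedicated account with read-only rights to the relevant container is a better choice for that bind than the "Administrator" account the answer uses for illustration.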
Type
dsquery /?
in a command prompt. E.g.:
dsquery user -name Ja*
gets the connection strings for all users with names starting with "Ja".

I just use this tool from Softerra (they make an excellent freeware LDAP Browser) to get the User DN for the currently logged-in user: http://www.ldapbrowser.com/download.htm
I always had problems finding the correct way to type out the OU. The command
dsquery ou domainroot
will give you a list of the correct names of all the OUs in your domain. Not sure if this will help for a larger organization.

If you open up ADSIedit, it should show you the path when you choose to Connect To...
Install Remote Server Administration Tools: http://www.microsoft.com/en-us/download/details.aspx?id=7887

Open a command prompt and enter
dsquery server

For more information, please check this post (bottom of the post): http://www.schiffhauer.com/mvc-5-and-active-directory-authentication/
The full syntax is at http://www.faqs.org/rfcs/rfc2255.html
I found the easiest way:

You can also find it from

I got these from Microsoft Windows Server 2012 R2.