HOWTO Validate credentials against AD

I’m trying to achieve simple AD credential validation.
The equivalent C# code works fine.

C#

using System;
using System.DirectoryServices.AccountManagement;

class Program
{
  private static void Main(string[] args)
  {
    try
    {
      // ContextType.Domain plus a server name/address: ValidateCredentials takes a
      // bare username here, so no DN or UPN is needed on the C# side.
      using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "132.10.100.156"))
      {
        bool isValid = pc.ValidateCredentials("my-username", "my-password");

        Console.WriteLine(isValid);
      }
    }
    catch (Exception e)
    {
      Console.WriteLine(e);
    }

    Console.ReadLine();
  }
}

Elixir

defmodule AD do
  @moduledoc false
  require Logger

  @format [
    limit: :infinity,
    pretty: true,
    structs: true,
    width: 210,
    syntax_colors: [number: :yellow, atom: :cyan, string: :green, boolean: :magenta, nil: :magenta]
  ]

  # Open a plain (non-TLS) LDAP connection to the DC with a logging callback attached;
  # hosts and credentials are charlists because eldap is an Erlang library.
  def test do
    {:ok, pid} = :eldap.open(['132.10.100.156'], log: &log/3)
    :eldap.simple_bind(pid, 'my-username', 'my-password')
  end

  # eldap calls log/3 as (level, format_string, format_args) for each request and reply
  def log(_level, format_string, format_args) do
    Logger.debug(inspect({format_string, format_args}, @format))
  end
end

Console:

iex> AD.test
[2019-11-16 18:23:53.354] {'bind request = ~p~n', [{:BindRequest, 3, 'my-username', {:simple, 'my-password'}}]}
{:error, :invalidCredentials}
[2019-11-16 18:23:53.511] {'bind reply = ~p~n',
 [
   ok: {:LDAPMessage, 1,
    {:bindResponse,
     {:BindResponse, :invalidCredentials, [],
      [56, 48, 48, 57, 48, 51, 48, 56, 58, 32, 76, 100, 97, 112, 69, 114, 114, 58, 32, 68, 83, 73, 68, 45, 48, 67, 48, 57, 48, 51, 67, 56, 44, 32, 99, 111, 109, 109, 101, 110, 116, 58, 32, 65, 99, 99, 101, 112,
       116, 83, 101, 99, 117, 114, 105, 116, 121, 67, 111, 110, 116, 101, 120, 116, 32, 101, 114, 114, 111, 114, 44, 32, 100, 97, 116, 97, 32, 53, 50, 101, 44, 32, 118, 50, 53, 56, 48, 0], :asn1_NOVALUE,
      :asn1_NOVALUE}}, :asn1_NOVALUE}
 ]}
iex>

Erlang docs on :eldap are not of much help. I’ve also tried to use an Elixir library, :paddle, without success.

Any help please.

I haven’t used eldap, but in most other implementations in other languages you typically supply the full DN with bind, so something of the form cn=commonname,ou=something,dc=domain,dc=domainsuffix rather than just the username.

4 Likes

Thanks! I’ve been stuck on this all day. C# allows for simple username/password validation; I did not know to use the DN string format, as none was provided.

Just to add to the previous post, since I’m guessing you might be doing this: if you’re looking for users to log in via a form, what I’ve done in the past is use a read-only/low-privilege account to do an initial bind, then search for the user account using an attribute (samAccountName, Mail, upn, whatever), get their full DN and then bind again as that user.

1 Like

It seems I can just use username@my-domain-name.xxx and the password directly.

1 Like
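Putting the three replies together (bind with a full DN, the service-account bind followed by a search, and the username@domain form) as an added example that is not code from the thread, from eldap's docs or from :paddle. First, the reply in the original console output is worth reading: the byte list inside the BindResponse is the ASCII diagnostic message "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580", and data 52e is the domain controller's code for an unknown name or wrong password, which is exactly what a bare username produces as a bind name. The module below assumes a hypothetical DC name dc01.example.local (only the IP 132.10.100.156 appears in the thread; a DNS name is used so the LDAPS certificate can be verified), a base DN dc=example,dc=local, a low-privilege service account ldap-reader with its password, and a CA file path; all are placeholders to replace. It uses LDAPS on port 636 because a simple bind sends the password in the clear, rejects empty passwords before they reach the server, and builds the search filter through eldap's structured constructors so user input is never spliced into a filter string.

```elixir
defmodule ADAuth do
  @moduledoc """
  Validate a user's AD credentials with :eldap using the service-account-then-user
  bind pattern described in the thread. Added example; not code from the thread.
  """

  # Assumed values: only the DC's IP appears in the thread. A DNS name is used here
  # so the LDAPS certificate can be verified against it.
  @host ~c"dc01.example.local"
  @base ~c"dc=example,dc=local"
  @service_dn ~c"cn=ldap-reader,ou=Service Accounts,dc=example,dc=local"
  @service_pw ~c"service-account-password"
  # placeholder path to the CA that issued the DC's certificate
  @ca_file ~c"/etc/ssl/certs/ad-root-ca.pem"

  @doc """
  Returns {:ok, distinguished_name} when the domain controller accepts the
  username/password pair, or {:error, reason} otherwise.
  """
  def validate(username, password) when is_binary(username) and is_binary(password) do
    if password == "" do
      # A simple bind with a name but an empty password is an *unauthenticated* bind
      # (RFC 4513 section 5.1.2), which AD answers with success. Never send it.
      {:error, :empty_password}
    else
      case :eldap.open([@host], ssl: true, port: 636, timeout: 5_000, sslopts: ssl_opts()) do
        {:ok, conn} ->
          try do
            bind_search_bind(conn, username, password)
          after
            :eldap.close(conn)
          end

        {:error, reason} ->
          {:error, {:connect, reason}}
      end
    end
  end

  def validate(_username, _password), do: {:error, :bad_argument}

  # The three steps from the thread: service bind, search, user bind.
  defp bind_search_bind(conn, username, password) do
    with :ok <- step(:service_bind, :eldap.simple_bind(conn, @service_dn, @service_pw)),
         {:ok, dn} <- find_user_dn(conn, username),
         :ok <- step(:user_bind, :eldap.simple_bind(conn, dn, String.to_charlist(password))) do
      {:ok, List.to_string(dn)}
    end
  end

  # Tag failures with the step so a wrong service-account password (a deployment
  # problem) is distinguishable from a wrong user password (expected at login).
  defp step(_name, :ok), do: :ok
  defp step(name, {:error, reason}), do: {:error, {name, reason}}

  # Look the account up by sAMAccountName or userPrincipalName and return its DN.
  defp find_user_dn(conn, username) do
    name = String.to_charlist(username)

    # eldap encodes the filter as an ASN.1 structure, so `name` travels as a value
    # and is never spliced into a filter string: no LDAP filter injection here.
    filter =
      :eldap.and([
        :eldap.equalityMatch(~c"objectClass", ~c"user"),
        :eldap.or([
          :eldap.equalityMatch(~c"sAMAccountName", name),
          :eldap.equalityMatch(~c"userPrincipalName", name)
        ])
      ])

    search = [
      base: @base,
      scope: :eldap.wholeSubtree(),
      filter: filter,
      attributes: [~c"distinguishedName"],
      # At most two entries: one is the answer, two means the name is ambiguous.
      sizelimit: 2
    ]

    case :eldap.search(conn, search) do
      {:ok, {:eldap_search, [{:eldap_entry, dn, _attrs}], _referrals}} -> {:ok, dn}
      {:ok, {:eldap_search, [], _referrals}} -> {:error, :user_not_found}
      {:ok, {:eldap_search, _two_or_more, _referrals}} -> {:error, :ambiguous_user}
      {:error, :sizeLimitExceeded} -> {:error, :ambiguous_user}
      {:error, reason} -> {:error, {:search, reason}}
    end
  end

  # Verify the DC's certificate. A bare `ssl: true` still encrypts but accepts any
  # certificate, which lets a man-in-the-middle read the password in the simple bind.
  defp ssl_opts do
    [verify: :verify_peer, cacertfile: @ca_file, server_name_indication: @host]
  end
end
```

Call it as ADAuth.validate("jdoe", "the-password"); :eldap and :ssl must be running, so list them under extra_applications in mix.exs. At a login form, collapse :user_not_found, :ambiguous_user and {:user_bind, :invalidCredentials} into one generic failure message and log the detailed reason server-side, otherwise the form reveals which usernames exist. The username@domain shortcut from the last reply skips the search step and binds directly, but it still needs the empty-password check and the verified LDAPS connection.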