Heathcliff Heathcliff - 1 month ago 5x
Node.js Question

What do I need to connect to an LDAP, and bind to a more "general" DN to search for users?

I have a problem about something I've never really encountered before, that is connecting to an LDAP from a NodeJS application. Until now, I didn't even know there was such a thing as an LDAP, so I've been learning on the go. That's why this may be a stupid question, but I haven't found any concise answer.

The requirement is: "log to an LDAP from your application with the user and pass provided in your login screen". The client has an LDAP, and wants to use it to authenticate our application's users, so the user and pass entered in our log in screen are used to try to log in to the LDAP.

I understand that I need three things to connect to an LDAP:

  • the server's URL

  • A user (with pass)

  • And a DN to bind to

I'm currently using
to connect from NodeJS. The operation that I'd need to use to authenticate the user, I understand, it's the
. For that, I need to have created the server (already done, and no problems) and pass the dn, and the password. I assume the DN includes the user. Something like


Which works... provided that the users belong to the same "branch". That is, if all of them are in, say,
. That's why I'm able to "hardcode" the DN in the
and just change the user with a replace.

Problem is, not all of them belong to the same "branch" (I don't know the technical name for this). Say, I have some in
, some in

So I don't know to begin with what the user's organization is, so I can't make him bind to the LDAP client because I lack the DN.

The client only provided us with an example, from another application that used ASP.NET and ADO.NET to do so, using something like a SQL command to get the LDAP info. Thing is, the equivalent to the DN was a more generic one. Something like


This, apparently, worked. If I try to do the same thing, using that more "general" DN route (which, I assume, is a node higher on the LDAP tree), providing one of the users' password, I get an authentication error.

So, how come? What am I missing? What do I need to log the users to LDAP using just the "CN=[username]" DN? Is that something that only ADO.NET can use?

Thanks, and sorry if it's too generic a question.


Per the comment I made:

To bind with Active Directory you do not need to know the full DN of the user. There is a list of all the different available methods on this page in the docs. So you could use user@domain.com as an example. Or just the supplied username would work in most cases.