Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Comments on How to check if a ldap username is valid without contacting the active directory via ldap?

Post

How to check if a ldap username is valid without contacting the active directory via ldap?

+2
−0

I have some code connecting to an active directory via ldap. Something like this:

public Response add(User user) {

    try {
        LDAPConnectionPool ldapPool = ldapConnectionPool.getPool();
        // Code
        LDAPResult res = ldapPool.add(user);
    } catch (LDAPException exeption) {

Before the try block, I'd like to check if the username is valid, in the sense that it's not too long, cotains illegal characters, does not end with dot etc. And sure, that would be fairly easy to write. But I thought that there must be a library function that does this, but I have not been able to find it anywhere.

When I google "validate username ldap", "validate samaccountname" etc in various ways, all I find is stuff to check if the user exists on the server and similar. Was that a bad search query? Is this called something else?

Sure, in theory I could try to create the user on the server and check the return code, but I want to perform this check without contacting the ldap server at all. And I don't want to reinvent the wheel either. (Ok, I do want to reinvent the wheel, but the code would suffer)

I have found this https://ldapwiki.com/wiki/SamAccountName

We have used this and it appears to work:

^(?:(?:[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,][^\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]{0,62}[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])|[^.\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])$

But this seems very experimental and unofficial. Plus that I need a way to validate more restricted version with maximum 20 characters.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

2 comment threads

I strongly recommend you don't do this. The LDAP server has to do it all anyway when you register the... (2 comments)
RFC-4915 and RFC-4517 (5 comments)
RFC-4915 and RFC-4517
elgonzo‭ wrote over 2 years ago · edited over 2 years ago

Look at the "LDAP: Schema for User Applications" RFC-4915. It defines 'uid'/'userid' being a "Directory String" (LDAP syntax identifier 1.3.6.1.4.1.1466.115.121.1.15). "Directory String" is defined in RFC-4517 (LDAP: Syntaxes and Matching Rules).

Basically, a user name must be at least one character, with the characters being any from the UCS. UCS is equivalent to the the characters and char code points defined in Unicode without all the metadata and rules Unicode assigns to various characters (such as combining rules, for example).

That's all that LDAP defines. (Any further restrictions on uid/userid could potentially be imposed by the concrete directory service/server you are contacting, but that's outside the scope of LDAP itself.)

elgonzo‭ wrote over 2 years ago · edited over 2 years ago

I am right now not having the energy to write a proper clean and self-contained answer. Feel free to look up the mentioned RFCs, and put the information together into a coherent answer, if you or anyone else feels like... ;-)

P.S.: The ldapwiki page you linked to is clearly stating that that page is about SAM user names, and not about ldap user names (uid/userid). SAM is a Windows-specific thing (as the page also mentions multiple times), not an LDAP-specific thing. You are going down the wrong road here with respect to the question you posed.

klutt‭ wrote over 2 years ago

elgonzo‭ You're probably right there. I'm using the protocol Ldap to connect to an active directory. When I google it, I'm not the first one to mix this up. :D

elgonzo‭ wrote over 2 years ago · edited over 2 years ago

Okay, if you are interfacing with an AD service, i would suggest to go with what the https://ldapwiki.com/wiki/SamAccountName page says. Although, you could probably simplify the regex by using look-ahead/look-behind assertions (depending on the capabilities of Java's regex engine). If you have a Windows box or VM at hand, you should be able to relatively easily verify the statements the page makes about the logon format name -- simply try creating a new user account, and try both exceeding the max. logon name length and using illegal characters (the Windows dialog for creating new user accounts should not allow you to create user names longer than 20 chars, and complain about illegal characters kinda like this: https://software.codidact.com/uploads/3sqPwnCHejcBwysfCbUggUeV)

elgonzo‭ wrote over 2 years ago · edited over 2 years ago

And for good measure, here the "horse's mouth": https://docs.microsoft.com/en-us/windows/win32/adschema/a-samaccountname :-)

With regard to any library offering functions doing this format check for you, i honestly don't know. But it should be relatively simple and straightforward to implement yourself if you can't find some ready-to-use function, i guess.

(Note that Active Directory also maintains uid alongside samaccountname. uid is the user name, and not necessarily required to be equal to the NTLM logon name samaccountname.)