Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Comments on How to check if a ldap username is valid without contacting the active directory via ldap?

Post

How to check if a ldap username is valid without contacting the active directory via ldap?

+2
−0

I have some code connecting to an active directory via ldap. Something like this:

public Response add(User user) {

    try {
        LDAPConnectionPool ldapPool = ldapConnectionPool.getPool();
        // Code
        LDAPResult res = ldapPool.add(user);
    } catch (LDAPException exeption) {

Before the try block, I'd like to check if the username is valid, in the sense that it's not too long, cotains illegal characters, does not end with dot etc. And sure, that would be fairly easy to write. But I thought that there must be a library function that does this, but I have not been able to find it anywhere.

When I google "validate username ldap", "validate samaccountname" etc in various ways, all I find is stuff to check if the user exists on the server and similar. Was that a bad search query? Is this called something else?

Sure, in theory I could try to create the user on the server and check the return code, but I want to perform this check without contacting the ldap server at all. And I don't want to reinvent the wheel either. (Ok, I do want to reinvent the wheel, but the code would suffer)

I have found this https://ldapwiki.com/wiki/SamAccountName

We have used this and it appears to work:

^(?:(?:[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,][^\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]{0,62}[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])|[^.\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])$

But this seems very experimental and unofficial. Plus that I need a way to validate more restricted version with maximum 20 characters.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

2 comment threads

I strongly recommend you don't do this. The LDAP server has to do it all anyway when you register the... (2 comments)
RFC-4915 and RFC-4517 (5 comments)
I strongly recommend you don't do this. The LDAP server has to do it all anyway when you register the...
EJP‭ wrote over 2 years ago

I strongly recommend you don't do this. The LDAP server has to do it all anyway when you register the user after passing your own code, and you can never have a guarantee that your own code exactly matches the LDAP server's tests. And merely passing a syntax check locally still allows plenty of other possible failures, such as duplicate username for a start. There's no value in having two levels of checking.

klutt‭ wrote over 2 years ago

EJP‭ We ended up using something anyway, and I got pretty good argument from my boss about it. Firstly, our requirements are stricter than the ldap server. We don't care if they match to 100%. The only thing we care about is that those that the check lets through to the server are 100% guaranteed to work.

And even if it isn't likely, it could be the case that the server allows a name that it shouldn't that is also a vulnerability, something a hacker could take advantage of.