Aide memoire: Remote LDAP access with ColdFusion

June 16th, 2010 by Gareth Hughes
No Comments

When attempting to extract user data from Active Directory or some other LDAP server you need to have the full account details (username and password) of a user with read (and write if making updates) access to the server for the record(s) you want to retrieve. This would be supplied by a network admin or similar.

On IIS where using basic authentication, you can access CGI.AUTH_USER and CGI.AUTH_PASSWORD. This is bad practise as passwords are sent in plain text. On IIS when using integrated NT authentication only CGI.AUTH_USER is populated. On IIS with anonymous access neither field is populated. CGI.AUTH_USER uses the format DOMAIN\username.

To retrieve the information of a specific individual use the username and password of an authorised account and filter using the CGI.AUTH_USER variable. Using ColdFusion against Active Directory the format is as follows:

<cfset domain = listFirst(CGI.AUTH_USER,'\')>
<cfset username = listLast(CGI.AUTH_USER,'\')>

<cfset adminDomian = "ADdomain">
<cfset adminUsername = "joeblogs">
<cfset adminPassword = "joeblogs123">

<cfldap action="QUERY"
	name="auth"
	attributes="c,cn,company,department,displayName,dn,givenName,homeDrive,l,mail,objectCategory,objectClass,physicalDeliveryOfficeName,postalCode,sAMAccountName,sn,st,streetAddress,telephoneNumber,title,userPrincipalName"
	start="DC=subdomain,DC=domain,DC=com"
	scope="SUBTREE"
	filter="sAMAccountName=#username#"
	sort="userPrincipalName"
	server="ldap.server.address"
	username="#adminDomian#\#adminUsername#"
	password="#adminPassword#">

Getting the LDAP server address using DOS: