
LDAP (Active Directory) querying "the current user"

Engaged, Jul 15, 2009

I've reviewed a lot of stuff on this but I'd appreciate a summary answer of this (no doubt...) FAQ:

Using CF (latest & greatest) on an (I presume) IIS server, I want to be able to auto-detect the Windows identity of "the currently logged-on Windows user" and, by means of LDAP (Active Directory) queries, determine his attributes and group-memberships for authentication purposes.  The user would not be challenged to enter any sort of user-name or password on his own.  (This is strictly an intra-net application and always will be.)

In the Apache Server environment with mod_ldap, I know that reliable information about the currently logged-on user can be obtained from environment variables with which to do subsequent LDAP queries.  But I'm a little fuzzy on what I might expect/use in this situation.

Pointers?  Hyperlinks?  Tips?

TOPICS
Advanced techniques


1 Correct answer

Valorous Hero, Jul 15, 2009

With Windows IIS on a Windows Server on a Windows domain to a Windows client using a Windows browser it can be easily done.

If the "Windows Integrated Security" option is selected in the IIS administrator and "Anonymous Logon" is NOT selected, then the cgi.auth_user variable will be populated by the web server with the domain/username of the user logged into the client machine.

It is quite simple to access this cgi.auth_user value and use it in a <CFLDAP...> tag to read the active directory record

...

LEGEND, Jul 15, 2009

Look at your cgi variables.  Anything promising show up?

Engaged, Jul 15, 2009

I am of course aware of CGI.AUTH_USER, et al, which will reliably tell me who the user is.  But I'm not certain that this is sufficient information to allow me to execute an LDAP query against this information, to find group-memberships and such.

Hmmm...  maybe it is.  I'm somehow thinking that the user's password must be supplied ... or some password ... but the more that I think about it now, maybe that's not the case.

I'll have to go back into my source-code archives and remind myself of how I once did this very thing in Perl.

Yup... sure 'nuf, it's a FAQ:  http://forums.adobe.com/thread/203351 seems to sum it up rather well.

Ahh, "senior moments."  I guess I need to get used to ... to ... uhh, what was I talking about?

Valorous Hero, Jul 15, 2009

No, the password will not be supplied in the CGI scope.  For our systems we do not use the user's password to access their LDAP record.  We have a ColdFusion user in Active Directory that is used to access the user's record and read their group and other data from Active Directory.

Engaged, Jul 15, 2009

> We have a ColdFusion user in Active Directory that is used to access the user's record and read their group and other data from Active Directory.

I saw another older thread where you said that ...  so you do need to possess a username/password (e.g. this "canned" one set-up for the purpose and built-in to the application) in order to query about someone else?   (So it would seem.  No problem.)

Valorous Hero, Jul 15, 2009

With Windows IIS on a Windows Server on a Windows domain to a Windows client using a Windows browser it can be easily done.

If the "Windows Integrated Security" option is selected in the IIS administrator and "Anonymous Logon" is NOT selected, then the cgi.auth_user variable will be populated by the web server with the domain/username of the user logged into the client machine.

It is quite simple to access this cgi.auth_user value and use it in a <CFLDAP...> tag to read the active directory record for other information about that user.

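The approach described in this thread (cgi.auth_user from IIS, then a CFLDAP lookup bound as a dedicated service account), sketched as an added example that is not part of any post above. The server name, base DN, group DN and the `application.ldapUser` / `application.ldapPassword` settings are hypothetical placeholders; the page is protected by failing closed when IIS supplies no identity and by escaping the name before it enters the LDAP filter.

```cfml
<!--- Added example. Server, base DN, group DN and application.ldap* are assumptions. --->
<cfscript>
// RFC 4515 filter escaping. Backslash goes first so the escape
// sequences themselves are not escaped a second time.
function ldapEscape(v) {
    v = replace(v, "\", "\5c", "all");
    v = replace(v, "*", "\2a", "all");
    v = replace(v, "(", "\28", "all");
    v = replace(v, ")", "\29", "all");
    return v;
}

// IIS fills cgi.auth_user only for an authenticated request. An empty
// value means anonymous access is still enabled, so deny instead of guessing.
authUser = trim(cgi.auth_user);

// Drop the domain prefix; accept either separator.
samName = listLast(authUser, "\/");

// Reject empty names and names carrying control characters.
denied = NOT len(samName) OR reFind("[[:cntrl:]]", samName) GT 0;
</cfscript>

<cfif denied>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Bind as the read-only service account over LDAPS, never as the end user.
      separator="|" because the DNs in memberOf contain commas. --->
<cfldap action="query" name="adUser"
    server="dc.example.internal" port="636" secure="CFSSL_BASIC"
    username="#application.ldapUser#" password="#application.ldapPassword#"
    start="DC=example,DC=internal" scope="subtree"
    filter="(&(objectCategory=person)(sAMAccountName=#ldapEscape(samName)#))"
    attributes="cn,mail,memberOf" separator="|" maxrows="2">

<cfset requiredGroup = "CN=IntranetApp-Users,OU=Groups,DC=example,DC=internal">

<!--- Exactly one match is required; zero or several both mean "deny". --->
<cfif adUser.recordCount NEQ 1
      OR NOT listFindNoCase(adUser.memberOf, requiredGroup, "|")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```

The `memberOf` attribute lists direct memberships only, so a user who reaches the required group through a nested group or as their primary group will not match this check.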
Engaged, Jul 15, 2009

Yep, I found this juicy post from February 19th shortly after posting... http://forums.adobe.com/thread/203351

Seems to be the "cookbook" that I was looking for but did not quite take the time to find.
