I have a Java app that can authenticate to LDAP by logging users into the AD LDAP server with the NTLM name (which they are used to - this is a requirement).
I now also need to do authorization, and hence need to find a forest-unique identifier for the user (DN or UPN should work), from which I can further query the directory.
The method needs to be absolutely portable, even if the AD is structured in an unusual fashion, otherwise I could just do a string replacement and search for a UPN of "${ntlm-user}@${ntlm-domain}.${configured-trailing-domain}"
How can I do this, using pure LDAP?
Currently, I'm using the java.naming.directory package, which I'd like to keep using, since it doesn't throw up problems when not binding with a DN but logging in with an NTLM name?