Forum Discussion
gavin84_31753
Nimbostratus
NimbostratusAD LDAP Authentication fails with mail as username
We are migrating from OID to AD LDAP. Oracle password works fine. Tried to replicate the configuration for AD LDAP. All is the same with the exceptions of a query at the beginning. The LDAP team is telling me they use userpassword attribute...I have also configured it to look for that attribute but it failed with invalid credentials.
Oracle LDAP Auth OBJECT
Search FIlter
mail=%{session.logon.last.username}
Variable Assign session.custom.uid = expr { [ mcget {session.logon.last.username}]}
IF AUTH PASSES Variable Assign session.custom.mechanism = expr { "password" }
AD LDAP Query OJBECT
Search FIlter mail=%{session.logon.last.username}
require attribute mail Variable Assign session.custom.uid = expr { [ mcget {session.logon.last.username}]}
AD LDAP Auth OJBECT
Search FIlter mail=%{session.logon.last.username}
IF AUTH PASSES Variable Assign session.custom.mechanism = expr { "password" }
It will fail auth, so the variable assign password never triggers.
Thank you for any assistance
gavin84_31753To add a little more info. We now have the same search criteria, however, we removed the Auth and are only doing LDAP Query requiring mail and userPassword attributes. We then will do a comparison using expr { [mcget -secure {session.logon.last.password}] equals { [mcget {session.ldap.last.attr.userPassword}]} . The userPassword attribute has the password we are looking to authenticate against.
The APM log does not like the comparison string. I get a rule evaluation missing close brace on it after the query is successful.It seems you have a curly brace too many.
Instead of:
expr { [mcget -secure {session.logon.last.password}] equals { [mcget {session.ldap.last.attr.userPassword}]}Try:
expr { [mcget -secure {session.logon.last.password}] equals [mcget {session.ldap.last.attr.userPassword}]}
