Steve_Brown_882
Historic F5 Account
Jun 09, 2009

ldap / AD authentication

Hello All,

I am looking for some help getting AD authentication to work. I have been working on this for a few weeks off and on and I just can't seem to make it work as expected.

When I set up the connection like below it works fine, but it will only authenticate users in my sub-domain.

bind dn "user,OU=sub_ou,OU=main_ou,DC=sub_domain,DC=domain,DC=com"
bind pw "Password"
login attr "samaccountname"
search base dn "DC=sub_domain,DC=domain,DC=com"
servers "1.2.3.4"
service 3268

When I set up the connection to point to the root domain like below it will not work at all. I know this is not a domain issue as we have nearly this same thing configured on our FirePass. (The only difference is FirePass has a query string.)

bind dn "user,OU=sub_ou,OU=main_ou,DC=sub_domain,DC=domain,DC=com"
bind pw "Password"
login attr "samaccountname"
scope base
search base dn "DC=domain,DC=com"
servers "1.2.3.4"
service 3268

Can anyone suggest something I am missing or something I can try?
  • If you haven't gotten this to work yet...try changing the scope from base to sub.
  • bind dn "user,... should look like ou=People,dc=test,dc=ee

    You could always use ldapsearch or something to verify that the base dn etc. are correctly set: ldapsearch -h ldaphost -b "ou=People,dc=test,dc=ee" -x "samaccountname=test"

    I got ldap authentication to work with the following profile:

    auth ldap test_ldap_conf {
        search base dn "DC=test,DC=ee"
        bind dn "user@domain"
        bind pw "password"
        search timeout 10
        bind timeout 10
        filter "company=test"
        login attr "samAccountName"
        servers {
            "xxx.xxx.xxx.xxx"
            "xxx.xxx.xxx.xxx"
        }
    }
  • Steve_Brown_882
    Historic F5 Account
    This is actually a pretty old thread. I did get this working and I think the main issue was base vs sub, but I don't remember what did it exactly.
    • ParlorTricks_14
      Nimbostratus
      While an old thread, I am currently implementing LDAP/AD and reading through your explanation, the fix for switching from the specific to the less specific search is changing base to sub. When you had specified your subdomain you were only searching that for your user, and of course it works because you exist in there. Changing to dc=domain,dc=com, you would need to use Sub as your scope, so that it searches through all the subdirectories to find your user; otherwise if you use Base, it only looks at what is available at the root of your search. It's like using Windows Explorer to look at files: if you use Base then you will see only the files right there, unless you use Sub, which opens up the directories and looks through those too.
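To make the base-versus-sub point above concrete, here is an added example (written for this page, not code from F5 or any poster in the thread) that models LDAP search-scope semantics over a small constructed directory mirroring the DNs in the original post; the DN parsing and scope rules are a simplified stand-in for what a real directory server does, not an LDAP library.

```python
# Added example, not from the thread: a simplified model of LDAP search scope to show why
# "scope base" rooted at DC=domain,DC=com misses a user in a sub-domain OU while "scope sub"
# finds it. The directory below is constructed sample data mirroring the DNs in the post.

def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, most specific first; AD DNs are case-insensitive."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope):
    """True if a search at base_dn with the given scope would examine entry_dn.
    base: only the base entry; one: its immediate children; sub: base plus whole subtree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # entry is not beneath the base at all
    depth = len(entry) - len(base)        # 0 means the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)

# Constructed directory: the user object lives in an OU of the sub-domain, as in the post.
DIRECTORY = {
    "DC=domain,DC=com": {"objectclass": "domainDNS"},
    "DC=sub_domain,DC=domain,DC=com": {"objectclass": "domainDNS"},
    "OU=main_ou,DC=sub_domain,DC=domain,DC=com": {"objectclass": "organizationalUnit"},
    "CN=user,OU=sub_ou,OU=main_ou,DC=sub_domain,DC=domain,DC=com":
        {"objectclass": "user", "samaccountname": "user"},
}

def search(base_dn, scope, login_attr, value):
    """DNs of in-scope entries whose login attribute matches, as an auth lookup would do."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope) and attrs.get(login_attr.lower()) == value]

if __name__ == "__main__":
    for base_dn, scope in [("DC=sub_domain,DC=domain,DC=com", "sub"),
                           ("DC=domain,DC=com", "base"),
                           ("DC=domain,DC=com", "sub")]:
        print(base_dn, "scope", scope, "->", search(base_dn, scope, "samaccountname", "user"))
```

Running it shows the root-domain base with scope base returning nothing, which is the failure the original post describes, while scope sub at the same base finds the user.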