
LDAP and Active Directory


pmow


Just wanted to mention that I could simply not get authenticated using the manual and finally, just used USERNAME for the Authentication user DN and it worked!

 

Specifying 'cn' for the username attribute means my users have to type in their full names instead of their "login name".  I used sAMAccountName instead which is the shortened user account name most AD shops are used to.

 

Finally, for all users, I really wanted to use a security group rather than an OU - the reason for this is that our users are spread across the domain by location.  For the base DN, I used DC=domain,DC=com and for the Query I used: (&(objectClass=user)(objectCategory=person)(memberof=CN=Intella Users,OU=Subgroups,OU=Groups,DC=domain,dc=com))

 

 


Hi pmow!

 

For authentication you should use the CN of an LDAP entry that can perform LDAP lookups (queries). An example from my AD below. Did that not work for you?

<authUserDn>CN=admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=site,DC=local</authUserDn>
<authUserPassword>xxxx</authUserPassword>

Also, in the end you supplied "sAMAccountName" for the username attribute, is that correct? That's exactly why I introduced this "username" attribute in the first place. It allows you to pick some other property of the LDAP entry (associated with a user account) to be treated as the login principal.

 

I'm glad it worked out well for you in the end!



Correct, it did not work for me.  Thanks for including the field!  The reason I mentioned the attribute is that the 'cn' field was recommended in the manual and I think most users would not want to log in with "John C. Doe" as their account name.

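The lookup that pmow's first post and the reply above describe (bind with a service account that may query the directory, search from the domain root because users sit in different OUs, restrict to one security group, identify the user by sAMAccountName instead of cn), written out as an added example. This is not code from the thread or from the product being discussed; the DN values are the poster's own placeholders (domain.com), and the function names are assumptions made here. The one thing it adds beyond the posts is RFC 4515 escaping of the typed login name, so that a login name containing "*", "(" or ")" cannot change the structure of the filter the application sends to AD.

```python
"""Constructed example (not the forum poster's or the product's own code).

Builds the AD user-lookup search the thread describes: after binding with the
service account (authUserDn), search the domain root with subtree scope,
restrict to person accounts that are members of one security group, and match
the typed login name against sAMAccountName. The entry's DN is then used for
the second bind that checks the user's password.
"""

# Values taken from the thread; "domain.com" is the poster's placeholder domain.
BASE_DN = "DC=domain,DC=com"
GROUP_DN = "CN=Intella Users,OU=Subgroups,OU=Groups,DC=domain,DC=com"
USERNAME_ATTR = "sAMAccountName"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is treated as data, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dn: str = GROUP_DN) -> str:
    """The 'all users' filter from the post: person accounts in one security group."""
    return (
        "(&(objectClass=user)(objectCategory=person)"
        f"(memberOf={escape_filter_value(group_dn)}))"
    )


def user_lookup_filter(login_name: str, username_attr: str = USERNAME_ATTR,
                       group_dn: str = GROUP_DN) -> str:
    """Narrow the group filter to the single account whose login name was typed.

    The login name is untrusted input and is escaped; the group DN is escaped
    too, since a DN may legitimately contain backslashes or parentheses.
    """
    return (
        "(&(objectClass=user)(objectCategory=person)"
        f"({username_attr}={escape_filter_value(login_name)})"
        f"(memberOf={escape_filter_value(group_dn)}))"
    )


def user_lookup_search(login_name: str) -> dict:
    """Parameters of the search performed under the service-account bind."""
    return {
        "base": BASE_DN,
        "scope": "subtree",  # members of the group live in different OUs
        "filter": user_lookup_filter(login_name),
        "attributes": ["distinguishedName", USERNAME_ATTR, "cn"],
    }


if __name__ == "__main__":
    # A normal login name and a hostile one (constructed) side by side.
    for name in ("jdoe", "*)(sAMAccountName=*"):
        print(user_lookup_search(name)["filter"])
```

Searching from the domain root with subtree scope is what makes the group-based approach work when accounts are spread across location OUs; the memberOf clause, not the OU, decides who may log in. Note that memberOf only reflects direct group membership, so users who belong to "Intella Users" only through a nested group will not match this filter.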
