LDAP and Active Directory

Just wanted to mention that I could simply not get authenticated using the manual and finally, just used USERNAME for the Authentication user DN and it worked!

 

Specifying 'cn' for the username attribute means my users have to type in their full names instead of their "login name".  I used sAMAccountName instead which is the shortened user account name most AD shops are used to.

 

Finally, for all users, I really wanted to use a security group rather than an OU - the reason for this is that our users are spread across the domain by location.  For the base DN, I used DC=domain,DC=com and for the Query I used: (&(objectClass=user)(objectCategory=person)(memberof=CN=Intella Users,OU=Subgroups,OU=Groups,DC=domain,dc=com))
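
An added example in Python, not Intella's own code, that builds the two filters this post describes: the group-membership query used to select all users, and the per-login lookup that resolves a typed sAMAccountName to its entry. The login name is escaped per RFC 4515 so characters such as `*`, `(` and `)` cannot change the filter's structure, and a small RFC 4514 splitter checks that a bind DN like the one quoted in this thread is well formed. Function names (`escape_filter_value`, `login_filter`, `group_member_filter`, `split_dn`) and the `nested` option are assumptions of this example; the group DN and attribute names come from the thread.

```python
"""LDAP/AD filter construction for the configuration discussed in the thread.

Example code written for this thread; not Intella's implementation.
"""

# Group DN exactly as given in the post (attribute-type case is insignificant in LDAP).
INTELLA_GROUP_DN = "CN=Intella Users,OU=Subgroups,OU=Groups,DC=domain,DC=com"

# The post's base filter, with room for further AND-ed clauses.
BASE_FILTER = "(&(objectClass=user)(objectCategory=person){extra})"

# AD's LDAP_MATCHING_RULE_IN_CHAIN OID: makes memberOf match nested group membership.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Each character is mapped independently, so a backslash in the input is
    escaped once and never re-escaped.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dn: str, nested: bool = False) -> str:
    """Filter selecting person-type user objects that belong to group_dn.

    Plain memberOf only matches direct members; nested=True applies the
    in-chain matching rule so members of nested groups are included too.
    """
    attr = f"memberOf:{IN_CHAIN_RULE}:" if nested else "memberOf"
    return BASE_FILTER.format(extra=f"({attr}={escape_filter_value(group_dn)})")


def login_filter(login: str, group_dn: str, username_attr: str = "sAMAccountName") -> str:
    """Filter resolving one typed login name to its entry, restricted to group_dn.

    username_attr is operator-configured (the thread uses sAMAccountName rather
    than cn); the login value is untrusted input and is escaped.
    """
    if not login or login != login.strip():
        raise ValueError("login name must be non-empty with no surrounding whitespace")
    extra = (
        f"({username_attr}={escape_filter_value(login)})"
        f"(memberOf={escape_filter_value(group_dn)})"
    )
    return BASE_FILTER.format(extra=extra)


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDNs, honouring backslash-escaped commas (RFC 4514).

    Multi-valued RDNs joined with '+' are not handled here. Raises ValueError on
    an RDN without an '=' or with an empty type or value, which catches the
    common mistake of pasting a bare username where a DN is expected.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip(), value))
    return parsed


if __name__ == "__main__":
    print(group_member_filter(INTELLA_GROUP_DN))
    print(login_filter("jdoe", INTELLA_GROUP_DN))
    # A login name carrying filter metacharacters stays a literal value:
    print(login_filter("jdoe)(|(cn=*", INTELLA_GROUP_DN))
    print(split_dn("CN=admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=site,DC=local"))
```

The filter strings are what a client would pass to its search call; the point of the example is that the login name never reaches the filter unescaped, and that the group clause on its own only covers direct members unless the in-chain rule is used.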

Hi pmow!


For authentication you should use the CN of an LDAP entry that can perform LDAP lookups (queries). An example from my AD below. Did that not work for you?

<authUserDn>CN=admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=site,DC=local</authUserDn>
<authUserPassword>xxxx</authUserPassword>

Also, in the end you supplied "sAMAccountName" for the username attribute, is that correct? That's exactly why I introduced this "username" attribute in the first place. It allows you to pick some other property of the LDAP entry (associated with a user account) to be treated as the login principal.

I'm glad it worked out well for you in the end!

Correct, it did not work for me. Thanks for including the field! The reason I mentioned the attribute is that the 'cn' field was recommended in the manual and I think most users would not want to log in with "John C. Doe" as their account name.
