Active Directory LDAP Authentication

I've tried to configure the UCMDB to enable LDAP authentication for Active Directory, but I'm unable to log on once I set "Remote users repository mode" to "true". I can still log on using the local sysadmin UCMDB account, but any other account gives me "Authentication failed".

I think I'm close as I have 3 different Active Directory groups showing up under Security, LDAP Mapping. They are UCMDB_Admins, UCMDB_SuperAdmins, UCMDB_Viewers. Each of these groups is associated with a corresponding group in the UCMDB (i.e. UCMDB_Admins has Admins in the select groups window).

I have one user in the UCMDB_SuperAdmins group in Active Directory and still can't log on with that user ID.

Here are the settings for the 4 LDAP categories. I've changed a couple for the purpose of posting them here.

*** deprecated *** Security Protocol: 
Automatically assigned user group: 
Enable User Permissions Synchronization: TRUE
Is case-sensitivity enforced when authenticating with LDAP: FALSE
LDAP Server URL: ldap://somedc.its.corp.gwl.com:389/??sub
LDAP vendor type: Microsoft Active Directory
Remote users repository mode: TRUE
Use bottom up algorithm for finding parent groups from the LDAP server.: FALSE
Users filter: (&(objectClass=person)(objectClass=user))

Distinguished Name (DN) Resolution: TRUE
Distinguished Name of Search-Entitled User: CN=Some\,\20User,OU=SOMEORG,OU=ORG\20Users,DC=its,DC=corp,DC=gwl,DC=com
Password of Search-Entitled User: *********
Search Retries Count: 5

Groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Groups search filter: (&(objectClass=group)(CN=UCMDB*))
Root groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Root groups filter: (&(objectClass=group)(CN=UCMDB*))
Root groups scope: sub
Scope for groups search: sub

Group class object: group
Groups description attribute: description
Groups display name attribute: cn
Groups member attribute: member
Groups name attribute: cn
User display name attribute: name
Users object class: user
UUID attribute: sAMAccountName

Any suggestions on what to try next?

Thanks.

  • I figured this out. Turns out my value of "LDAP Server URL" was causing the issue.

    I previously tried these values:

    ldap://mydc.mydomain.com:389??sub

    ldap://mydc.mydomain.com:389/??sub

    I changed it to this, and now it works:

    ldap://mydc.mydomain.com:389/DC=firstou,DC=secondou,DC=com??sub

    Obviously, the values above were changed to mask out our real values. But basically, I had to put in the DC=... stuff representing the root of my AD forest.

    I am able to log on using the short name from AD and not the UPN. For example, I can now log on with user IDs like abcd and not like abcd@mydomain.com.

    Thanks.
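The fix in the reply comes down to what the path component of an LDAP URL means. The following Python is an added example, not code from the thread or from UCMDB: it parses the three URL forms quoted in the reply using the RFC 4516 layout `ldap://host:port/baseDN?attributes?scope?filter`, flags the two that the poster said failed (subtree scope with an empty base DN) and the clear-text `ldap://` scheme, and then shows how the users filter and UUID attribute from the first post combine into a per-login search filter with the login name escaped per RFC 4515. That UCMDB composes its user search this way is an assumption; the parsing and escaping rules themselves are from the RFCs.

```python
"""Parse LDAP URLs (RFC 4516) and build an escaped user-lookup filter (RFC 4515).

Added example for the UCMDB / Active Directory thread. The URLs, users filter
and UUID attribute are the ones quoted in the thread; everything else is
constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote

# Values quoted in the first post of the thread.
USERS_FILTER = "(&(objectClass=person)(objectClass=user))"
UUID_ATTRIBUTE = "sAMAccountName"


@dataclass
class LdapUrl:
    """Components of an RFC 4516 URL: scheme://host:port/dn?attrs?scope?filter."""
    scheme: str
    host: str
    port: int
    base_dn: str                              # search base; empty means the root DSE
    attributes: list = field(default_factory=list)
    scope: str = "base"                       # base | one | sub (RFC default: base)
    filter: str = "(objectClass=*)"           # RFC default filter


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    # host:port runs up to the first "/" or "?"; both are optional, which is why
    # "host:389??sub" and "host:389/??sub" describe the same search.
    cut = min((i for i in (rest.find("/"), rest.find("?")) if i != -1), default=len(rest))
    hostport, tail = rest[:cut], rest[cut:].lstrip("/")
    fields = tail.split("?") if tail else []
    fields += [""] * (4 - len(fields))        # pad to dn, attrs, scope, filter
    dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    if scope not in ("", "base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    host, _, port = hostport.partition(":")
    return LdapUrl(
        scheme=scheme,
        host=host,
        port=int(port) if port else (636 if scheme == "ldaps" else 389),
        base_dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope or "base",
        filter=filt or "(objectClass=*)",
    )


def check_url(u: LdapUrl) -> list:
    """Warnings a reviewer would raise about the URL before saving it in UCMDB."""
    warnings = []
    if u.scope == "sub" and not u.base_dn:
        warnings.append("subtree search with an empty base DN: put the naming context "
                        "(the DC=... of the forest root) in the URL path, as the reply did")
    if u.scheme == "ldap":
        warnings.append("plain ldap:// sends the search-entitled user's password in clear "
                        "text unless StartTLS is negotiated; prefer ldaps:// on 636")
    return warnings


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name is only ever compared as a value and can
    never alter the filter structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(login: str, users_filter: str = USERS_FILTER,
                      uuid_attribute: str = UUID_ATTRIBUTE) -> str:
    """AND the configured users filter with an equality match on the UUID attribute.
    Assumption: this is how the product narrows the search to one user. With
    sAMAccountName as the UUID attribute only the short name (abcd) can match;
    the UPN form (abcd@mydomain.com) is a different attribute and never does."""
    return f"(&{users_filter}({uuid_attribute}={escape_filter_value(login)}))"


if __name__ == "__main__":
    for url in ("ldap://mydc.mydomain.com:389??sub",
                "ldap://mydc.mydomain.com:389/??sub",
                "ldap://mydc.mydomain.com:389/DC=firstou,DC=secondou,DC=com??sub"):
        u = parse_ldap_url(url)
        print(url, "-> base DN:", repr(u.base_dn), "scope:", u.scope)
        for w in check_url(u):
            print("   warning:", w)
    print(build_user_filter("abcd"))
    print(build_user_filter("abcd@mydomain.com"))
```

Running it prints an empty base DN for the first two URLs and `DC=firstou,DC=secondou,DC=com` for the third, which is exactly the difference the reply found; the `ldap://` warning applies to all three and to the original poster's URL, since the search-entitled user's password is bound with on every login.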