Active Directory LDAP Authentication

I've tried to configure the UCMDB to enable LDAP authentication for Active Directory, but I'm unable to logon once I set "Remote users repository mode" to "true".    I can still logon using the local sysadmin UCMDB account, but any other account gives me "Authentication failed".


I think I'm close as I have 3 different Active Directory groups showing up under Security, LDAP Mapping.  They are UCMDB_Admins, UCMDB_SuperAdmins, UCMDB_Viewers.  Each of these groups is associated with a corresponding group in the UCMDB (i.e. UCMDB_Admins has Admins in the select groups window).


I have one user in the UCMDB_SuperAdmins group in Active Directory and still can't logon with that user ID.


Here are the settings for the 4 LDAP categories.  I've changed a couple for the purpose of posting them here.


*** deprecated *** Security Protocol: 
Automatically assigned user group: 
Enable User Permissions Synchronization: TRUE
Is case-sensitivity enforced when authenticating with LDAP: FALSE
LDAP Server URL: ldap://
LDAP vendor type: Microsoft Active Directory
Remote users repository mode: TRUE
Use bottom up algorithm for finding parent groups from the LDAP server.: FALSE
Users filter: (&(objectClass=person)(objectClass=user))
Distinguished Name (DN) Resolution: TRUE
Distinguished Name of Search-Entitled User: CN=Some\,\20User,OU=SOMEORG,OU=ORG\20Users,DC=its,DC=corp,DC=gwl,DC=com
Password of Search-Entitled User: *********
Search Retries Count: 5
Groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Groups search filter: (&(objectClass=group)(CN=UCMDB*))
Root groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Root groups filter: (&(objectClass=group)(CN=UCMDB*))
Root groups scope: sub
Scope for groups search: sub
Group class object: group
Groups description attribute: description
Groups display name attribute: cn
Groups member attribute: member
Groups name attribute: cn
User display name attribute: name
Users object class: user
UUID attribute: sAMAccountName


Any suggestions on what to try next?




Parents Reply
  • I figured this out.  Turns out my value of "LDAP Server URL" was causing the issue.


    I previously tried these values:




    I changed it to this, and now it works:



    Obviously, the values above were changed to mask out our real values.  But basically, I had to put in the DC=... stuff representing the root of my AD forest.


    I am able to logon using the short name from AD and not the UPN.  For example, I can now logon with user IDs like abcd and not like



No Data