Active directory and users OU

pkc_
Contributor

Active directory and users OU

Hi all,

I set up an AD server for authentication.

It works fine for the users in the default AD Users OU, but not for users that are placed in another OU.

Is there a way to specify the OU to use, or shall all the OUs be in the Users one?

Thanks

Munpe_Q_
Occasional Contributor

Re: Active directory and users OU

In my experience, using LDAP authentication against AD is the most flexible for what you are trying to do. You will be able to see groups and OUs very easily. Do you have an option of moving your auth to LDAP?
imtravis_
Contributor

Re: Active directory and users OU

You may need to use the OU that covers all the users you're authenticating. So if you have admins under admins, and users under users, you may need to use DC=Domain, DC=Local for the OU to search. Although I agree LDAPS is the preferred method (as it's more flexible, and gives you the password expiration, errors from MS).

Message Edited by imtravis on 10-06-2008 02:25 PM
pkc_
Contributor

Re: Active directory and users OU

This is a lab installation, so I can configure LDAP for authorization.

But this will prevent me from using AD attributes for role mapping, for instance.

I guess I have to escalate this to TAC and ask for a proper solution.

It's too restrictive IMHO to propose AD authentication but only for a single OU.

Munpe_Q_
Occasional Contributor

Re: Active directory and users OU

Actually it won't prevent that at all, in fact once you get your head wrapped around it, you'll see how much flexibility you have with LDAP to AD. I promise.
pkc_
Contributor

Re: Active directory and users OU

Demo effect: it works today...

Looks like I have to double-check the passwords next time.

muttbarker_
Valued Contributor

Re: Active directory and users OU

I would add to the comments made previously. You should absolutely look at LDAP against your AD server - AD only allows for the use of groups for both authentication and authorization, so your mappings are very limited authorization-wise.

When you use LDAP against your domain you can use basically any attribute in the user profile for mapping. In my demo system I have both set up so that I can contrast them. I set up role mappings based on state, group, phone number...

If you need any help on LDAP just ask away.

DanSmart_
Contributor

Re: Active directory and users OU

1. You want to use LDAP unless you are dealing with multiple domains. As long as it's only OUs, no problem.

2. The only two things you need to do in production are: add an SSL certificate to the domain controller you will use for LDAP, since changing passwords requires LDAPS. Every DC is an LDAP server, but you only really need to pick one, and one more for redundancy. You also need an LDAP "Bind" user that has the right to update passwords.

3. Start your LDAP search base at the uppermost OU (domain OU) as others described.

It's counter-intuitive, but AD authentication is very limiting. The only benefits are allowing domains to be specified and automatic group use. LDAP allows you to use user attributes for drive mappings, and much better password management. The only downside is having to populate your catalog with the groups you are going to be using.

At first I tried AD authentication with LDAP authorization, but this doesn't help you with the password issues.

Bottom line: Use LDAP

=============================

Finding user entries

Base DN: dc=domain,dc=company,dc=com
Filter: samaccountname=<USER>

Determining group membership

Base DN: dc=domain,dc=company,dc=com
Filter: cn=<GROUPNAME>
Member Attribute: member
"Uncheck" Reverse group search
Query Attribute:
Nested Group Level: 3 (Note: never specify more than 5 per JTAC)
Nested Group Search: "Check" Search all nested groups
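The settings above describe a forward ("non-reverse") group search: the group entry is found by its cn, its member attribute is read, and member groups are followed down to the configured nesting level. The following is an added example, not code from this thread or from the vendor; it builds the two filters with RFC 4515 escaping so that a login name cannot alter the filter, and walks the member attribute over a constructed in-memory stand-in for the directory (all DNs and names are hypothetical). It assumes that level 0 means direct membership only and each extra level allows one more hop into a member group.

```python
# Added example: LDAP filter construction plus nested "member" resolution with a level cap.
from typing import Dict, List, FrozenSet

BASE_DN = "dc=domain,dc=company,dc=com"

def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(username: str) -> str:
    """Filter for 'Finding user entries' (samaccountname=<USER>), with the value escaped."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)

def group_filter(group_cn: str) -> str:
    """Filter for 'Determining group membership' (cn=<GROUPNAME>), with the value escaped."""
    return "(cn=%s)" % escape_filter_value(group_cn)

def gdn(cn: str) -> str:
    return "cn=%s,ou=Groups,%s" % (cn, BASE_DN)

# Constructed stand-in for the directory: DN -> attributes (hypothetical entries).
ALICE = "cn=alice,ou=Staff," + BASE_DN
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ALICE: {"cn": ["alice"], "objectClass": ["user"], "sAMAccountName": ["alice"]},
    gdn("Helpdesk"): {"cn": ["Helpdesk"], "objectClass": ["group"], "member": [ALICE]},
    # IT and AllStaff contain each other: a nesting cycle the search must survive.
    gdn("IT"): {"cn": ["IT"], "objectClass": ["group"], "member": [gdn("Helpdesk"), gdn("AllStaff")]},
    gdn("AllStaff"): {"cn": ["AllStaff"], "objectClass": ["group"], "member": [gdn("IT")]},
    gdn("Everyone"): {"cn": ["Everyone"], "objectClass": ["group"], "member": [gdn("AllStaff")]},
}

def find_group_dn(group_cn: str) -> str:
    """Stand-in for a subtree search under BASE_DN using group_filter(); cn matches case-insensitively."""
    for dn, attrs in DIRECTORY.items():
        if "group" in attrs["objectClass"] and attrs["cn"][0].lower() == group_cn.lower():
            return dn
    raise LookupError("no group named %r under %s" % (group_cn, BASE_DN))

def is_member(group_cn: str, user_dn: str, nested_level: int = 3, _path: FrozenSet[str] = frozenset()) -> bool:
    """Read the group's member attribute; descend into member groups at most nested_level times.
    _path holds the groups on the current descent, so a cycle stops even before the level cap."""
    group_dn = find_group_dn(group_cn)
    if group_dn in _path:
        return False
    members = DIRECTORY[group_dn].get("member", [])
    if user_dn in members:
        return True
    if nested_level <= 0:
        return False
    path = _path | {group_dn}
    return any(is_member(DIRECTORY[m]["cn"][0], user_dn, nested_level - 1, path)
               for m in members if "group" in DIRECTORY.get(m, {}).get("objectClass", []))
```

With the constructed data, alice is three hops below Everyone, so the check succeeds at level 3 and fails at level 2, which is the practical meaning of the "Nested Group Level" setting.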