
Authentication Problem with AD/LDAP

aeroplane_
Regular Contributor

Authentication Problem with AD/LDAP

I am trying to authenticate users via LDAP. My users are in abc.com->Computer department->System Department->Networking Department. In the Networking Department there is a group Netdep. But my users are in Networking Department.

When I search for the group, it shows me only abc.com->Computer department->System Department->Networking Department->Netdep. But I need abc.com->Computer department->System Department->Networking Department. I also used the depth option, but no luck.

Can anyone explain to me whether AD/LDAP supports users in an OU? What am I missing?

Thanks

4 REPLIES 4
DeaconZ_
Frequent Contributor

Re: Authentication Problem with AD/LDAP

Are you talking about your Base DN in your Auth Servers?

ozmark_
Occasional Contributor

Re: Authentication Problem with AD/LDAP

The SAs do hierarchical LDAP searches.

The two things to consider are what it is looking for and what access the binding account has to LDAP.

In looking for an LDAP group

Groups ... -> Search ...

The SA unit is looking for objects with an objectclass of 'groupofUniqueNames' or 'groupOfNames' or 'posixGroup'.

It expects the entry to have a CN - does your object/group match these conditions?

TravisJohnson_
Occasional Contributor

Re: Authentication Problem with AD/LDAP

I have a similar issue. I am using ADAM for my LDAP, and my SSG firewalls auth fine, but when I try to auth the same user in the SA, it isn't found in the searches?

My users do have a CN.

muttbarker_
Valued Contributor

Re: Authentication Problem with AD/LDAP

That is an interesting problem. If you try and create a role mapping based on group membership it will fail as your users are members of the OU "Networking Department" but not the Group "Netdep" - Correct?

You can't use the attribute "member-of" as that also only applies to groups. I am assuming you have some reason why you don't want to use groups and need to use an OU match instead.

Have you tried testing using the distinguishedName attribute? That attribute is the only one that I know of that would contain the full string with the OU.

Maybe there is a custom expression that could be written based on that. Just a thought.
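The distinguishedName idea from the last reply, as an added example that is not part of the original thread and not the SA's own expression syntax: an OU test that compares the DN suffix component by component, because a plain substring match on the OU name also accepts lookalike DNs. The DNs are constructed from the poster's abc.com path on the assumption that every level is an OU; `split_rdns` and `in_ou` are hypothetical names, and multi-valued RDNs (`+`) are not handled.

```python
# Added example: decide OU membership from distinguishedName.
# All DNs below are constructed sample values, not taken from a real directory.

OU_DN = ("OU=Networking Department,OU=System Department,"
         "OU=Computer Department,DC=abc,DC=com")


def split_rdns(dn):
    """Split a DN on unescaped commas and normalise each RDN to (attr, value)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair, e.g. "\," intact
            i += 2
            continue
        if ch == ",":                    # unescaped comma ends the current RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        # Attribute names and (in AD) values compare case-insensitively.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_ou(user_dn, ou_dn, direct_only=False):
    """True if user_dn sits below ou_dn; direct_only requires an immediate child."""
    user, ou = split_rdns(user_dn), split_rdns(ou_dn)
    if len(user) <= len(ou) or user[-len(ou):] != ou:
        return False
    return len(user) - len(ou) == 1 or not direct_only


if __name__ == "__main__":
    samples = [
        "CN=Alice," + OU_DN,                                    # direct member
        "CN=Dave,OU=Lab," + OU_DN,                              # nested below the OU
        r"CN=Bob\,OU=Networking Department,OU=Contractors,DC=abc,DC=com",
        "CN=Carol,OU=Networking Department,OU=Partners,DC=abc,DC=com",
    ]
    for dn in samples:
        naive = "OU=Networking Department" in dn                # substring check
        print(f"naive={naive!s:5} in_ou={in_ou(dn, OU_DN)!s:5} {dn}")
```

The last two sample DNs pass the substring check but are rejected by `in_ou`, which is the case to test for before basing a role mapping on an OU match.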