Using LDAP to login with domain\username Possible?

Contributor

Is it possible to login with domain\username (eng\hsimpson) against LDAP?

What attribute(s) do I need to pass for the LDAP to recognize the domain?

Thanks for any help you can throw at me.

Respected Contributor

Re: Using LDAP to login with domain\username Possible?

Nope; LDAP requires just the username.

You can do UPN if you change your user variable from sAMAccountName=<USER> to userPrincipalName=<USER>.

The domain\username form is available only with the AD/NT server type. What is the reason for wanting this functionality?

You could try doing AD/NT for authentication (which accepts that format) and LDAP for authorization (group lookup & attributes); but if the reason is a multi-domain environment, you will need multiple LDAP servers regardless.

Contributor

Re: Using LDAP to login with domain\username Possible?

Yes, multi-domain environment. Users are scattered across multiple domains; the groups used to map roles are in one container.

But the roles/groups would have members from users from the various domains.

Respected Contributor

Re: Using LDAP to login with domain\username Possible?

Your best bet for multi-domain environments is an LDAP server instance & realm for each domain.
It is *possible* to do it w/ the AD/NT server type but DNS issues can cause group lookup to fail and ALL groups in ALL domains must be retrieved during the login & authorization process.

I have seen LDAP-based server instances defined for the global catalog port (3269) work in this type of environment; ymmv.

Good luck!

Frequent Contributor

Re: Using LDAP to login with domain\username Possible?

I actually tricked Juniper with LDAP. I have 4 domains: asia.co.com, europe.co.com, southamerica.co.com, northamerica.co.com. We do not have co.com in AD; it is lateral. I went at the local DC using port 3268 and telling Juniper that the base DN is dc=co, dc=com. Juniper complains the base DN is invalid but will authenticate and do group lookups across domains. This works well. You do lose 389 port messages from AD.

Frequent Contributor

Re: Using LDAP to login with domain\username Possible?

To finish, you no longer need the domain, only ID and password. I did have to set the server to generic and unencrypted. You also lose external pwd reset. AD holds the attribute <userAttr.userPrincipalName> that is ID@Domain. You can use that in SSO if you want.
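As an added example (not code from this thread, Juniper, or any LDAP library), here is how an authentication front end could accept the domain\username form the original question asks about and the UPN form the first reply recommends, and turn either into a forest-wide search on the global catalog port described in the later replies. The NetBIOS-to-DNS map, the forest base DN and the port are constructed for illustration; the security-relevant parts are that an unknown domain is rejected before any query is built and that the login string is RFC 4515-escaped so it cannot alter the search filter.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is matched as a literal, not as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# Constructed example: NetBIOS domain -> DNS domain (assumed mapping, not from the page).
DOMAIN_DNS = {
    "ASIA": "asia.co.com",
    "EUROPE": "europe.co.com",
}

FOREST_BASE_DN = "dc=co,dc=com"   # forest root, as used against the global catalog
GC_PORT = 3268                     # plain global catalog; 3269 is the TLS variant

def parse_login(login: str, domain_dns=DOMAIN_DNS):
    """Normalise 'DOMAIN\\user', 'user@dns.domain' or bare 'user'.

    Returns a UPN for the first two forms, the bare name for the third,
    or None when the domain is not one we know (reject before querying).
    """
    login = login.strip()
    if "\\" in login:
        domain, _, user = login.partition("\\")
        dns = domain_dns.get(domain.upper())
        if dns is None or not user:
            return None
        return f"{user}@{dns}"
    if "@" in login:
        user, _, dns = login.partition("@")
        if not user or dns.lower() not in domain_dns.values():
            return None
        return f"{user}@{dns.lower()}"
    return login or None

def user_search(login: str):
    """Return (base_dn, port, filter) for a forest-wide GC lookup of the user."""
    ident = parse_login(login)
    if ident is None:
        raise ValueError("login is not in a recognised form")
    attr = "userPrincipalName" if "@" in ident else "sAMAccountName"
    flt = f"(&(objectClass=user)({attr}={escape_filter_value(ident)}))"
    return FOREST_BASE_DN, GC_PORT, flt
```

The returned triple is what you would hand to an LDAP client's search call; the filter is safe to interpolate because every special character in the login has been escaped.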