
Using LDAP to login with domain\username Possible?

imanenvoy_
Contributor

Using LDAP to login with domain\username Possible?

Is it possible to login with domain\username (eng\hsimpson) against LDAP?

What attribute(s) do I need to pass for the LDAP to recognize the domain?

Thanks for any help you can throw at me.

zanyterp_
Respected Contributor

Re: Using LDAP to login with domain\username Possible?

nope; LDAP requires just username.

you can do UPN if you change your user variable from sAMAccountName=<USER> to userPrincipalName=<USER>

the domain\username is available only with the AD/NT server type. what is the reason for wanting this functionality?

you could try doing AD/NT for authentication (which accepts that format) and LDAP for authorization (group lookup & attributes); but if the reason is for a multi-domain environment, you will need multiple LDAP servers regardless.
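The reply above contrasts the three identifier forms involved here: `domain\username` (accepted only by the AD/NT server type), a bare `sAMAccountName`, and a UPN (`user@realm`) matched with `userPrincipalName=<USER>`. The following is an added example written for this thread, not code from the original posts or from the product being discussed. It classifies a login identifier, maps a NetBIOS domain to a DNS realm using a constructed lookup table (`REALMS` is an assumption, not a real directory), and builds the corresponding LDAP search filter with RFC 4515 escaping so that characters such as `*`, `(` and `)` in user input cannot alter the filter; the rewrite to UPN form is the transformation the reply suggests when only a single-identifier LDAP lookup is available.

```python
# Added example: normalising login identifiers for LDAP user lookup.
# REALMS is constructed sample data standing in for a site's NetBIOS -> DNS mapping.
from typing import Optional, Tuple

REALMS = {
    "ENG": "eng.example.com",
    "SALES": "sales.example.com",
}

# RFC 4515: these characters must be encoded as a backslash plus two hex digits
# when they appear inside an assertion value of a search filter.
_FILTER_SPECIALS = "\\*()\x00"


def escape_filter_value(value: str) -> str:
    """Escape a value for safe embedding in an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value
    )


def parse_login(identifier: str) -> Tuple[str, Optional[str], str]:
    """Classify an identifier as ('domain', dom, user), ('upn', None, upn) or ('plain', None, user)."""
    if "\\" in identifier:
        dom, _, user = identifier.partition("\\")
        return ("domain", dom, user)
    if "@" in identifier:
        return ("upn", None, identifier)
    return ("plain", None, identifier)


def to_upn(identifier: str, realms=REALMS) -> str:
    """Rewrite domain\\user to user@realm; UPN and plain forms pass through unchanged."""
    form, dom, user = parse_login(identifier)
    if form != "domain":
        return user
    realm = realms.get(dom.upper())
    if realm is None:
        raise ValueError("unknown domain %r" % dom)
    return "%s@%s" % (user, realm)


def build_filter(identifier: str, realms=REALMS) -> Tuple[str, Optional[str]]:
    """Return (ldap_filter, realm) for the identifier.

    domain\\user -> sAMAccountName filter plus the realm whose server should be queried
    user@realm   -> userPrincipalName filter (realm left to the caller)
    user         -> sAMAccountName filter against the default server
    """
    form, dom, user = parse_login(identifier)
    if form == "domain":
        realm = realms.get(dom.upper())
        if realm is None:
            raise ValueError("unknown domain %r" % dom)
        return (
            "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user),
            realm,
        )
    if form == "upn":
        return (
            "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter_value(user),
            None,
        )
    return (
        "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user),
        None,
    )


if __name__ == "__main__":
    for ident in ("eng\\hsimpson", "hsimpson@eng.example.com", "hsimpson", "*)(objectClass=*"):
        print(ident, "->", build_filter(ident), "UPN:", to_upn(ident))
```

The realm returned for the `domain\user` form is what a multi-domain deployment needs to pick the right LDAP server instance; the escaping step is what keeps a crafted username from widening the search.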

imanenvoy_
Contributor

Re: Using LDAP to login with domain\username Possible?

Yes, multi-domain environment. Users are scattered across multiple domains; groups used to map roles are in one container.

But the roles/groups would have members from users from the various domains.

zanyterp_
Respected Contributor

Re: Using LDAP to login with domain\username Possible?

Your best bet for multi-domain environments is an LDAP server instance & realm for each domain.
It is *possible* to do it w/ the AD/NT server type but DNS issues can cause group lookup to fail and ALL groups in ALL domains must be retrieved during the login & authorization process.

I have seen LDAP-based server instances defined for the global catalog port (3269) work in this type of environment; ymmv.

Good luck!

RexPGP_
Frequent Contributor

Re: Using LDAP to login with domain\username Possible?

I actually tricked Juniper with LDAP. I have 4 domains: asia.co.com, europe.co.com, southamerica.co.com, northamerica.co.com. We do not have co.com in AD; it is lateral. I went at the local DC using port 3268 and telling Juniper that the base DN is dc=co, dc=com. Juniper complains the base DN is invalid but will authenticate and do group lookups across domains. This works well. You do lose 389 port messages from AD.

RexPGP_
Frequent Contributor

Re: Using LDAP to login with domain\username Possible?

To finish: you no longer need domain, only ID and password. I did have to set server to generic and unencrypted. Also lose pwd reset external. AD holds attribute <userAttr.userPrincipalName> that is ID@Domain. You can use that in SSO if you want.