Configuring LDAP to Authenticate Against Active Directory
If you have customized Active Directory (by, for example, specifying a search base instead of using the AD default), you need to authenticate to Active Directory using LDAP. The procedure for configuring an LDAP server is defined in Configuring LDAP and LDAPS Authentication. When configuring LDAP, you should pay special attention to the attributes you’re using to query the directory. Because every implementation of AD is different, you must know how the object classes and related attributes are configured in your Active Directory schema.
When an Active Directory (AD) server is used as an LDAP server, ACL checks cannot be performed.
Short names (SN) or common names (CN) are not supported on LDAP servers. They are only supported on
The following table describes the key AD attributes used to validate username and password credentials. The attributes are not case-sensitive.

AD attributes for credential validation

| Attribute | Description |
|---|---|
| | The DN used to establish a connection with your Active Directory server. In a generic AD configuration located in the example.com domain, the DN for a user named John Doe would be: |
| Search base | The point in the AD directory from which you want to search for user information. Usually, this is the lowest point in the directory tree that contains user information. The user binding to AD must have permissions to view the directory at this level. For a generic installation, a search base of cn=users,dc=example,dc=com will find most users. You may want to search from a higher level (such as dc=example,dc=com) if some users are stored in a different branch. |
| Username attribute | The attribute used to match usernames. In most AD implementations, sAMAccountName matches the user ID (for example, jdoe). You can use ..., but that would require the user to authenticate with his full name (John Doe) instead of his user ID (jdoe). |
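The three table entries above are the inputs to one credential check: bind as the service account, search under the search base for the entry whose username attribute equals the submitted name, then bind as that entry with the submitted password. The following is an added example, not code from the article or from the AMC product. It assumes a service-account bind DN, a search base and a username attribute as in the table; `FakeAdConnection`, the DNs and the passwords are a constructed in-memory stand-in so the flow runs offline. Against a real server the same three calls would go through an LDAP client library such as ldap3.

```python
"""Two-step LDAP credential validation against AD (added example, not from the article)."""
import re
from dataclasses import dataclass

# RFC 4515 escaping for values placed inside a search filter, so a submitted username such
# as "jdoe)(objectClass=*" cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(username_attribute: str, username: str) -> str:
    """Filter that should match exactly one user entry by the configured attribute."""
    return f"(&(objectClass=user)({username_attribute}={escape_filter_value(username)}))"


@dataclass
class LdapConfig:
    bind_dn: str                    # DN of the account that opens the connection (assumed)
    bind_password: str
    search_base: str                # e.g. cn=users,dc=example,dc=com
    username_attribute: str = "sAMAccountName"


class FakeAdConnection:
    """Constructed stand-in for an AD LDAP connection; not a real client."""

    def __init__(self, entries: dict, passwords: dict):
        self.entries = entries        # DN -> attribute dict
        self.passwords = passwords    # DN -> password

    def bind(self, dn: str, password: str) -> bool:
        # An empty password must never count as success: LDAP treats it as an anonymous bind.
        return password != "" and self.passwords.get(dn) == password

    def search(self, base: str, ldap_filter: str) -> list:
        """Subtree search under `base`; understands the (attr=value) conjunction built above."""
        wanted = [(a, unescape_filter_value(v))
                  for a, v in re.findall(r"\((\w+)=([^)]*)\)", ldap_filter)]
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.lower().endswith("," + base.lower()):
                continue
            # AD attribute values compare case-insensitively, as the article notes
            if all(str(attrs.get(a, "")).lower() == v.lower() for a, v in wanted):
                hits.append(dn)
        return hits


def validate_credentials(cfg: LdapConfig, conn, username: str, password: str):
    """Return the user's DN on success, None on any failure (the caller denies on None)."""
    if not password:
        return None
    if not conn.bind(cfg.bind_dn, cfg.bind_password):
        raise RuntimeError("service account bind failed; check bind DN and password")
    matches = conn.search(cfg.search_base, build_user_filter(cfg.username_attribute, username))
    if len(matches) != 1:          # not found, or ambiguous: never guess which entry
        return None
    user_dn = matches[0]
    return user_dn if conn.bind(user_dn, password) else None


# Constructed sample directory (not from the article): John is under cn=users, Jane is in
# a different branch, which is why a higher search base is sometimes needed.
JOHN = "cn=John Doe,cn=users,dc=example,dc=com"
JANE = "cn=Jane Roe,ou=contractors,dc=example,dc=com"
SVC = "cn=svc-ldap,cn=users,dc=example,dc=com"
ENTRIES = {
    JOHN: {"objectClass": "user", "cn": "John Doe", "sAMAccountName": "jdoe"},
    JANE: {"objectClass": "user", "cn": "Jane Roe", "sAMAccountName": "jroe"},
    SVC: {"objectClass": "user", "cn": "svc-ldap", "sAMAccountName": "svc-ldap"},
}
PASSWORDS = {JOHN: "hunter2", JANE: "correct-horse", SVC: "svc-secret"}
CONN = FakeAdConnection(ENTRIES, PASSWORDS)
USERS_CFG = LdapConfig(SVC, "svc-secret", "cn=users,dc=example,dc=com")
DOMAIN_CFG = LdapConfig(SVC, "svc-secret", "dc=example,dc=com")
CN_CFG = LdapConfig(SVC, "svc-secret", "cn=users,dc=example,dc=com", username_attribute="cn")

if __name__ == "__main__":
    print(validate_credentials(USERS_CFG, CONN, "jdoe", "hunter2"))        # John's DN
    print(validate_credentials(USERS_CFG, CONN, "jroe", "correct-horse"))  # None: other branch
    print(validate_credentials(DOMAIN_CFG, CONN, "jroe", "correct-horse"))  # Jane's DN
    print(validate_credentials(CN_CFG, CONN, "John Doe", "hunter2"))       # John's DN via cn
```

The search base decides which users can be found at all (jroe only appears once the base is raised to dc=example,dc=com), and the username attribute decides what the user has to type (sAMAccountName accepts jdoe, cn requires John Doe). The service account performs the search, so it is the account that needs read permission at the search base; the user's own password is only ever used for the second bind against the DN the search returned.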
If you create an access control rule that references a group, a user must be an explicit member of that group for his or her request to match the rule. To include nested groups when evaluating group membership, make sure that Nested group lookup is set accordingly when you configure the authentication server in AMC.

For example, assume that the SeattleCampus group contains a group called Marketing. Employee John Doe is a member of the Marketing group, but is not explicitly a member of SeattleCampus. If Nested group lookup is set to 0, the appliance will not recognize John Doe as a member of the SeattleCampus group; if it is set to 1, he
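The SeattleCampus/Marketing case is a membership walk over AD group objects. The following is an added example, not code from the article or from AMC, showing the two settings side by side over a constructed snapshot of the directory (group DN mapped to the member DNs its `member` attribute would hold). It goes one step beyond the text by including two groups that contain each other, which AD permits, so that the nested walk is shown to terminate.

```python
"""Nested group lookup over a constructed AD group snapshot (added example, not from the article)."""
from collections import deque


def effective_groups(directory: dict, user_dn: str, nested_group_lookup: int) -> set:
    """Groups the appliance would treat user_dn as a member of.

    With nested_group_lookup == 0 only groups that list the user directly count.
    With 1 the walk continues through every group that contains a group already found.
    AD allows circular nesting, so the `found` set is what keeps the walk finite.
    """
    direct = {g for g, members in directory.items() if user_dn in members}
    if nested_group_lookup == 0:
        return direct
    found = set(direct)
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        for parent, members in directory.items():
            if group in members and parent not in found:
                found.add(parent)
                queue.append(parent)
    return found


def is_member(directory: dict, user_dn: str, group_dn: str, nested_group_lookup: int) -> bool:
    """True if an access control rule naming group_dn would match a request from user_dn."""
    return group_dn in effective_groups(directory, user_dn, nested_group_lookup)


# Constructed sample (DNs are assumptions, not taken from the article).
BASE = "cn=users,dc=example,dc=com"
JOHN = f"cn=John Doe,{BASE}"
JANE = f"cn=Jane Roe,{BASE}"
SEATTLE = f"cn=SeattleCampus,{BASE}"
MARKETING = f"cn=Marketing,{BASE}"
ENGINEERING = f"cn=Engineering,{BASE}"
PLATFORM = f"cn=Platform,{BASE}"
DIRECTORY = {
    SEATTLE: [MARKETING],            # SeattleCampus contains the Marketing group
    MARKETING: [JOHN],               # John is an explicit member of Marketing only
    ENGINEERING: [PLATFORM],         # Engineering and Platform contain each other (a cycle)
    PLATFORM: [ENGINEERING, JANE],
}

if __name__ == "__main__":
    for setting in (0, 1):
        print(f"Nested group lookup = {setting}: John in SeattleCampus ->",
              is_member(DIRECTORY, JOHN, SEATTLE, setting))
    print("Jane's groups with nesting:", sorted(effective_groups(DIRECTORY, JANE, 1)))
```

With the setting at 0 John matches a rule on Marketing but not one on SeattleCampus; at 1 both match, and Jane's cycle resolves to exactly Platform and Engineering. Not mentioned in the article, but worth knowing when the walk is done against a real domain controller: AD can perform the same transitive expansion server-side through the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in a filter on memberOf, which avoids one round trip per nesting level.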
Microsoft provides a graphical tool that makes it easy to perform LDAP operations, including connecting, browsing, and modifying a directory. The tool, called LDP (ldp.exe), is available with the Support Tools for the Windows Server platform; see the Microsoft Product Support site for more information.