Secure Mobile Access 12.4 Administration Guide

Configuring LDAP to Authenticate Against Active Directory

If you have customized Active Directory (by, for example, specifying a search base instead of using the AD default), you need to authenticate to Active Directory using LDAP. The procedure for configuring an LDAP server is defined in Configuring LDAP and LDAPS Authentication. When configuring LDAP, you should pay special attention to the attributes you’re using to query the directory. Because every implementation of AD is different, you must know how the object classes and related attributes are configured in your Active Directory schema.

When an Active Directory (AD) server is used as an LDAP server, ACL checks cannot be performed. Short names (SN) or common names (CN) are not supported on LDAP servers. They are only supported on AD servers.

The following table describes the key AD attributes used to validate username and password credentials. The attributes are not case-sensitive.

AD attributes for credential validation
Login DN

The DN used to establish a connection with your Active Directory server. In a generic AD configuration located in the domain, the DN for a user named John Doe would be:

cn=John Doe,cn=users,dc=example,dc=com

Search base

The point in the AD directory from which you want to search for user information. Usually, this is the lowest point in the directory tree that contains user information. The user binding to AD must have permissions to view the directory at this level.

For a generic installation, a search base of cn=users,dc=example,dc=com will find most users. You may want to search from a higher level (such as dc=example,dc=com) if some users are stored in a different branch.

Username attribute

The attribute used to match usernames. In most AD implementations, sAMAccountName matches the user ID (for example, jdoe). You can use cn instead, but that would require the user to authenticate with his full name (John Doe) instead of his user ID (jdoe).
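The three attributes above (login DN, search base, username attribute) determine what the appliance sends to AD when it validates a credential. The following Python is an added example, not code from the SMA guide or from SonicWall: it builds the search filter from the configured username attribute with the user-supplied value escaped per RFC 4515 (so characters such as `*` and parentheses are matched literally rather than interpreted as filter syntax), and it checks whether a user DN falls under a configured search base. All DNs and usernames are constructed sample values; the function names are this example's own.

```python
"""Added example (not part of the SMA guide): filter construction and
search-base checks for username/password validation against AD."""
import re

# RFC 4515 requires these characters in a filter assertion value to be
# written as backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so the filter matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, username_attribute: str = "sAMAccountName") -> str:
    """Filter used to locate the user object below the search base.

    username_attribute is the guide's "Username attribute": sAMAccountName
    matches the user ID (jdoe); cn would require the full name (John Doe).
    """
    return f"(&(objectClass=user)({username_attribute}={escape_filter_value(username)}))"


def _split_dn(dn: str) -> list:
    """Split a DN into normalized RDNs (lower-cased, whitespace trimmed).

    Commas escaped with a backslash inside a value are not treated as
    separators; AD attribute types and most values compare case-insensitively.
    """
    rdns = re.split(r"(?<!\\),", dn)
    normalized = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        normalized.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalized


def dn_under_base(user_dn: str, search_base: str) -> bool:
    """True if user_dn lies at or below search_base in the directory tree.

    A user stored in a branch outside the search base is never returned by
    the search, which is why the guide suggests searching from a higher
    level such as dc=example,dc=com when users live in several branches.
    """
    user_rdns = _split_dn(user_dn)
    base_rdns = _split_dn(search_base)
    if len(base_rdns) > len(user_rdns):
        return False
    return user_rdns[len(user_rdns) - len(base_rdns):] == base_rdns


def search_request(search_base: str, username: str,
                   username_attribute: str = "sAMAccountName") -> dict:
    """The parameters of the subtree search the appliance would issue."""
    return {
        "base": search_base,
        "scope": "subtree",
        "filter": build_user_filter(username, username_attribute),
    }


if __name__ == "__main__":
    # Constructed sample values from the guide's generic AD layout.
    print(search_request("cn=users,dc=example,dc=com", "jdoe"))
    print(dn_under_base("cn=Jane Roe,ou=Sales,dc=example,dc=com",
                        "cn=users,dc=example,dc=com"))
```

`dn_under_base` is the check to run when a user who exists in AD is reported as "not found": if it returns False for the configured search base, the base must be raised (for example to dc=example,dc=com) rather than the user re-created.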

If you create an access control rule that references a group, a user must be an explicit member of that group for his or her request to match the rule. To include nested groups when evaluating group membership, make sure that Nested group lookup is set accordingly when you configure the authentication server in AMC.

For example, assume that the SeattleCampus group contains a group called Marketing. Employee John Doe is a member of the Marketing group, but is not explicitly a member of SeattleCampus. If Nested group lookup is set to 0, the appliance will not recognize John Doe as a member of the SeattleCampus group; if it is set to 1, he is recognized.
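The SeattleCampus/Marketing scenario in the two paragraphs above, worked through in Python as an added example (not code from the SMA guide or the appliance). The in-memory directory below is a constructed stand-in for the `member` attribute of each AD group object; the function and variable names are this example's own. With Nested group lookup at 0 only direct members match; at 1 the lookup walks group-in-group membership, with a visited set so the walk terminates even if groups reference each other.

```python
"""Added example (not part of the SMA guide): group membership evaluation
with Nested group lookup set to 0 (direct members only) or 1 (nested)."""
from collections import deque

# Constructed sample directory: group DN -> DNs in that group's 'member'
# attribute. Marketing is a member of SeattleCampus; John Doe is a direct
# member of Marketing only.
SAMPLE_GROUPS = {
    "cn=SeattleCampus,cn=users,dc=example,dc=com": [
        "cn=Marketing,cn=users,dc=example,dc=com",
        "cn=Jane Roe,cn=users,dc=example,dc=com",
    ],
    "cn=Marketing,cn=users,dc=example,dc=com": [
        "cn=John Doe,cn=users,dc=example,dc=com",
    ],
}

JOHN = "cn=John Doe,cn=users,dc=example,dc=com"
JANE = "cn=Jane Roe,cn=users,dc=example,dc=com"
SEATTLE = "cn=SeattleCampus,cn=users,dc=example,dc=com"
MARKETING = "cn=Marketing,cn=users,dc=example,dc=com"


def _norm(dn: str) -> str:
    """DN comparison in AD is case-insensitive; normalize before comparing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def effective_groups(user_dn: str, groups: dict, nested_group_lookup: int = 0) -> set:
    """Groups whose membership includes user_dn.

    nested_group_lookup == 0: only groups listing the user directly.
    nested_group_lookup == 1: also every group that (transitively) contains
    one of those groups, i.e. the same closure an ACL check needs.
    """
    user = _norm(user_dn)
    members_of = {_norm(g): {_norm(m) for m in ms} for g, ms in groups.items()}

    direct = {g for g, ms in members_of.items() if user in ms}
    if nested_group_lookup == 0:
        return direct

    # Breadth-first walk upward: any group that has a matched group as a
    # member is matched too. 'seen' stops the walk on circular nesting.
    seen = set(direct)
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for parent, ms in members_of.items():
            if current in ms and parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def rule_matches(rule_group_dn: str, user_dn: str, groups: dict,
                 nested_group_lookup: int = 0) -> bool:
    """Would an access control rule referencing rule_group_dn match this user?"""
    return _norm(rule_group_dn) in effective_groups(user_dn, groups, nested_group_lookup)


if __name__ == "__main__":
    for setting in (0, 1):
        print(f"Nested group lookup = {setting}: John Doe in SeattleCampus ->",
              rule_matches(SEATTLE, JOHN, SAMPLE_GROUPS, setting))
```

Running the block prints False for a setting of 0 and True for 1, which is the behaviour the guide describes; Jane Roe, an explicit member of SeattleCampus, matches under either setting.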

Microsoft provides a graphical tool that makes it easy to perform LDAP operations, including connecting, browsing, and modifying a directory. The tool—called LDP (ldp.exe)—is available with the Support Tools for the Windows Server platform; see the Microsoft Product Support site for more information.
