Halp! Setting up LDAP Authentication w/ 2k8 and AD

Can I haz halp?

Anyway, I have a device that has the option to enable LDAP authentication, as opposed to simple local users/groups. The problem is that I can't seem to be able to get it to work with a Win2k8 DC.

Here are the settings on the device:
LDAP Server: Server01.contoso.com
LDAP Port: 389
Transport Security: (X) Unencrypted ( )SSL Encryption ( )TLS Encryption
Authenticate via search: checked

LDAP Search Authentication
Base DN: DC=contoso,DC=com
Bind DN: CN=User01,OU=Users,DC=contoso,DC=com
Binding Credentials: ******
User ID Attribute: User01
User Object Class: User
Search Scope: (X) One Level ( ) Subtree

BTW, I made User01 a member of the Domain Admins group.

Unfortunately, I still can't seem to get authentication working.

Any ideas as to what might be wrong and where to start? I'm thinking my Base and Bind DNs are probably wrong.

Is there anything I need to configure on my DC?

Any help would be much appreciated! Thanks.
Current Study Track
EMCCA, EMCCAe, EMCCE, VCIX-NV, Puppet Practitioner, ServiceNow

Comments

  • undomiel (Member, Posts: 2,818)
    It doesn't look like you have the right user ID attribute. You probably want to set that to "cn" without the quotes. Also, Users is a CN, not an OU, which is probably what is breaking your query.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Zentraedi (Member, Posts: 150)
    Hmmm....

    Thanks for the suggestions. I just tried those, but still seem to get an authentication failure. :/

    As for the User ID Attribute, I thought that was just supposed to be the sAMAccountName?

    Any other ideas?
  • undomiel (Member, Posts: 2,818)
    The user id attribute would be for what value you want the search to return. You could set it to sAMAccountName as well, or any other attribute of an account.

    Are you getting any error messages? Seeing anything logged on the server you're authenticating against? Give it a try with ldp.exe with those credentials and see if they are authorized.
  • Zentraedi (Member, Posts: 150)
    Well, I managed to get it working. Thanks for the help.

    Eventually it was these settings which enabled me to successfully authenticate:
    =======================
    LDAP Search Authentication
    Base DN: CN=Users,DC=contoso,DC=com
    Bind DN: CN=User01,CN=Users,DC=contoso,DC=com
    Binding Credentials: ******
    User ID Attribute: sAMAccountName
    User Object Class:
    Search Scope: (X) One Level ( ) Subtree
    ================

    Now that I've got it working on port 389 unencrypted, I want to move it to 636 over SSL.

    I've created a server cert and installed it in both the local machine personal store and the NTDS server personal store, but I still can't bind on 636.

    When trying to bind via ldp on the same machine, I just get this:
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Error <0x51> : Fail to connect to Server01.contoso.com.

    and LDP opens up a box saying "Cannot open connection"

    Any ideas?
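    The two settings blocks above (the original one and the one that worked) differ in exactly the ways the first reply pointed at: the bind DN has to name the container the account really lives in, the user ID attribute is an attribute name rather than a value, and a One Level search from the domain root can only ever see the containers and OUs directly under the root, never a user entry inside them. The following is an added example, not code from the thread or from the device: it models the device's "authenticate via search" flow (bind as the service account, search for the user, re-bind as the entry found) against a small constructed directory, and runs the thread's configurations through it. The directory contents, passwords and the extra OU=Staff user are constructed for illustration; the DN parser is a simplified one that is adequate for AD-style DNs.

```python
"""Model of the device's "authenticate via search" flow against a small
constructed directory. Added example: not the device's firmware, not AD code."""

import re

# Constructed sample directory laid out like a default AD domain. The
# "_password" attribute is a stand-in for the DC's own bind check.
DIRECTORY = {
    "DC=contoso,DC=com": {"objectClass": ["domainDNS"]},
    "CN=Users,DC=contoso,DC=com": {"objectClass": ["container"]},
    "OU=Staff,DC=contoso,DC=com": {"objectClass": ["organizationalUnit"]},
    "CN=User01,CN=Users,DC=contoso,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["User01"], "cn": ["User01"],
        "_password": ["s3cret-bind"],
    },
    "CN=Jane Doe,OU=Staff,DC=contoso,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"], "cn": ["Jane Doe"],
        "_password": ["jane-pass"],
    },
}

def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, most specific first, lower-cased
    for comparison. Splits on commas not escaped with a backslash."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope):
    """Would a search rooted at base_dn with this scope return entry_dn?"""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                    # entry is not beneath the base at all
    depth = len(entry) - len(base)      # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope: %r" % scope)

def find_entry(dn):
    """Look an entry up by DN, tolerating case and spacing differences."""
    wanted = parse_dn(dn)
    for stored_dn, entry in DIRECTORY.items():
        if parse_dn(stored_dn) == wanted:
            return stored_dn, entry
    return None, None

def search_then_bind(cfg, username, password):
    """The device's flow: bind with the service account, search for the user,
    then re-bind as the entry found. Returns (matched_dn, error)."""
    _, svc = find_entry(cfg["bind_dn"])
    if svc is None or cfg["bind_pw"] not in svc.get("_password", []):
        return None, "bind DN rejected"
    attr, wanted_class = cfg["uid_attr"], cfg["object_class"].lower()
    matches = [
        dn for dn, e in DIRECTORY.items()
        if in_scope(dn, cfg["base_dn"], cfg["scope"])
        and username.lower() in (v.lower() for v in e.get(attr, []))
        and (not wanted_class or wanted_class in (c.lower() for c in e["objectClass"]))
    ]
    if len(matches) != 1:               # 0 = not found, >1 = ambiguous: both fail
        return None, "search returned %d entries" % len(matches)
    if password not in DIRECTORY[matches[0]].get("_password", []):
        return None, "user password rejected"
    return matches[0], None

# The thread's first configuration: the bind DN names an OU that does not
# exist, and "User01" is a value, not an attribute name.
ORIGINAL = {"base_dn": "DC=contoso,DC=com",
            "bind_dn": "CN=User01,OU=Users,DC=contoso,DC=com",
            "bind_pw": "s3cret-bind", "uid_attr": "User01",
            "object_class": "User", "scope": "onelevel"}
# Bind DN and attribute fixed but base/scope unchanged: one level below the
# domain root reaches only containers and OUs, never a user entry.
BIND_FIXED = dict(ORIGINAL, bind_dn="CN=User01,CN=Users,DC=contoso,DC=com",
                  uid_attr="sAMAccountName")
# The settings that worked in the thread.
WORKING = dict(BIND_FIXED, base_dn="CN=Users,DC=contoso,DC=com", object_class="")
# Beyond the thread: subtree from the root also finds users kept in OUs.
SUBTREE = dict(WORKING, base_dn="DC=contoso,DC=com", scope="subtree")

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("bind fixed", BIND_FIXED),
                      ("working", WORKING), ("subtree", SUBTREE)]:
        print(name, search_then_bind(cfg, "User01", "s3cret-bind"))
    print("jdoe via subtree:", search_then_bind(SUBTREE, "jdoe", "jane-pass"))
```

    Running it shows the two independent failures in order: the original settings never get past the service-account bind, and with only the bind DN corrected the search returns zero entries because nothing one level below DC=contoso,DC=com is a user. The working settings narrow the base to CN=Users; the SUBTREE variant is the more general fix when accounts are spread across OUs, and the `len(matches) != 1` check is worth keeping in any real implementation so that an ambiguous match is a failure rather than a guess.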
  • Zentraedi (Member, Posts: 150)
    lolz, figured it out myself.

    Apparently the NTDS service account needs a copy of the server cert with the private key in its personal store.
  • undomiel (Member, Posts: 2,818)
    I had to struggle through this the other week. First off, I would check the server firewall and make sure that port 636 is open. Hopefully it is a simple fix like that, but most likely it isn't. If the port isn't being blocked by the firewall, then the problem you're having is that the server isn't using the certificate for LDAPS. To fix that you'll either need to create a proper self-signed certificate or issue one from an internal CA. I did a self-signed certificate using openssl.
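    The LDAPS part of the thread (ldp reporting error 81 on port 636, and the later discovery that the DC had to have a certificate with its private key in the right store) is the kind of thing that is easier to diagnose from the client side than by staring at certificate stores. The following is an added example, not code from the thread or from any product: it does the TLS handshake an LDAPS client would, pulls the certificate the DC presents, and reports whether that certificate actually names the host you connected to and is within its validity period. `SAMPLE_CERT` is constructed to match the shape Python's `ssl.SSLSocket.getpeercert()` returns so the evaluation can run offline; `probe_ldaps` only does anything when given a real DC's FQDN on the command line, and the names `probe_ldaps`, `evaluate_cert` and the `ldaps_check.py` file name are this example's own.

```python
"""Client-side check of an LDAPS listener: connect over TLS the way an LDAPS
client does and report whether the presented certificate is usable for this
host. Added example, not from the thread; the host name is a placeholder."""

import socket
import ssl
import sys
import time

# Constructed to match the shape of ssl.SSLSocket.getpeercert(); not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "Server01.contoso.com"),),),
    "subjectAltName": (("DNS", "Server01.contoso.com"), ("DNS", "contoso.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def names_in_cert(cert):
    """DNS names from subjectAltName plus the subject CN: the identities a
    client will accept for the LDAP server's FQDN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for attr, v in rdn if attr == "commonName")
    return [n.lower() for n in names]

def name_matches(hostname, pattern):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return hostname == pattern

def evaluate_cert(cert, hostname, now=None):
    """Return the problems a client would hit; an empty list means the
    certificate names this host and is within its validity period."""
    now = time.time() if now is None else now
    if not cert:
        return ["server presented no certificate (or verification was disabled)"]
    problems = []
    if not any(name_matches(hostname, n) for n in names_in_cert(cert)):
        problems.append("certificate does not name %s" % hostname)
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate expired on %s" % cert["notAfter"])
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate not valid until %s" % cert["notBefore"])
    return problems

def probe_ldaps(hostname, port=636, cafile=None, timeout=5.0):
    """Handshake with hostname:port and return (peer_cert, problems). Chain
    trust is still checked against cafile or the system roots; only the host
    name check is done by evaluate_cert so the report says what is wrong."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()    # empty dict if verification were off
    return cert, evaluate_cert(cert, hostname)

if __name__ == "__main__":
    # Offline: evaluate the constructed certificate against two host names.
    for host in ("server01.contoso.com", "dc02.contoso.com"):
        print(host, evaluate_cert(SAMPLE_CERT, host) or "ok")
    if len(sys.argv) > 1:               # python ldaps_check.py <fqdn> [cafile]
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        print(probe_ldaps(sys.argv[1], cafile=cafile))
```

    Two things are deliberate here. Connecting by the DC's FQDN rather than its IP matters because the name is what gets checked against the certificate, which is why a cert that lacks the FQDN in its SAN (or CN) fails even when the private key is installed correctly. And `getpeercert()` returns an empty dict when verification is disabled, so a "no certificate" result from this script means either the listener is not doing TLS at all (the thread's situation before the NTDS store was fixed) or the context was changed to `CERT_NONE`; it does not mean the handshake succeeded.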