LDAP Architecture (tree)



Toleukhan
2010-08-31, 02:17
Hi,
Please help: what must I type in the Login DN field?

In our AD, our structure is:

Domain: XYZ.com

user (read/write access): CheckP
this user is located in group: Service Account
this group is located in group: Service.

So the tree like this:
CheckP > Service Account > Service > XYZ > com

When I press the Fetch button, all is OK; some information appears.

So the Account Unit is created with no problem.

But when I want to retrieve users from that Account Unit, I get this error:
Binding to LDAP server: Failed to bind to LDAP server: wrong password or wrong login DN.

The password is correct, so the problem is a wrong login DN. I tried typing the login DN in several different ways, but the result is the same.

Please share your experience.

melipla
2010-08-31, 10:35
So the tree like this:
CheckP > Service Account > Service > XYZ > com


Something about your tree doesn't seem right. I thought it was normally like XYZ.com -> Service -> Service Accounts -> CheckP?

Which would mean your DN should be something like this:
CN=checkp,OU=ServiceAccounts,OU=Service,DC=XYZ,DC=com

HTH

Toleukhan
2010-09-01, 23:57
Something about your tree doesn't seem right. I thought it was normally like XYZ.com -> Service -> Service Accounts -> CheckP?

Which would mean your DN should be something like this:
CN=checkp,OU=ServiceAccounts,OU=Service,DC=XYZ,DC=com

HTH

About the tree, yes, it is right.
About the DN, I also tried it like this, but no results.

I asked our AD admin to make the tree as shown in the CheckPoint documentation; after that, all is OK.

But how to write the DN if the tree differs from the documentation remains not so clear.

ShadowPeak.com
2010-09-02, 10:20
To test if it is a tree location problem or a domain permissions problem, have your AD administrator put the service account in the predefined "users" cn. So your DN will look like this:

cn=account,cn=users,dc=blah,dc=com

If it still doesn't work make sure the service account has "domain admin" privileges, read only. For testing only you can also try the generic Administrator account.

It is kind of sad, but getting the Login DN just right in a complex Active Directory tree is one of the toughest parts of a SmartDirectory LDAP integration.
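An added helper (editor's example, not from any poster or from Check Point) that builds the bind DN from the leaf-first tree path the thread gives (CheckP > Service Account > Service, domain XYZ.com) and from the cn=users fallback suggested just above, and lints a typed DN for the slips that read back as "wrong login DN". The escaping follows RFC 4514; the lint rules (stray whitespace around separators, unexpected attribute type, no DC part) are the editor's own heuristic, and the account names are constructed sample values.

```python
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514, section 2.4).
_SPECIAL = re.compile(r'([,+"\\<>;=])')
_AD_ATTRS = {'CN', 'OU', 'DC'}          # attribute types expected in an AD-style bind DN

def escape_rdn_value(value: str) -> str:
    """Escape one RDN value: special characters, a leading '#' or space, a trailing space."""
    out = _SPECIAL.sub(r'\\\1', value)
    if out[:1] in ('#', ' '):
        out = '\\' + out
    if len(value) > 1 and value.endswith(' '):
        out = out[:-1] + '\\ '
    return out

def domain_to_dcs(domain: str, attr: str = 'DC') -> str:
    """XYZ.com -> DC=XYZ,DC=com (one RDN per DNS label)."""
    return ','.join(f'{attr}={escape_rdn_value(label)}' for label in domain.split('.'))

def build_dn(leaf: str, containers: list, domain: str,
             leaf_attr: str = 'CN', container_attr: str = 'OU') -> str:
    """Join a leaf-first path, as the thread lists it (CheckP > Service Accounts > Service),
    with the DNS domain into a bind DN. Use container_attr='cn' for the built-in Users container."""
    rdns = [f'{leaf_attr}={escape_rdn_value(leaf)}']
    rdns += [f'{container_attr}={escape_rdn_value(c)}' for c in containers]
    return ','.join(rdns) + ',' + domain_to_dcs(domain)

def dn_problems(dn: str) -> list:
    """Heuristic lint for a hand-typed DN: whitespace around '=' or ',', an RDN without '=',
    an attribute type outside CN/OU/DC, and a missing DC part. Returns a list of findings."""
    problems, saw_dc = [], False
    for rdn in re.split(r'(?<!\\),', dn):          # split on unescaped commas only
        if '=' not in rdn:
            problems.append(f'RDN without "=": {rdn!r}')
            continue
        attr, val = rdn.split('=', 1)
        if attr != attr.strip() or val.startswith(' ') or \
                (val.endswith(' ') and not val.endswith('\\ ')):
            problems.append(f'stray whitespace in {rdn!r}')
        if attr.strip().upper() not in _AD_ATTRS:
            problems.append(f'unexpected attribute type {attr.strip()!r}')
        saw_dc |= attr.strip().upper() == 'DC'
    if not saw_dc:
        problems.append('no DC= components (domain part missing)')
    return problems

if __name__ == '__main__':
    print(build_dn('CheckP', ['Service Accounts', 'Service'], 'XYZ.com'))
    print(dn_problems('CN=checkp,OU=ServiceAccounts,OU=Service,DC=XYZ,DC= com'))
```

Run the lint on the exact string pasted into the Login DN field; a single stray space after a separator, as in "DC= com", is enough to fail the bind on many servers.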

mcarey
2010-10-18, 16:38
I hate to ThreadJack, but I'm seeing a similar issue.

Two Domain Controllers set up with both CRL retrieval and User management, MS AD. I can fetch the branches without being prompted. I've deleted all of them except "cn=users,DC=unit,DC=local".

I then go to LDAP groups with the group scope being "All Account-Unit's Users".

When I expand the tree, I see the "Users" group sometimes as a person icon, sometimes as a building icon (depending on which option I choose in the LDAP group). HOWEVER, I can never expand and search the users group.

The only rule I have is to allow the SMC to talk to the DC on 389. What should I check next? Unfortunately, another department controls the AD servers, which is making this even more complicated.

ShadowPeak.com
2010-10-18, 21:44
I hate to ThreadJack, but I'm seeing a similar issue.

Two Domain Controllers set up with both CRL retrieval and User management, MS AD. I can fetch the branches without being prompted. I've deleted all of them except "cn=users,DC=unit,DC=local".

I then go to LDAP groups with the group scope being "All Account-Unit's Users".

When I expand the tree, I see the "Users" group sometimes as a person icon, sometimes as a building icon (depending on which option I choose in the LDAP group). HOWEVER, I can never expand and search the users group.

The only rule I have is to allow the SMC to talk to the DC on 389. What should I check next? Unfortunately, another department controls the AD servers, which is making this even more complicated.

- When you open the LDAP tree, is there a red line under the users cn object? That means it is not valid.

- When you are surfing the LDAP tree in the SmartDashboard and double-click the users cn, what happens? Does it fail immediately or take a while? Does anything at all come up in the objects list?

- I assume your AD administrator made you a service account to access the AD server, any chance you can try it with the Administrator account? That will rule out a permissions issue on the AD side (which is pretty common).

- Finally, since you are not running encrypted, you could try capturing the port 389 traffic between you and the AD server and pulling it into Wireshark. Usually in a failure scenario the AD server is kicking back some kind of error message in a response packet's payload, and a sniffer is the only way to see it.

mcarey
2011-01-12, 12:17
When you open the LDAP tree, is there a red line under the users cn object? That means it is not valid.

This tip helped out immensely. I'm finally getting somewhere with this, but still have a small problem.

Under "Fetch Branches", I have "OU=User Group, OU=Users,OU=Department,DC=local"

And I can see all the groups defined in that OU, but I only want to see one group. If I go to the LDAP Group configuration and try to put the group name "CN=VPN" into either the "Only Sub Tree" option or the "Only Group in branch" option, I still see all the groups within that OU???

I can't figure out what I'm missing. I tried to change the "Fetch Branches" to "CN=VPN,OU=User Group, OU=Users,OU=Department,DC=local" and it doesn't help either.

mcarey
2011-02-01, 16:18
This tip helped out immensely. I'm finally getting somewhere with this, but still have a small problem.

Under "Fetch Branches", I have "OU=User Group, OU=Users,OU=Department,DC=local"

And I can see all the groups defined in that OU, but I only want to see one group. If I go to the LDAP Group configuration and try to put the group name "CN=VPN" into either the "Only Sub Tree" option or the "Only Group in branch" option, I still see all the groups within that OU???

I can't figure out what I'm missing. I tried to change the "Fetch Branches" to "CN=VPN,OU=User Group, OU=Users,OU=Department,DC=local" and it doesn't help either.


I've learned that this is correct. You should be able to see all groups within the OU. Then you can create LDAP groups for authentication using these groups.

HOWEVER, I still can't get it to work. I was hoping I could add the created LDAP group to the existing User group that is already linked to the ipassignment.conf file, but no luck.

I don't even see it attempt user authentication to the LDAP server??