Unsolved
23 Posts
0
14190
How do I set up LDAP auth
There is not much info or examples in the documentation about how to set this up. I've tried adding an AD group that my user account is a member of, but I still can only log in with the local admin, not any AD users.
I also can't find info on the LDAP setup, the BASE DN gives me an error CSEC5002 - Unable to connect to the LDAP or AD server because the input provided for server configuration are invalid. I'm using a service account that has AD access but can't seem to figure out where I went wrong.
DarenN
6 Posts
0
February 22nd, 2018 10:00
Same issue here as well.
so_it
1 Message
0
April 12th, 2018 05:00
Same here. I managed to connect OMEnt to my domain - "Connection Successful" but doing any search on groups gives me the CSEC5002 Error
leejohnc
26 Posts
0
April 12th, 2018 06:00
I assume you're using LDAP over SSL (TCP 636). First upload the CA your LDAP server uses. The CA is only the very top of the certificate chain, i.e. whoever signed it (Symantec, Comodo, GoDaddy, etc.)
Generic LDAP Enabled is enabled
Use Distinguished Name to Search Group Membership is enabled
LDAP Server address is the Fqdn of your ldap service
LDAP Server port 636 or whatever the port is
BIND DN= CN=someserviceaccountthatcanreadldapattribsoftheusers,OU=yadayadayada,DC=LDAP,DC=Server
BIND Password=SomeHardtoGuessPwd
Base DN to search=OU=thetreewhereyourusersare,DC=LDAP,DC=Server
Attribute of User Login=CN (shortname), userPrincipalName (this one will require the user to sign in as user@ldap.server)
Attribute of Group membership=member
Search Filter=objectClass=user
Certificate Validation=Enabled
leejohnc
26 Posts
0
April 12th, 2018 06:00
Role Group1=CN=DRACAdmins,OU=someou,DC=LDAP,DC=Server
I would steer clear of nested groups, and just put each user in the group directly.
leejohnc
26 Posts
0
April 12th, 2018 07:00
If you're using AD you can set
Attribute of User Login=sAMAccountName
That will allow users to log on using just their username without specifying a domain.
A lot of times cn doesn't match sAMAccountName in various ADs I've seen over the years. CN is often set as the full name, by accident, because people free-hand create accounts using the ADUC GUI. They set the "full name" value as the person's "full name", which actually sets the cn also. The end result is the person's cn is cn=Lastname\, first name or cn=firstname\, lastname or something along those lines.
FYI, in the ADUC GUI, when creating accounts, you should set the full name as the sAMAccountName and then change the display name after completing creation.
IdM solutions like ARS, MIM/FIM, and so on should do this automagically.
PowerShell can do this by running New-ADUser -Name "samaccountname" -DisplayName "the person's full name"
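The lookup leejohnc describes above, worked through in an added Python example (it is not code from the thread or from OpenManage): it builds the escaped search filter the appliance would send, resolves a login to a DN by the chosen "Attribute of User Login", and checks direct membership of the Role Group by DN. The directory entries are constructed sample data; the attribute and filter names are the ones from the settings listed above.

```python
# Constructed sample entries standing in for an AD/LDAP search result (not real data).
DIRECTORY = {
    "CN=Doe\\, John,OU=Users,DC=LDAP,DC=Server": {
        "objectClass": ["top", "person", "user"],
        "cn": ["Doe, John"],                  # full name typed in ADUC, so CN != login
        "sAMAccountName": ["jdoe"],
        "userPrincipalName": ["jdoe@ldap.server"],
    },
    "CN=svc-ome,OU=Service,DC=LDAP,DC=Server": {
        "objectClass": ["top", "person", "user"],
        "cn": ["svc-ome"],
        "sAMAccountName": ["svc-ome"],
    },
    "CN=DRACAdmins,OU=someou,DC=LDAP,DC=Server": {
        "objectClass": ["top", "group"],
        "member": ["CN=Doe\\, John,OU=Users,DC=LDAP,DC=Server"],   # DN-based membership
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed login name must not be able to rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_login_filter(search_filter: str, login_attr: str, login: str) -> str:
    """The 'Search Filter' setting ANDed with the login-attribute lookup."""
    base = search_filter if search_filter.startswith("(") else f"({search_filter})"
    return f"(&{base}({login_attr}={escape_filter_value(login)}))"


def _has_value(entry: dict, attr: str, value: str) -> bool:
    # LDAP attribute names and AD string values compare case-insensitively.
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False


def find_user_dn(directory: dict, login_attr: str, login: str,
                 search_filter: str = "objectClass=user"):
    """DN of the single entry matching both the search filter and the login, else None."""
    f_attr, f_value = search_filter.strip("()").split("=", 1)
    hits = [dn for dn, e in directory.items()
            if _has_value(e, f_attr, f_value) and _has_value(e, login_attr, login)]
    return hits[0] if len(hits) == 1 else None


def has_role(directory: dict, user_dn: str, role_group_dn: str) -> bool:
    """Direct membership only (no nesting): the user's DN must appear in 'member'."""
    group = next((e for dn, e in directory.items() if dn.lower() == role_group_dn.lower()), None)
    return group is not None and _has_value(group, "member", user_dn)
```

With the sample data, looking the user up by CN with the login "jdoe" finds nothing, while sAMAccountName and userPrincipalName both resolve to the DN listed in the group's member attribute.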
DELL-Rob C
2 Intern
2.8K Posts
0
April 26th, 2018 11:00
Linking this related post, FYI... will cross-link.
https://www.dell.com/community/Dell-OpenManage-Enterprise/Setting-up-LDAP-in-OpenManage-Enterprise/m-p/6069646#M370
dwatadventsol
1 Rookie
37 Posts
0
June 21st, 2018 12:00
Hi LeeJohnC
I've been trying unsuccessfully to get this to work.
I don't have the option to set:
"Use Distinguished Name to Search Group Membership is enabled". See screenshot. Secretly I suspect this is actually part of the issue, although with FreeIPA the DN is used in the member field.
I hate the way even once you've uploaded the certificate, if you go back to edit your ldap server settings the UI doesn't show that you've already uploaded the certificate.