AD authentication with BaseDN on domain root not possible

[ricodramp]

Hello all,

I have already found several threads on this topic here in the forum, but have not found a answer. We have an OpenVPN server with the ldap script for AD authentication. My problem is that I always have to specify an OU with the "BaseDN" under <Authorization>, otherwise the authentication fails. But since my users are in different OUs, I need the query on the root domain level. Otherwise I would only think of setting up a separate server for each OU in which users are located, which would be overkill. Do I have a mistake in my config, or am I doing something else wrong?
Thanks in advance for any helpful hints!

Here is my auth-ldap.conf:

Code: Select all

<LDAP>
	# LDAP server URL
	URL		ldap://dc01.my.company.com

	
    BindDN  "CN=ldapquery,OU=ldap,OU=services,OU=department1,DC=my,DC=company,DC=com"
	Password "XXXXXXXXXXXXXXXXXXX"

	Timeout		15

	FollowReferrals yes

</LDAP>

<Authorization>
	BaseDN		"OU=department1,DC=my,DC=company,DC=com"
	SearchFilter	"(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
	RequireGroup	false

	<Group>
		# Default is true. Match full user DN if true, uid only if false.
		# RFC2307bis   true

		# Default is true. Uncomment and set to false if you want to use a Search operation to determine group
		# membership instead of Compare. Lower performance, so Compare should generally be used, but Search is
		# required in certain LDAP environments.
		# UseCompareOperation   true
		BaseDN		"ou=Groups,dc=example,dc=com"
		SearchFilter	"(|(cn=developers)(cn=artists))"
		MemberAttribute	uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable	ips_vpn_eng
	</Group>
</Authorization>

[Fadim]

The issue seems to be that the BaseDN in your auth-ldap.conf is too specific. It should be set to the root of your domain, rather than pointing to a specific OU. That way, the LDAP server can search all OUs for the user trying to authenticate.

So in your case, instead of "OU=department1,DC=my,DC=company,DC=com", it should be "DC=my,DC=company,DC=com". You should also ensure that the user specified by BindDN has sufficient permissions to search all OUs in the domain.

Give that a shot and see if it helps.

[ricodramp]

Hello Fadim,
thank you for the quick reply. This is exactly the problem. If I specify the domain root for the BaseDN ("DC=my,DC=company,DC=com") the authentication does not work at all. Only if I specify an OU (in my example departments), at least the users in that OU can log in. I have also tried other OUs. That always worked. But this does not help me, because the users are all in different OUs under the root domain. And yes: the bind user has full read rights in the whole domain. Do you have any other ideas?
Greetings, Rico

[Fadim]

Hmm, let's think outside the box for a sec. Have you considered using wildcards in the BaseDN? Like, instead of specifying a specific OU, you could try something like "OU=*,DC=my,DC=company,DC=com" to cover all the OUs under the root domain. Give it a shot and see if it helps!

[ricodramp]

It was worth a try.
Error message from service status:

LDAP search failed: No such object (0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=my,DC=company,DC=com'

So the wildcard seems to work in general, but authentication continues to fail.