KB40232 - Sample LDAP auth file: Example of a flexible bind for Active Directory LDAP

Last Modified Date: 1/31/2017 6:23 PM
Synopsis
This article contains a sample LDAP authentication file that allows SBR to authenticate users against Active Directory over LDAP. This functionality is only available in SBR Global Enterprise Edition. Also note that, in order to authenticate a user with LDAP on AD, SBR needs to receive the user password in an unencrypted format, such as PAP.
Solution
This functionality is only available in the Global Enterprise Edition. Also, LDAP authentication against AD requires that SBR receive the user password in an unencrypted format, such as PAP.

The concept is to perform two searches. The first requires that SBR bind as a user with enough privileges to search the entire LDAP structure and retrieve the DN of any particular object; in this case, the DN of the user object that matches the username SBR received in the authentication request.

** Note: Some LDAP servers may allow anonymous users to perform this function.
 
Once the first search has retrieved the user's DN, SBR moves on to the second search. If the first search fails to find a match, this authentication method rejects the user.

The second search takes the DN retrieved in search 1 and attempts to bind to the LDAP server as that DN, using the password SBR received in the authentication request.
If the search succeeds, the user is authenticated and SBR can, if configured, retrieve any attributes needed to complete authorization. If the search fails, the authentication method rejects the user.
 
[Bootstrap]
LibraryName=ldapauth.dll
Enable=1
InitializationString=LDAP_FlexBind
 
[Settings]
MaxConcurrent=1
Timeout=20
ConnectTimeout=25
QueryTimeout=10
WaitReconnect=2
MaxWaitReconnect=360
LogLevel = 2
UpperCaseName = 0
PasswordCase=original
PasswordFormat = 0
Search = DoLdapSearch
SSL = 0
;MaxScriptSteps = 10000
;ScriptTraceLevel = 0
;FilterSpecialCharacterHandling = 0
;ShutdownTimeout = 1
 
[NDS]
;Enable = 0
;AllowExpiredAccountsForUsers = 0
;ProfileForExpiredUsers = profile1
;AllowGraceLoginsForUsers = 1
;ProfileForGraceLoginUsers = profile2
 
[Server]
s1=
 
[Server/s1]
Host=172.18.65.82
Port = 389
 
[Failure]
;Accept=0
;Profile=xyz
;FullName=Remote User
 
[Request]
%UserName = User-Name
;Service-Type =
;%NASName = nameofnas
;%NASAddress =
 
[Response]
;Filter-Id =
;Session-Timeout =
;%FullName =
;%Password =
 
[Search/DoLdapSearch]
;Bind as a privileged user
bind=CN=Administrator,CN=Users,DC=pulsesecure,DC=local
Password=password
Base=CN=Users,DC=pulsesecure,DC=local
Scope = 2
Filter=sAMAccountName=<User-Name>
%DN = dn
;if the user is found perform search "AuthenticateUser"
onfound = AuthenticateUser
;else reject the user
onnotfound=$reject
 
[Search/AuthenticateUser]
; bind using the DN retrieved in doldapsearch
Bind = <dn>
;You do not have to supply the password. SBR knows to use the one received in the auth request.
;Setting the base to the DN saves time by going straight to the point.
Base =<dn>
Scope = 2
Filter = sAMAccountName=<User-Name>
Attributes = AttrList
Timeout = 20
onnotfound=$reject
 
[Attributes/AttrList]
;Filter-Id
;Session-Timeout
;thepasswordis
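To make the chain concrete, here is an added Python example (not from this KB article or from SBR itself) that walks a cut-down copy of the two Search sections above the way the text describes: bind as the privileged account, look up the user's DN, then bind as that DN with the request password and return the listed attributes, rejecting the user when either lookup fails or the second bind fails. The LDAP server is replaced by a constructed in-memory directory (FAKE_AD, fake_bind, fake_search) so it runs offline; every name, DN and password in it is an assumption, not real data.

```python
import configparser, re
# Constructed stand-in for the AD directory, DN -> (attributes, password); hypothetical data only.
FAKE_AD = {
    "CN=Administrator,CN=Users,DC=example,DC=local": ({"sAMAccountName": "Administrator"}, "svc-pass"),
    "CN=Alice,CN=Users,DC=example,DC=local": ({"sAMAccountName": "alice", "Filter-Id": "vpn"}, "alice-pw"),
}
def fake_bind(dn, password):  # simple bind: the DN must exist and the password must match
    return dn in FAKE_AD and FAKE_AD[dn][1] == password
def fake_search(base, flt):  # subtree search under base for entries matching attr=value
    attr, _, value = flt.partition("=")
    return [(dn, a) for dn, (a, _) in FAKE_AD.items() if dn.endswith(base) and a.get(attr) == value]

SAMPLE_AUT = """[Search/DoLdapSearch]
bind=CN=Administrator,CN=Users,DC=example,DC=local
Password=svc-pass
Base=CN=Users,DC=example,DC=local
Filter=sAMAccountName=<User-Name>
%DN = dn
onfound = AuthenticateUser
onnotfound=$reject
[Search/AuthenticateUser]
Bind = <dn>
Base =<dn>
Filter = sAMAccountName=<User-Name>
Attributes = AttrList
[Attributes/AttrList]
Filter-Id
"""

def flexible_bind(aut_text, username, password, step="DoLdapSearch", bind=fake_bind, search=fake_search):
    # Walks the Search/* chain: returns the attribute dict on success, None when the user is rejected.
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)  # option names lowercased
    cfg.read_string(aut_text)
    var = {"user-name": username}
    sub = lambda s: re.sub(r"<([^>]+)>", lambda m: var.get(m.group(1).lower(), ""), s)
    while step != "$reject":
        sec = cfg["Search/" + step]
        # Stage 1 carries its own Password; stage 2 omits it, so the request password is used.
        if not bind(sub(sec["bind"]), sec.get("password", password)):
            return None
        hits = search(sub(sec["base"]), sub(sec["filter"]))
        if not hits:
            step = sec.get("onnotfound", "$reject")
        elif "onfound" in sec:  # found: chain to the next search
            if sec.get("%dn") == "dn":  # "%DN = dn" saves the found DN for later <dn> substitution
                var["dn"] = hits[0][0]
            step = sec["onfound"]
        else:  # found in the final stage: return the attributes listed for authorization
            wanted = cfg["Attributes/" + sec["attributes"]] if "attributes" in sec else ()
            return {k: v for k, v in hits[0][1].items() if k.lower() in wanted}
    return None
```

A real deployment would replace fake_bind and fake_search with calls to the LDAP server; the chaining logic stays the same.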

Created By: Angelo Roma