How To Find Bind Dn In Active Directory

Posted on admin

.cn.uid.mailIf an LDAP object is not found, the next authenticationmechanism is tried.If an LDAP object is found, SGD performs a bindusing the name of the LDAP object and the password typed by theuser. If the bind fails, the next authentication mechanism istried.If the authentication succeeds, SGD searches thelocal repository for the user profile, seefor details. If the Loginattribute of the user profile is not enabled, the user cannotlog in and no further authentication mechanisms are tried. Ifthe Login attribute of the user profile is enabled, the user islogged in. 2.4.1.1. User Identity and User ProfileThe user identity is the DN of the user's LDAP object.

In theSGD datastore, the user identity is in the LDAPnamespace. In the Administration Console, the text '(LDAP)' isdisplayed next to the user identity. On the command line, theuser identity is located in./service/sco/tta/ldapcache.SGD establishes the user profile by searching thelocal repository, allowing for differences between the LDAPand SGD naming systems.

So if you are okay to scan entire AD then your 'Base DN for LDAP Search' would be. And your 'distinguished name for LDAP bind' would. The bindDN DN is basically the credential you are using to authenticate against an LDAP. When using a bindDN it usually comes with a password associated with it. In other words when you specify a bindDN you are using that object security access to go through the LDAP tree.

Find distinguished name of user

Base Distinguished Name For Users

SGD searchesfor the following until a match is found. 2.4.3.2. Network Requirements for LDAP AuthenticationBefore you enable LDAP authentication, make sure all theSGD servers in the array can contact each LDAPdirectory server used for authentication.The ports used for connections to LDAP directory servers areTCP port 389 for standard connections and port TCP 636 forsecure ( ldaps://) connections. If yourdirectory servers use different ports, you can specify theport when you enable LDAP authentication.

You must make sureSGD can make LDAP connections using these ports.To be able to use secure ( ldaps://)connections, SGD must be able to validate the SSLcertificate presented by an LDAP directory server. You mighthave to import the CA certificates for your LDAP directoryservers into the SGD CA certificate truststore.See for details of howto check for supported CAs and how to import CA certificates.

2.4.3.3. LDAP Bind DN and Password ChangeBy default, SGD uses two LDAP bind DNs, anadministrator bind DN and a user bind DN.The administrator bind DN is the user name and passwordconfigured for LDAP authentication. The administrator bind DNis used only for querying the directory server and so thisuser must have privileges to search the directory. You mightwant to create a special LDAP user for use withSGD.

The administrator bind can be an anonymousbind. Active Directory does not support anonymous binds.The user bind DN is the user name and password provided when auser logs in. By default, the user bind DN is used forauthentication and password change operations.Once a user's password expires, they cannot log in toSGD and SGD cannot force them tochange their password. SGD can be configured towarn users that their password is about to expire, and toforce them to change their password before it expires, see. ForSGD to be able to do this, the following must betrue.Do not use the 'User must change password after reset'option either in the global password policy or for anindividual password policy. This causes the passwordchange to fail.The administrator bind DN must have administrativeprivileges.For Active Directory, password expiryincluding forcing the user to change their password at nextlogon, can only be handled if there is a secure connection( ldaps://) between the SGDserver and the Active Directory server.By default, Novell eDirectory requiresthat all simple LDAP binds that contain a password must use anSSL connection.