
Can anyone provide input on initial LDAP Authentication configuration?

I am new to using the KACE SMA and attempting to configure LDAP Authentication, but I continue to get the following errors. I have searched and read through similar questions, but haven't quite found the right answer. Is what I am entering into the Advanced Search and Base DN boxes part of the issue? If so, what should it be to complete the authentication?

Testing LDAP Authentication Settings...

Testing "LDAP User Import" connection to: hv-dc1 on Port: 389

OK: Connection Successful.

OK: Setting Protocol Version 3 Successful.

OK: Setting LDAP REFERRALS Option 0 Successful.

OK: Search Bind using LDAP supplied credentials Successful.

Applying search filter [ObjectGUID,SamAccountName,Display Name,Mail,* ]

Error: LDAP search (with filter [ObjectGUID,SamAccountName,Display Name,Mail,* ]) Failed.

Error: LDAP Test Failed. Closing connection.

Advanced Search:

ObjectGUID,SamAccountName,Display Name,Mail,KBOX_USER 

Base DN: 

OU=Executive,DC=hv-dc1,DC=com

OU=Finance,DC=hv-dc1,DC=com

OU=Human Resources,DC=hv-dc1,DC=com

OU=I T Staff,DC=hv-dc1,DC=com

OU=Maintenance,DC=hv-dc1,DC=com

OU=Operations,DC=hv-dc1,DC=com

OU=Public Affairs,DC=hv-dc1,DC=com

OU=Test GPO,DC=hv-dc1,DC=com


Thank you!



Answers (3)

Posted by: akmagnum 5 years ago
Red Belt
1

Try this as your "advanced search".....

(&(&(&(samaccountname=KBOX_USER)(samaccounttype=805306368))(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=9)))


Comments:
  • It is still providing me with an error:

    Applying search filter [(&(&(&(samaccountname=*)(samaccounttype=805306368))(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=9)))]
    Error: LDAP search (with filter [(&(&(&(samaccountname=*)(samaccounttype=805306368))(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=9)))]) Failed.
    Error: LDAP Test Failed. Closing connection. - kperron 5 years ago
Posted by: sven.hain 5 years ago
Fourth Degree Green Belt
1

Good morning,


please try the following.


If you are in "Settings / Control Panel / User authentication", you can create a new LDAP authentication. After that, you type your Domain Controller in the "Hostname or IP Address" field. The port is 389 by default. If you are using secure LDAP, you need to set the port to 636. In the "Advanced search" field you must set a query for your needs. For example, if you want every user to be able to authenticate to the KACE user console, you must set the following search:


(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(samaccountname=KBOX_USER))


The KBOX_USER variable will be set if a user tries to log in to the SMA user console or you use the import scheduler. If you want to test this query, you must set a real username in there, for example "sven.hain". After successful testing you must replace it with the KBOX_USER variable. This query imports every active user from your AD.


In the "Base DN" field you must set the base tree from where the SMA will search for any users. In my environment I had set the Base DN to "OU=Benutzer,OU=Contoso,DC=contoso,DC=local" because all my productive users are under this AD tree.


For the login account I recommend that you create an SMA service account. Please do not use an administrator account for that. You only need read access to the AD.


Another example is my admin query. Here are my advanced search and the base DN:


Advanced Search:


(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberof:=CN=Kace Admins,OU=Gruppen,OU=Contoso,DC=contoso,DC=local)(samaccountname=KBOX_USER))


At "member of" you set the distinguished name of your Kace Admin group.


Base DN:


DC=contoso,DC=local.


This base DN is the root path because my admin accounts are in different OUs.


Hope that helps you.


Comments:
  • Thank you everyone. I have completed the import. I appreciate the help. - kperron 5 years ago
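The two filters in the answer above rely on a few things that are easy to get wrong: the SMA substitutes KBOX_USER with the typed username at login (and with a bare `*` for the import scheduler), `samAccountType=805306368` restricts results to user objects, and `userAccountControl:1.2.840.113556.1.4.803:=2` is Active Directory's bit-AND matching rule, which in the negated form excludes disabled accounts. The script below is an added example, not KACE or Quest code and not a real LDAP client: it parses the quoted filters, substitutes KBOX_USER with RFC 4515 escaping, and evaluates them offline against a handful of constructed directory entries (the usernames, group DN values and attribute values are invented) so you can see which accounts each filter would admit. It also shows why a comma-separated attribute list like the one in the question is rejected: that is not LDAP filter syntax.

```python
# Added example (not KACE/Quest code): offline walk-through of how the SMA's
# "Advanced search" filter behaves. KBOX_USER is substituted as described in
# the answer, the username is escaped per RFC 4515, and the filter is evaluated
# against constructed sample entries with the semantics AD applies, including
# the bit-AND rule 1.2.840.113556.1.4.803 (userAccountControl bit 2 = disabled).
import re

# Filters quoted from the answer above.
ALL_ACTIVE_USERS = ("(&(samAccountType=805306368)"
                    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
                    "(samaccountname=KBOX_USER))")
KACE_ADMINS = ("(&(samAccountType=805306368)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
               "(memberof:=CN=Kace Admins,OU=Gruppen,OU=Contoso,DC=contoso,DC=local)"
               "(samaccountname=KBOX_USER))")
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample entries (attribute names lower-cased); not real accounts.
# userAccountControl: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD, 4096 = WORKSTATION_TRUST_ACCOUNT.
# samAccountType: 805306368 = user object, 805306369 = machine account.
SAMPLE_ENTRIES = [
    {"samaccountname": "jdoe", "samaccounttype": 805306368, "useraccountcontrol": 512,
     "mail": "jdoe@contoso.local",
     "memberof": ["CN=Kace Admins,OU=Gruppen,OU=Contoso,DC=contoso,DC=local"]},
    {"samaccountname": "asmith", "samaccounttype": 805306368, "useraccountcontrol": 514,
     "mail": "asmith@contoso.local", "memberof": []},
    {"samaccountname": "bjones", "samaccounttype": 805306368, "useraccountcontrol": 66048,
     "mail": "bjones@contoso.local", "memberof": []},
    {"samaccountname": "WS01$", "samaccounttype": 805306369, "useraccountcontrol": 4096,
     "memberof": []},
]


def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value),
    presence (attr=*) and extensible match (attr:rule:=value)."""
    pos = 0

    def item():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("filter component must start with '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(item())
            if text[pos] != ")":
                raise ValueError("unbalanced parentheses at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")   # split at the first '='
        pos = end + 1
        rule = ""
        if attr.endswith(":"):                           # attr:rule:= or attr:=
            attr, _, rule = attr[:-1].partition(":")
        return ("=", attr.lower(), rule, value)

    node = item()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-cased attrs)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    raw = entry.get(attr)
    if raw is None or raw == []:
        return False                                  # absent attribute never matches
    values = raw if isinstance(raw, list) else [raw]
    if rule == BIT_AND_RULE:                          # every bit in the mask must be set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if value == "*":                                  # presence test
        return True
    wanted = unescape_filter_value(value).lower()
    return any(str(v).lower() == wanted for v in values)


def expand_kbox_user(filter_template, username):
    """What the SMA does at login: KBOX_USER becomes the (escaped) typed name."""
    return filter_template.replace("KBOX_USER", escape_filter_value(username))


def users_matching(filter_template, username, entries=SAMPLE_ENTRIES):
    node = parse_filter(expand_kbox_user(filter_template, username))
    return [e["samaccountname"] for e in entries if matches(node, e)]


def import_candidates(filter_template, entries=SAMPLE_ENTRIES):
    """The import scheduler substitutes a bare '*' for KBOX_USER instead."""
    node = parse_filter(filter_template.replace("KBOX_USER", "*"))
    return [e["samaccountname"] for e in entries if matches(node, e)]


def is_valid_filter(text):
    """True only for well-formed filter syntax; an attribute list is not one."""
    try:
        parse_filter(text)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    print("login as jdoe:", users_matching(ALL_ACTIVE_USERS, "jdoe"))
    print("login as asmith (disabled):", users_matching(ALL_ACTIVE_USERS, "asmith"))
    print("import, all users:", import_candidates(ALL_ACTIVE_USERS))
    print("import, admins:", import_candidates(KACE_ADMINS))
    print("question's list valid?",
          is_valid_filter("ObjectGUID,SamAccountName,Display Name,Mail,KBOX_USER"))
```

Running it shows the disabled account and the machine account dropped by the first filter, only the group member admitted by the admin filter, and the comma-separated attribute list rejected outright, which matches the "LDAP search ... Failed" result in the question. Against a live SMA the same check is the one the answer describes: put a real username in place of KBOX_USER, run the test, then put the variable back.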
Posted by: Hobbsy 5 years ago
Red Belt
0

Why not simplify your approach, use the default searchbase dn and set the Base DN to the top of your AD tree, can you then authenticate? If so you know you have an issue with your settings and not your AD?
