Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Use Microsoft Active Directory for authentication


Authenticate users with LDAP registries in a Microsoft Active Directory forest


Overview

Authenticating a user across multiple repositories, or across a distributed LDAP repository such as a Microsoft Active Directory forest, fails if there is more than one match at run time. The default unique ID in Microsoft AD is the sAMAccountName attribute of a user. User IDs are guaranteed to be unique within a single domain; they are not guaranteed to be unique across a tree or a forest. For example, suppose the user ID smith is added in the forest and in each subdomain. The search for...

...returns three matches. WAS does not authenticate this user when there is more than one possible match in the registry.

We can mitigate this condition by changing the user filter to be based on the userPrincipalName attribute of the user, which is unique across the forest, instead of being based on their sAMAccountName attribute. However, users must then know to log in using their userPrincipalName, which they might not know.
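The following is an added example, not code from the IBM documentation: a small filter evaluator over a constructed sample forest that shows why the default sAMAccountName filter yields several matches for smith (so the login is rejected) while the userPrincipalName filter yields exactly one. The directory entries, domain names and DNs are constructed assumptions; the filter syntax and the %w placeholder are the ones the page uses.

```python
import re

# Constructed sample forest: the same sAMAccountName "smith" exists in the
# forest root and in two subdomains, but each userPrincipalName is unique.
FOREST = [
    {"dn": "CN=smith,CN=Users,DC=acme,DC=net", "objectClass": "user",
     "sAMAccountName": "smith", "userPrincipalName": "smith@acme.net"},
    {"dn": "CN=smith,CN=Users,DC=east,DC=acme,DC=net", "objectClass": "user",
     "sAMAccountName": "smith", "userPrincipalName": "smith@east.acme.net"},
    {"dn": "CN=smith,CN=Users,DC=west,DC=acme,DC=net", "objectClass": "user",
     "sAMAccountName": "smith", "userPrincipalName": "smith@west.acme.net"},
    {"dn": "CN=jones,CN=Users,DC=acme,DC=net", "objectClass": "user",
     "sAMAccountName": "jones", "userPrincipalName": "jones@acme.net"},
]

# One equality assertion inside a filter, e.g. (objectClass=user)
ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def search(user_filter, login_name, entries=FOREST):
    """Evaluate a WAS-style AND filter such as
    (&(objectClass=user)(userPrincipalName=%w)) against the entries.
    %w is replaced by the name the user typed at login. Only a conjunction
    of equality assertions is supported, which covers this page's filters."""
    filled = user_filter.replace("%w", login_name)
    if not (filled.startswith("(&") and filled.endswith(")")):
        raise ValueError("only (&(...)(...)) filters are supported")
    wanted = ASSERTION.findall(filled[2:-1])
    # These AD attributes match case-insensitively.
    return [e["dn"] for e in entries
            if all(e.get(attr, "").lower() == val.lower()
                   for attr, val in wanted)]


def authenticate(user_filter, login_name):
    """Apply the registry rule the page describes: exactly one match is
    required; zero or several matches mean the login is rejected (None)."""
    matches = search(user_filter, login_name)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    sam = "(&(objectClass=user)(sAMAccountName=%w))"
    upn = "(&(objectClass=user)(userPrincipalName=%w))"
    print(search(sam, "smith"))                       # three DNs: ambiguous
    print(authenticate(sam, "smith"))                 # None: login rejected
    print(authenticate(upn, "smith@east.acme.net"))   # exactly one DN
```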


Establish a userPrincipalName user filter

  1. On a stand-alone LDAP registry, to search for userPrincipalName instead of sAMAccountName, go to...

      Advanced Lightweight Directory Access Protocol (LDAP) user registry settings

    ...and set something like...

      (&(objectClass=user)(userPrincipalName=%w))

    On a federated repositories registry, change the login property to: uid;cn.

    1. Click...

      In a multiple security domain environment, click...

        Security domains | domain_name

      Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.

    2. Under Related items, click Manage repositories.

    3. Under General Properties, add the following information:

      Repository identifier: forest
      Directory type: Microsoft Windows Server 2003 Active Directory
      Primary host name: forest.acme.net
      Port: 389
      Failover server used when primary is not available: None
      Bind distinguished name: cn=wasbind, CN=Users, DC=ib
      Bind password: ********
      Login properties: uid;cn

  2. Click OK and Save to save the changes to the master configuration.

  3. On the LDAP repository configuration page, under Additional properties, click LDAP attributes.

  4. Click Add > Supported.

  5. Set...

      Name: userPrincipalName
      Property name: cn
      Entity types: PersonAccount

  6. Click OK and Save to save the changes to the master configuration.

  7. On the dmgr, edit...

      PROFILE_ROOT/conf/cells/<cell>/wim/config/wimconfig.xml

  8. Find the <config:attributeConfiguration> element.

  9. Add the following lines:

      <config:attributes name="userPrincipalName" propertyName="cn">
          <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>


  10. Save the wimconfig.xml file.

  11. On all of the nodes in the configuration, run...

      cd PROFILE_ROOT/bin/
      ./syncNode.sh
