LDAP Bind issue

Since your ldap is already bind. You have to use the network id and password.

Thanks Sam, but that's the issue. The user accounts are valid and I'm typing in the correct domain passwords but Portal still comes back with yellow boxes. Any other suggestions?

John, when you did the bind, did you select the "bind to multiple containers" option? I have found that if you *don't* select that option the bind doesn't work, even if you really only want to bind to a single container.

Also, you might want to try using an LDAP browser and login with the searchbase/username/password you specified for the bind and see if you can query against the users that aren't working. Since it sounds like the bind itself is working (since you can login for some of the users/identities), it sounds like you might have the wrong search base (i.e. is the 'lawson' user in a different tree than the portal users??)

Well, I tried deleting all identities for my test user and then deleting the RM record.  I then stepped through the "Add user" wizard in the Lawson Security Administrator, recreating the RM record and three identity records, one for the environment, one for employee self-service, and one for SSOP.  Still no go.

What is the DN for the user you specified to be able to do the search?

Does that account have access to search *all* of containers? I'm betting that it doesn't...

John,

The DN for user specified for searching AD is one of the service accounts created for me last week:

CN=LSF9_LDAP_SRV,OU=Service_Users**DO_NOT_DELETE**,DC=Pro1s,DC=Root,DC=ProtectionOne,DC=com

I have verfified that this user account has full read rights across my AD repository.  I confirmed this by using this account within my LDAP browser (Softerra LDAP Browser 2.5.3) and am able to browse all containers and classes.  I also tried using the same service account under ADAM adsiedit to see if I could browse AD that way, and I verified that I can access all containers and classes.

OK, I figured it out through trial and error.

I was trying to bind to the cn (common name) entry in my AD, making the false assumption that the value stored for each entry was equal to a user's domain user ID (first initial and last name).  This is not the case, at least not on my domain.

On my domain, the cn attribute for each user conists of a person's full first and last name.

What I had to do was re-run the LDAP bind.  When I got to the question asking what naming attribute to use when locating users in AD, I entered 'sAMAccountName' instead of using the default of 'cn'. 

Lo and behold, I'm able to login via the Portal now!

When you do the bind to AD, LDAP naming attribute should be [cn]: sAMAccountName LDAP structural object class [inetOrgPerson]: user Do you do it that way??

John,


Yes, I specified a naming attribute of 'sAMAccountName' and the structural object class of 'user'.  What I was using previously was a naming attribute of 'cn'.

So, you're saying you re-did the bind?

Yes, sir, exactly.

The document I referenced at the top of this thread suggested that for AD I was to use the user attribute of common name or 'cn' when doing my bind.  It was only after I took a closer look at the entries for my users in AD that I found the cn attribute did not contain the value I expected. It contained a full user first and last name when I was expecting to find a first initial and last name.  In other words, I expected the cn value to match the domain user ID of each user and this is what I wanted folks to use when logging into Portal.

Once I saw the cn attribute was not going to work, I started looking at what other attributes in AD might contain a user's network logon.  That's when I came across the 'sAMAccountName' attribute.

So all I did was re-run ldapbind, specify "sAMAccountName" for the lookup attribute, and I was good to go.

I appreciate your efforts in helping me try to resolve this issue.