Question
· May 7, 2019

LDAP Configuration "user...not found"

Hello All!

I'm brand new to HealthShare and trying to enable LDAP Authentication. When I run the authentication test, the base DN looks good and the search user is successfully authenticated. However, the user is still not found. We have a linux installation in Azure, and I'm connecting to a Windows AD server (provided both Azure and local hostnames). I'm using the full DN in the username field. For the "LDAP Unique search attribute" I've tried, CN, DN, and sAMAccountName. For now, I'm not using TLS and I've unchecked the "Use LDAP Groups for Roles/Routine/Namespace" and cleared out the user attribute fields for those defaults, though I will add them back and build those groups in AD once I get a successful test.

Advice on this or anything else is greatly appreciated and warmly accepted.

Version: Cache for UNIX (Red Hat Enterprise Linux for x86-64) 2018.1.2 (Build 309U)

Discussion (3)0
Log in or sign up to continue

There are a lot of possible reasons this search be failing, but they mostly boil down to not looking in the right place for the user or not being able to identify the user when you find it.  Here are a few things to try:

For a Windows AD server, you will almost certainly want sAMAccountName as the unique search attribute. 

Check to make sure your base DN includes the location of the user you're trying to authenticate.  You may want to test with a high-level or generic base DN to make sure it matches the user account.  For example, try DC=intersystems, DC=com instead of a longer base DN like: OU=Boston, OU=Users, DC=intersystems, DC=com  This will mean you search a larger part of the tree (which is slower) but will let you make sure you're searching an area which includes your user.

Take a look at exactly what DN the is being used for the failing user.  This should be in the detailed output of the test connection.  Is the base DN being appended to the full DN that you gave as the username?  If so, you may not want to use the full DN as the username, and instead just the value of the account name.

Thanks for responding!

Yes, I agree that it sounds like I'm just not looking in the correct place, but unfortunately, I'm already searching at the highest part of the tree just as you indicated (DC=company, DC=local). The based DN is not being appended to the full DN I gave as the username.

Because the search user authenticates, I don't believe it's a connection issue. I've searched using the full DN (CN, OU, DC), using uid=, using sAMAccountName=, and using just the actual username. I'm relatively new to Linux, so I was hoping it was some simple methodology that had to be used when connecting to a Windows AD server.

It can be tricky to get the exact form of the username right on a Linux client connecting to a Windows AD server.  If you're familiar with using an LDAP browser, you might be able to use one to manually look for the user object you're trying to find, and see what the account name shows up as.   That might let you check for any details you might not be exactly matching.

Unfortunately I don't know of a one size fits all solution, since each AD server is set up differently.