https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575632#M524331 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have a doubt about what information to put in the Admin DN filed when we are defining a LDAP external identity store.</P><P></P><P>For example: the objects in the identity store are in the route: CN=NAC,DC=ds,DC=corp</P><P></P><P>The Admin DN account that I should put to configure and bind the connection has to be mandatorily an admin accont of that domain, or I could put another account from another domain, but where the user defined on the server has read privileges at least to get the groups and subjects.</P><P></P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/108255_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>With this configuration, the bind is successful. The question</P><P></P><P>Thanks and kind regards</P></BODY></HTML> Tue, 13 Jun 2017 11:28:51 GMT palonso_3 2017-06-13T11:28:51Z https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575632#M524331 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have a doubt about what information to put in the Admin DN filed when we are defining a LDAP external identity store.</P><P></P><P>For example: the objects in the identity store are in the route: CN=NAC,DC=ds,DC=corp</P><P></P><P>The Admin DN account that I should put to configure and bind the connection has to be mandatorily an admin accont of that domain, or I could put another account from another domain, but where the user defined on the server has read privileges at least to get the groups and subjects.</P><P></P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/108255_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>With this configuration, the bind is successful. The question</P><P></P><P>Thanks and kind regards</P></BODY></HTML> Tue, 13 Jun 2017 11:28:51 GMT https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575632#M524331 palonso_3 2017-06-13T11:28:51Z https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575633#M524332 <HTML><HEAD></HEAD><BODY><P>It does not need to be an admin account. Since you're going against Active Directory, you don't need to spell out the full DN. You can specify domain\username as well.</P></BODY></HTML> Tue, 13 Jun 2017 13:56:22 GMT https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575633#M524332 vibobrov 2017-06-13T13:56:22Z https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575634#M524335 <HTML><HEAD></HEAD><BODY><P>Hi Viktor,</P><P></P><P>Thanks for your reply. So as far if I understand you, I could put a username from another domain (different from ds.corp), in the form DOMAIN\username, if this username is allowed to ask the LDAP server and get the information.</P><P></P><P>Is that correct?</P><P></P><P>Thanks and regards</P></BODY></HTML> Tue, 13 Jun 2017 14:03:28 GMT https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575634#M524335 palonso_3 2017-06-13T14:03:28Z https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575635#M524337 <HTML><HEAD></HEAD><BODY><P>Yes, that's correct. I've seen some instances when you need to specify the domain even when you're querying the domain controller from that domain, so it's safest to specify the domain.</P></BODY></HTML> Tue, 13 Jun 2017 14:22:35 GMT https://community.cisco.com/t5/network-access-control/external-identity-source-ldap-admin-dn-account/m-p/3575635#M524337 vibobrov 2017-06-13T14:22:35Z