441 Views · 0 Helpful · 3 Replies
Beginner

External Identity Source - LDAP Admin DN account

Hi,

I have a doubt about what information to put in the Admin DN field when we are defining an LDAP external identity store.

For example: the objects in the identity store are in the route: CN=NAC,DC=ds,DC=corp

Does the Admin DN account that I put in to configure and bind the connection mandatorily have to be an admin account of that domain, or could I put in another account from another domain, where the user defined on the server has at least read privileges to get the groups and subjects?

With this configuration, the bind is successful. The question

Thanks and kind regards


3 REPLIES
Cisco Employee

Re: External Identity Source - LDAP Admin DN account

It does not need to be an admin account. Since you're going against Active Directory, you don't need to spell out the full DN. You can specify domain\username as well.

Beginner

Re: External Identity Source - LDAP Admin DN account

Hi Viktor,

Thanks for your reply. So, if I understand you correctly, I could put in a username from another domain (different from ds.corp), in the form DOMAIN\username, as long as this username is allowed to query the LDAP server and get the information.

Is that correct?

Thanks and regards

Cisco Employee (Accepted Solution)

Re: External Identity Source - LDAP Admin DN account

Yes, that's correct. I've seen some instances when you need to specify the domain even when you're querying the domain controller from that domain, so it's safest to specify the domain.
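The two points made in the replies above (the bind account does not need to be an administrator, and the identity should always carry its domain, either as DOMAIN\username, user@domain or a full DN) can be checked before touching the ISE configuration. The following is an added example, not code from this thread, from Cisco or from ISE: it classifies the value you intend to enter in the Admin DN field, builds an ldapsearch probe that binds as that (least-privilege) account and reads the users and groups under the base DN from the question, and parses the resulting LDIF to confirm the account can actually see the objects and their group membership. The hostname, service-account names and the LDIF text are constructed for the example.

```python
"""Pre-flight checks for the ISE LDAP 'Admin DN' bind account.

Added example; not from the Cisco Community thread, Cisco or ISE.
All hostnames, account names and the LDIF sample below are constructed.
"""
import re

# Three identity forms Active Directory accepts in a simple bind.
DN_RE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*=[^,]+)(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$')
DOWNLEVEL_RE = re.compile(r'^([^\\/@\s]+)\\([^\\/@\s]+)$')          # DOMAIN\user
UPN_RE = re.compile(r'^([^\\/@\s]+)@([^\\/@\s]+\.[^\\/@\s]+)$')     # user@domain.tld


def classify_bind_identity(value):
    """Return (form, domain). form is 'dn', 'downlevel', 'upn' or 'bare'.

    'bare' means no domain was given, which the accepted answer says to
    avoid: always state the domain, even for the DC's own domain.
    """
    value = value.strip()
    if DN_RE.match(value):
        dcs = [p.split('=', 1)[1] for p in value.split(',') if p.upper().startswith('DC=')]
        return 'dn', '.'.join(dcs) if dcs else None
    m = DOWNLEVEL_RE.match(value)
    if m:
        return 'downlevel', m.group(1)
    m = UPN_RE.match(value)
    if m:
        return 'upn', m.group(2)
    return 'bare', None


def ldapsearch_probe_command(host, base_dn, bind_identity):
    """argv for an OpenLDAP ldapsearch that binds as the candidate account
    (simple bind over LDAPS, password prompted with -W) and reads the users
    and groups ISE will need under base_dn. Run it by hand; capture the output
    and feed it to summarize_probe()."""
    return ['ldapsearch', '-H', f'ldaps://{host}', '-x', '-D', bind_identity, '-W',
            '-b', base_dn, '-s', 'sub',
            '(|(objectClass=group)(objectClass=user))',
            'sAMAccountName', 'objectClass', 'memberOf']


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, '#' comments
    skipped, folded lines (leading space) joined. Base64 ('::') values are
    not decoded; they are not needed for counting objects."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if not raw.strip():
            if current.get('dn'):
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(' ') and last is not None:
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(':')
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current.get('dn'):           # 'search:'/'result:' trailer has no dn and is dropped
        entries.append(current)
    return entries


def summarize_probe(ldif_text):
    """What the bind account could read: group names, user names, and users
    whose memberOf was not returned (a sign the account lacks read rights on
    group membership, which ISE needs for authorization rules)."""
    users, groups, no_memberof = [], [], []
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get('objectClass', [])}
        name = e.get('sAMAccountName', [e['dn'][0]])[0]
        if 'group' in classes:
            groups.append(name)
        elif 'user' in classes:
            users.append(name)
            if not e.get('memberOf'):
                no_memberof.append(name)
    return {'users': users, 'groups': groups, 'users_without_memberof': no_memberof}


# Constructed ldapsearch output (not a real directory); bob's memberOf is
# deliberately missing to show what an under-privileged read looks like.
SAMPLE_LDIF = """\
# extended LDIF (constructed sample)
dn: CN=NAC Users,CN=NAC,DC=ds,DC=corp
objectClass: top
objectClass: group
sAMAccountName: NAC Users

dn: CN=Alice Example,CN=NAC,DC=ds,DC=corp
objectClass: top
objectClass: user
sAMAccountName: alice
memberOf: CN=NAC Users,CN=NAC,DC=ds,DC=corp

dn: CN=Bob Example,CN=NAC,DC=ds,DC=corp
objectClass: user
sAMAccountName: bob

# search result
search: 2
result: 0 Success
"""

if __name__ == '__main__':
    for ident in ['CN=svc_ise,CN=Users,DC=ds,DC=corp', 'OTHERDOMAIN\\svc_ise',
                  'svc_ise@otherdomain.corp', 'svc_ise']:
        form, domain = classify_bind_identity(ident)
        print(f'{ident!r}: form={form} domain={domain}' + ('  <- specify the domain' if form == 'bare' else ''))
    print(' '.join(ldapsearch_probe_command('dc1.ds.corp', 'CN=NAC,DC=ds,DC=corp', 'OTHERDOMAIN\\svc_ise')))
    print(summarize_probe(SAMPLE_LDIF))
```

Any non-empty `users_without_memberof` list from a real probe means the candidate account can see the user objects but not their group membership; fix the account's read permissions before entering it in ISE, since a successful bind alone (the poster's observation) does not prove group lookups will work.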