
External Identity Source - LDAP Admin DN account

palonso_3
Level 1

Hi,

I have a doubt about what information to put in the Admin DN field when we are defining an LDAP external identity store.

For example: the objects in the identity store are in the route: CN=NAC,DC=ds,DC=corp

Does the Admin DN account that I should put to configure and bind the connection have to be mandatorily an admin account of that domain, or could I put another account from another domain, but where the user defined on the server has read privileges at least to get the groups and subjects?

With this configuration, the bind is successful. The question

Thanks and kind regards



vibobrov
Cisco Employee

It does not need to be an admin account. Since you're going against Active Directory, you don't need to spell out the full DN. You can specify domain\username as well.

Hi Viktor,

Thanks for your reply. So as far as I understand you, I could put a username from another domain (different from ds.corp), in the form DOMAIN\username, if this username is allowed to ask the LDAP server and get the information.

Is that correct?

Thanks and regards

Yes, that's correct. I've seen some instances when you need to specify the domain even when you're querying the domain controller from that domain, so it's safest to specify the domain.
