12-03-2013 11:43 AM - edited 03-18-2019 02:14 AM
In this environment, secured communication with the directory server is required. There is also a load balancer involved when communicating with Active Directory servers, so using Kerberos with Active Directory fails when pointing to AD through the load balancer. It works fine when we bypass the load balancer. The search filter used is able to pull all the desired users from a specific group I've set up.
Example that works when using AD with or w/o Kerberos Authentications:
Base DN: nvolab.net
Relative Search DN:
Search Filter: (&(objectCategory=person)(memberOf=CN=Jabber,OU=GROUPS,DC=nvolab,DC=net))
This works fine. But when switching to LDAP it is able to communicate but the search filter doesn't pull any users.
I've tried variations on the search string of
(memberof:1.2.840.113556.1.4.1941:=(cn=Jabber,OU=GROUPS,DC=nvolab,DC=NET))
(&(objectClass=user)(memberOf=CN=Jabber,OU=GROUPS,DC=nvolab,DC=NET))
etc...
None of them seem to be able to pull the user information when using LDAP.
Anyone know how this should be configured on TMS to properly pull the users that are members of the Jabber group in AD when using LDAP?
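The filter variations quoted in the post above can be syntax-checked offline before testing them against a directory. The following is an added example, not part of the original thread and not Cisco or TMS code: a small checker for the RFC 4515 filter string format, with the three filters copied in as sample input. It only checks syntax and never contacts a directory server; the function name `check_filter` is an assumption made for this example.

```python
import re

# Sample input: the three filters quoted in the post above.
SAMPLE_FILTERS = [
    "(&(objectCategory=person)(memberOf=CN=Jabber,OU=GROUPS,DC=nvolab,DC=net))",
    "(memberof:1.2.840.113556.1.4.1941:=(cn=Jabber,OU=GROUPS,DC=nvolab,DC=NET))",
    "(&(objectClass=user)(memberOf=CN=Jabber,OU=GROUPS,DC=nvolab,DC=NET))",
]
# Attribute, then either [:dn][:matchingRule]:= (extensible match) or a simple operator.
ITEM_HEAD = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(?:(?::dn)?(?::[A-Za-z0-9.-]+)?:=|~=|>=|<=|=)")
HEX_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")

def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return the index after it."""
    if s[i:i + 1] != "(":
        raise ValueError(f"offset {i}: expected '('")
    i += 1
    if s[i:i + 1] in ("&", "|"):        # AND / OR: a list of nested filters
        i += 1
        while s[i:i + 1] == "(":
            i = _parse(s, i)
    elif s[i:i + 1] == "!":             # NOT: exactly one nested filter
        i = _parse(s, i + 1)
    else:                               # simple item: attr op value
        head = ITEM_HEAD.match(s, i)
        if head is None:
            raise ValueError(f"offset {i}: bad attribute or operator")
        i = head.end()
        while i < len(s) and s[i] != ")":
            if s[i] == "(":             # RFC 4515: '(' in a value must be written \28
                raise ValueError(f"offset {i}: unescaped '(' in value (escape as \\28)")
            if s[i] == "\\" and not HEX_ESCAPE.match(s, i):
                raise ValueError(f"offset {i}: backslash not followed by two hex digits")
            i += 3 if s[i] == "\\" else 1
    if s[i:i + 1] != ")":
        raise ValueError(f"offset {i}: expected ')'")
    return i + 1

def check_filter(s):
    """Return None for a well-formed filter, otherwise the error text."""
    try:
        end = _parse(s, 0)
    except ValueError as exc:
        return str(exc)
    return None if end == len(s) else f"offset {end}: trailing characters"

if __name__ == "__main__":
    for f in SAMPLE_FILTERS:
        print(check_filter(f) or "ok", "|", f)
```

The first and third filters pass; the second is reported because the group DN after `:=` is wrapped in unescaped parentheses, which the filter string format does not allow inside a value.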
12-03-2013 01:18 PM
Ask your admins if it's possible to use a specific AD server for this task.
Also consider asking the load balancer vendor if he knows of such an issue and
possibly has a workaround.
Did you try it with some other LDAP tool to see if you succeed? If it's unencrypted, maybe
Wireshark can tell you more.
If you do not get a better answer here consider asking TAC, though I would say
this sounds like a 3rd party issue, so not sure what they would say, ...
Please remember to rate helpful responses and identify helpful or correct answers.
12-03-2013 01:25 PM
They simply need to be able to use LDAP over SSL. Since LDAP with SSL works through the load balancer, and we know the load balancer breaks AD Kerberos but does not break unsecure AD, the only option for them is to use LDAP with SSL. This achieves the secure connection to AD through the load balancer. The only thing I need to figure out is the proper search string configuration to pull the users as stated above.
When using unsecure LDAP and grabbing the packets, I see the LDAP queries going to the DC and the DC returning a response. But no user information is contained, only 0 matches. So any help with the TMS configuration of LDAP will help immensely. This is mocked up in my lab for easy comparison.
12-03-2013 01:26 PM
Btw, is this a phonebook for your Jabber or JabberVideo users? If the second, I would handle it within the TMS ;-)
12-03-2013 01:48 PM
Jabber Video Users in the Provisioning Directory User Import.
12-03-2013 02:19 PM
Ah, ok, hehe yea, thought it was about phonebook imports, but then it's your JabberVideo users itself.
What versions of TMS and Provisioning do you use anyhow?
12-03-2013 02:21 PM
TMS 14.3 TMSPE 1.1