Lightweight Directory Access Protocol (LDAP) is used to access directory servers. A directory server is a hierarchical, object-oriented database (DB) (try to stay awake!). A simple example is the telephone directory, which consists of a list of names (of either persons or organizations) organized alphabetically, with each name having an address and phone number associated with it. Objects contain data comprised of attributes, which are a set of key/value pairs. Think of the DB as a tree. A Distinguished Name (DN) is a unique name used to refer to a particular object in the DB tree. A DN is not an object!
A base DN is the base of the DB and is most commonly a DNS domain.
cn - Common Name
ou - Organizational Unit
dc - Domain Component
Containers – containers, OUs, or domains; they can "contain" other objects such as user objects, group objects, and computer objects.
So for a user named John Smith…
cn=John Smith,ou=East,dc=company,dc=com - Distinguished Name for the user.
cn=John Smith - Relative Distinguished Name
dc=company,dc=com - DNS domain name (company.com)
ou=East - Organizational Unit where user "John Smith" resides
Default MS Containers
The default CN=Users and CN=Computers containers that are created when Active Directory is installed are not organizational units (OUs). Objects in the default containers are more difficult to manage because Group Policy cannot be applied directly to them. New user accounts, computer accounts, and security groups that are created by using earlier versions of user interface and command-line management tools, such as the net user and net computer commands, the net group command, the netdom add command where the /ou option is either not specified or not supported, or Windows NT 4.0 tools such as User Manager for Domains, do not allow administrators to specify a target organizational unit and therefore create these objects in either the CN=Computers container or the CN=Users container by default.
So if all of the users are in the “Users” Container, be aware that it would be CN=Users (the common name for the container Users) and not OU=Users.
How do I know what to query for?
The hardest part of this is configuring the LDAP server parameters correctly on the WLC. Our documents make a lot of assumptions that someone not familiar with LDAP will not understand right away. Use an LDAP browsing tool to get this information.
It is important to have some sort of LDAP browsing tool. You can download lots of free LDAP browsers from the Internet. Examples include LDP, which is included on the MS Server CD in the support\tools dir (or just Google it), as well as LDAP Admin on SourceForge http://ldapadmin.sourceforge.net/download/ldapadmin.html (AAA uses this one a lot).
You can also do an anonymous bind, but almost no one does that.
Most want authenticated bind so that is what we are going to do! Once LDP is installed, you can just go to START>Run and type ‘ldp’.
You then want to select Connection>Bind.
Have the customer bind using domain admin account credentials.
Once they have done that, you should see a screen similar to the following.
Then select View>Tree and enter the correct Base DN and click OK.
In this example, the Base DN is DC=leesdeck, DC=com.
So if the customer’s AD setup is ‘company.com’ then the Base DN would be DC=company, DC=com.
Once you have done that, you should see the Base DN in the upper left-hand side of LDP and be able to expand it to find where the account you are going to use to bind to the LDAP server from the WLC resides.
In this example, we are using an account called ‘ldap’.
From this, we can see that the account resides under Users. Again, notice that Users is a CN and not an OU.
We know the base DN for the users is CN=Users,DC=leesdesk,DC=com.
A common user attribute is the sAMAccountName. Case Sensitive!!!!
Object type is Person (notice that the LDP output says objectClass).
You could use other attributes and object types, but these work.
What if I want to bind with an account that is not in the same container as my users?
You need to modify the bind username to reflect the location of the binding account.
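As an added example (not from this document or from Cisco), the following Python assembles the DNs the WLC LDAP entry needs from the pieces described in the John Smith example above and in this question: the base DN from the DNS domain, the user base DN from the users' container (CN=Users or an OU), and the bind username as the full DN of the bind account, wherever it lives. Attribute values are escaped per the RFC 4514 DN string rules; all domain, container and account names are constructed sample values.

```python
# Added example: compose WLC LDAP settings from domain + container paths.
# Names such as company.com, East, "John Smith" and "ldap" are constructed samples.

def base_dn_from_domain(domain: str) -> str:
    """company.com -> DC=company,DC=com"""
    labels = [lbl for lbl in domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def _escape_rdn_value(value: str) -> str:
    """Escape characters that are special inside a DN attribute value (RFC 4514)."""
    specials = ',+"\\<>;='
    out = "".join("\\" + c if c in specials else c for c in value)
    if out.startswith(("#", " ")):   # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):            # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def container_dn(container_path, domain):
    """container_path lists containers from the object upward, e.g. [("OU", "East")]
    or [("CN", "Users")]; the default AD Users container is a CN, not an OU."""
    rdns = [f"{attr}={_escape_rdn_value(val)}" for attr, val in container_path]
    return ",".join(rdns + [base_dn_from_domain(domain)])


def object_dn(rdn_attr, rdn_value, container_path, domain):
    """Full DN of an object: its RDN, then its containers, then the base DN."""
    return f"{rdn_attr}={_escape_rdn_value(rdn_value)}," + container_dn(container_path, domain)


def wlc_ldap_settings(domain, user_container, bind_account, bind_container):
    """The values this document tells you to collect from the LDAP browser.
    The bind account need not sit in the same container as the wireless users;
    the bind username is simply that account's own DN."""
    return {
        "user_base_dn": container_dn(user_container, domain),
        "bind_username": object_dn("CN", bind_account, bind_container, domain),
        "user_attribute": "sAMAccountName",   # case sensitive, as stressed above
        "user_object_type": "Person",
    }


if __name__ == "__main__":
    print(object_dn("CN", "John Smith", [("OU", "East")], "company.com"))
    print(wlc_ldap_settings("leesdeck.com", [("CN", "Users")], "ldap", [("OU", "ServiceAccounts")]))
```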
What if I have users in different containers? Do I have to have all of my wireless LDAP users in the same container?