WLC 9800 doesn't find users in AD tree for LDAP authentication

Dear Community,

We have a configuration problem with the LDAP servers on a WLC 9800.

The LDAP server configuration is:

Server Information for DCxx
================================
Server name :DCxx
Server Address :x.x.x.x
Server listening Port :389
Bind Root-dn :bot0024@domain.com
Server mode :Non-Secure
Cipher Suite :0x00
Authentication Seq :Search first. Then Bind/Compare password next
Authentication Procedure:Bind with user password
Base-Dn :DC=xxxx,DC=xx
Object Class :UserPrincipalName
Object Class :Person
Object Class :sAMAccountName
Request timeout :30
Deadtime in Mins :0
State :ALIVE

The user arrives at the AD tree, but the query on it doesn't find anything...

Please Help.

 

MHM Cisco World
Collaborator

There are two searches: one is
CN

the other is
sAMAccountName

Here you search for sAMAccountName, but I think the LDAP is configured with CN only.

Dear MHM

I'm trying with different objects. Now I have in Base-Dn -> CN=Users,DC=xxx,DC=xx

And Object class -> UserPrincipalName

but it isn't working anyway...

Do you have any suggestions?

Thanks for your Help

 

...

MHM Cisco World
Collaborator

Base DN, like the example above, is
CN:User,DC:TAC,DC:ottawa,DC:forwent,DC:com
so depending on your AD, if you use CN:User you can use it with the base DN.

MHM Cisco World
Collaborator

There are two different ones,
CN

and
sAMAccountName
This depends on the AD.
I share the photo of where we use CN or sAMAccountName.

Dear,

Your help is being so useful. Thanks a lot.

I share with you how the LDAP server configuration is now:

Server Information for DC01
================================
Server name :DC01
Server Address :xx.x.xx.xxx
Server listening Port :389
Bind Root-dn :bot0024
Server mode :Non-Secure
Cipher Suite :0x00
Authentication Seq :Search first. Then Bind/Compare password next
Authentication Procedure:Bind with user password
Base-Dn :DC=xxxx,DC=xx
Object Class :Person
Attribute map :AttName
Request timeout :30
Deadtime in Mins :0
State :ALIVE
No. of active connections :0

where "attName" is: Map: AttName
sAMAccountName String username

 

but it doesn't work...

I attach a photo of the GUI configuration for more help.

Thanks for your help

 

Does the bind username have to have privileged permissions, or only read permissions?

Regards

Bind user name is full as it is entered in AD.

Dear MHM,

The problem is more difficult than we thought. It is related to: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv11813

As a Cisco engineer mentioned to us, the WLC searches the user by cn=Name, not by sAMAccountName or UserPrincipalName.

An example from a Wireshark capture:

48420 259.244042 xx.x.xxx.xx xx.x.xxx.xx LDAP xxx searchResEntry(3) "CN=Pepe Rodriguez Cisco,OU=Partner,OU=PROVEEDORES,OU=Usuarios,DC=LABCISCO,DC=COM" | searchResDone(3) success [2 results]

Our bind user arrives at the AD tree, but with this bug it cannot validate the users well... We are waiting for this bug to be solved ASAP.

Thanks for all

As I mentioned before, the WLC uses CN, not sAMAccountName.
But
we can make it work even with sAMAccountName by configuring AD with the login name and making the user use this login name.
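The "Search first. Then Bind/Compare password next" sequence discussed in this thread, as an added offline simulation that is not code from the thread, from Cisco or from the WLC: a small constructed directory stands in for the AD tree, and the entry DNs, passwords and function names are assumptions. It shows why a CN search with the login name returns no entry while a sAMAccountName search (or an account whose CN equals its login name, MHM's workaround) succeeds, how the Base-Dn scopes the search, and how the username is escaped per RFC 4515 so it cannot alter the filter.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping (backslash first so it is not re-escaped); keeps a typed
# username from altering the filter the WLC sends in the "search first" step.
_FILTER_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")]

def build_filter(attr: str, value: str) -> str:
    """Equality filter for the search step, e.g. (cn=Pepe Rodriguez Cisco)."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return f"({attr}={value})"

@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str]
    password: str  # stands in for the password AD verifies on the bind step

# Constructed directory standing in for the AD tree in the thread (not real data).
CONSTRUCTED_AD: List[Entry] = [
    Entry("CN=Pepe Rodriguez Cisco,OU=Partner,DC=LABCISCO,DC=COM",
          {"cn": "Pepe Rodriguez Cisco", "sAMAccountName": "prodriguez",
           "userPrincipalName": "prodriguez@labcisco.com"}, "S3cret!"),
    # MHM's workaround: an account whose CN is the same as its login name.
    Entry("CN=bot0024,CN=Users,DC=LABCISCO,DC=COM",
          {"cn": "bot0024", "sAMAccountName": "bot0024",
           "userPrincipalName": "bot0024@labcisco.com"}, "B1nd-pw"),
]

def search_first_then_bind(directory: List[Entry], base_dn: str, attr: str,
                           username: str, password: str) -> Tuple[str, Optional[str]]:
    """Simulate 'Search first. Then Bind/Compare password next': look under base_dn
    for exactly one entry whose attr equals username, then bind as that entry's DN
    with the user's password. Returns (filter sent, DN on success or None)."""
    ldap_filter = build_filter(attr, username)
    matches = [e for e in directory
               if e.dn.lower().endswith(base_dn.lower())
               and e.attrs.get(attr, "").lower() == username.lower()]
    if len(matches) != 1:   # nothing found (or ambiguous): no bind is attempted
        return ldap_filter, None
    if matches[0].password != password:  # bind step rejected: invalidCredentials
        return ldap_filter, None
    return ldap_filter, matches[0].dn

if __name__ == "__main__":
    for attr in ("cn", "sAMAccountName"):
        print(attr, search_first_then_bind(CONSTRUCTED_AD, "DC=LABCISCO,DC=COM",
                                           attr, "prodriguez", "S3cret!"))
```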
