Forum Discussion

gavin84_31753
Feb 28, 2017

AD LDAP Authentication fails with mail as username

We are migrating from OID to AD LDAP. Oracle password works fine. Tried to replicate the configuration for AD LDAP. All is the same with the exception of a query at the beginning. The LDAP team is telling me they use the userPassword attribute. I have also configured it to look for that attribute, but it failed with invalid credentials.


Oracle LDAP Auth OBJECT

    Search Filter: mail=%{session.logon.last.username}
    Variable Assign: session.custom.uid = expr { [ mcget {session.logon.last.username}]}
    IF AUTH PASSES Variable Assign: session.custom.mechanism = expr { "password" }

AD LDAP Query OBJECT

    Search Filter: mail=%{session.logon.last.username}
    Require attribute: mail
    Variable Assign: session.custom.uid = expr { [ mcget {session.logon.last.username}]}

AD LDAP Auth OBJECT

    Search Filter: mail=%{session.logon.last.username}
    IF AUTH PASSES Variable Assign: session.custom.mechanism = expr { "password" }


It will fail auth, so the variable assign password never triggers.

 

Thank you for any assistance
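Added example (not from the post above or from F5): the search filter in the configuration, mail=%{session.logon.last.username}, is built from whatever the user typed at the logon page. The Python below constructs that same filter with the substituted value escaped according to RFC 4515 and contrasts it with raw substitution, where a username such as `*` turns the filter into a match on every mail attribute. Whether APM itself escapes the session variable before substituting it is not stated on this page, so the escaping here is an assumption about what the filter ought to look like, not a description of APM's behaviour. The function names are illustrative.

```python
"""Build the page's LDAP search filter from a login name, escaping the value.

RFC 4515 section 3 requires the characters * ( ) \\ and NUL inside a filter
assertion value to be written as \\2a \\28 \\29 \\5c \\00; any other byte may
also be written as a backslash followed by two hex digits.
"""

# Characters that must be escaped inside an assertion value (RFC 4515).
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII is emitted as escaped UTF-8 bytes, which every server accepts.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def mail_filter(username: str) -> str:
    """The page's filter template, mail=<username>, with the value escaped."""
    return f"(mail={escape_filter_value(username)})"


def unsafe_mail_filter(username: str) -> str:
    """The same template with raw substitution; kept only to show the contrast."""
    return f"(mail={username})"


if __name__ == "__main__":
    # Constructed sample inputs: a normal address and a value containing filter
    # metacharacters that would rewrite the query if substituted unescaped.
    for name in ("alice@example.com", "*", "a)(objectClass=*"):
        print(f"{name!r:22} safe={mail_filter(name)!r:40} raw={unsafe_mail_filter(name)!r}")
```

The raw form is what a filter template gives you when the substituted value is not escaped; the escaped form is what a user-derived value should look like on the wire, regardless of which product assembles the filter.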

 

2 Replies

  • To add a little more info: we now have the same search criteria; however, we removed the Auth and are only doing an LDAP Query requiring the mail and userPassword attributes. We then do a comparison using expr { [mcget -secure {session.logon.last.password}] equals { [mcget {session.ldap.last.attr.userPassword}]} . The userPassword attribute has the password we are looking to authenticate against.

     

    The APM log does not like the comparison string. I get a rule-evaluation "missing close brace" error on it after the query is successful.

     

  • It seems you have a curly brace too many.

    Instead of:

    expr { [mcget -secure {session.logon.last.password}] equals { [mcget {session.ldap.last.attr.userPassword}]} 
    

    Try:

    expr { [mcget -secure {session.logon.last.password}] equals [mcget {session.ldap.last.attr.userPassword}]}