LDAP Module Errors in 5.X

0
My LDAP module and config on Mx4 was working fine. I upgraded to Mx5 and also upgraded the module. I'm able to successfully test the connection and browse my root directory, but my users are not able to get authenticated. I'm thinking it's an issue with the search filter config or AD login name field config. My config is set up to 'Only authenticate users based on their pre-supplied credentials'. Has anyone had issues connecting, or can you provide some sample config?
asked
3 answers
2

I worked through this with a client on 5.15 last week and ultimately found a solution. We had the exact same issue - the test authentication worked but actually logging in failed. This is with the LDAP Synchronization Module.

Short answer: change your search filter from:

(&(objectclass=user)(mail="[%Username%]"))

to:

(&(objectclass=user)(userPrincipalName="[%Username%]"))

Long answer (if that doesn't work for you): we changed the search filter. We found that, upon login, the LDAP module takes the username you entered (which we had configured to sAMAccountName), appends the domain suffix you configured, and searches for that concatenated string based on the search filter.

For example, if my username was "eti" and my domain suffix was "@mendix.local", the LDAP module looks for "eti@mendix.local" on the Active Directory based on your search string.

Perhaps this behavior should be changed in the LDAP module, but here's how we worked around the issue.

We downloaded Active Directory Explorer (usually you can log into it without entering any connection details) and found that there was an attribute called userPrincipalName that matched this concatenated format (sAMAccountName + domain suffix). Upon changing the search string (as above), we were able to authenticate and log in successfully!

Good luck!

answered
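The lookup described in the answer above, as an added example (not part of the original post and not the LDAP module's own code): it models the search as "username + domain suffix substituted into the filter" and evaluates both filters against a constructed directory entry. The entry, its mail value, the token handling and all function names are assumptions; the RFC 4515 escaping step is an addition a filter builder should have whenever login input ends up inside a search filter.

```python
import re

TOKEN = '"[%Username%]"'  # placeholder exactly as written in the filters on this page
MAIL_FILTER = '(&(objectclass=user)(mail="[%Username%]"))'
UPN_FILTER = '(&(objectclass=user)(userPrincipalName="[%Username%]"))'

# Constructed sample entry: the mail address differs from sAMAccountName + suffix.
ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["eti"],
    "userPrincipalName": ["eti@mendix.local"],
    "mail": ["e.tisch@example.com"],
}

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so login input cannot alter the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_filter(template: str, username: str, domain_suffix: str) -> str:
    """Assumed model of the login lookup: username + suffix replaces the token."""
    return template.replace(TOKEN, escape_filter_value(username + domain_suffix))

def unescape(value: str) -> str:
    """Turn \\XX hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(ldap_filter: str, entry: dict) -> bool:
    """Evaluate a flat (&(attr=value)...) equality filter, case-insensitively."""
    attrs = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    clauses = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    return bool(clauses) and all(
        unescape(value).lower() in attrs.get(attr.lower(), [])
        for attr, value in clauses
    )

if __name__ == "__main__":
    for name, template in (("mail", MAIL_FILTER), ("userPrincipalName", UPN_FILTER)):
        built = build_filter(template, "eti", "@mendix.local")
        print(f"{name:18} {built}  match={matches(built, ENTRY)}")
```

The mail filter finds nothing because no entry has mail equal to "eti@mendix.local", while the userPrincipalName filter matches the same user.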
1

Julio, I would check with Mendix if the new LDAP module (https://appstore.home.mendix.com/link/app/1218/Mendix/LDAP-Provisioning-Agent) also does the authentication. The documentation is not clear on that point. From my memory this module was a complete rewrite of the old module, but I am not completely sure because both LDAP modules are on Mx 5. Maybe Roeland Salij could answer this question and give some details about the differences between these modules.

Regards,

Ronald

answered
0

Not clear indeed. We had problems with the LDAP Synchronization module in Mx5.11, so my customer is still running on 5.9.0. Now we would like to update to 5.16 or higher, but which module is now the best option?

LDAP Provisioning Agent or LDAP Synchronization module?

answered