Open GryphonWorx opened 6 years ago
Hi,
Did you have any luck in making your AD LDAP auth work?
I've been struggling with it for the last few days as well...
Answering my own question... Following on from the first post:
User DN: [username]@ad.domain.com
Group Query: (&(cn=*)(member=[dn]))
Username Mapping: sAMAccountName
I looked at line 174/175 of login-ldap.php where it is forming the group_dn query:
$group_query = str_replace('[username]', $credentials['username'], $group_query);
$group_query = str_replace('[dn]', $userdata['dn'], $group_query);
There is an earlier function (getLDAPMappedItem) that should get the user DN from search user query.
So rather than using the '[username]' portion, you can format the Group Query to use the user distinguished name mapping to search for what groups the user is in.
I am an AD pleb, so there is probably a "right" way to do this that I am unaware of...
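The two str_replace() lines quoted above drop the username and the user's DN straight into the Group Query filter. As an added example (not the plugin's code, and assuming login-ldap.php does not already escape these values upstream), this is the same placeholder substitution with each value passed through ldap_escape() first, plus a cheap parenthesis check before the filter is handed to ldap_search(); the function names buildGroupQuery and filterIsBalanced are my own.

```php
<?php
// Requires ext-ldap for ldap_escape() (PHP >= 5.6).

/**
 * Build the group-membership filter from the admin-configured Group Query
 * template, e.g. "(&(cn=*)(member=[dn]))". The template itself is trusted
 * (it comes from the plugin config); only the substituted values are not.
 */
function buildGroupQuery(string $template, string $username, string $userDn): string
{
    // Escape for use inside a filter *value*: * ( ) \ and NUL become \2a \28 \29 \5c \00,
    // so a username such as "jdoe)(cn=*" can no longer change the shape of the filter.
    $safeUser = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $safeDn   = ldap_escape($userDn,   '', LDAP_ESCAPE_FILTER);

    // strtr() replaces both placeholders in a single pass, so a value that happens
    // to contain the literal text "[dn]" is never re-expanded (sequential
    // str_replace() calls, as in the plugin, would expand it).
    return strtr($template, [
        '[username]' => $safeUser,
        '[dn]'       => $safeDn,
    ]);
}

/**
 * Sanity check: every "(" in the final filter must be matched by a ")".
 * Catches a malformed template (or a failed substitution) before the query
 * reaches the directory server and shows up as an opaque "Login failed".
 */
function filterIsBalanced(string $filter): bool
{
    $depth = 0;
    foreach (str_split($filter) as $ch) {
        if ($ch === '(') {
            $depth++;
        } elseif ($ch === ')') {
            $depth--;
            if ($depth < 0) {
                return false;
            }
        }
    }
    return $depth === 0;
}

// Constructed sample values; the DN mirrors the Search DN used in this thread.
$template = '(&(cn=*)(member=[dn]))';
$userDn   = 'CN=Jane Doe,CN=Users,DC=ad,DC=domain,DC=com';
$filter   = buildGroupQuery($template, 'jdoe', $userDn);

echo $filter, PHP_EOL;
echo filterIsBalanced($filter) ? "filter ok\n" : "malformed filter\n";
```

A plain DN contains commas and equals signs but no filter metacharacters, so the escaped value is unchanged and the resulting member= filter is what the directory expects; only a username or DN carrying `*`, `(`, `)` or `\` is rewritten.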
I have spent a few hours fiddling with this to get it to work with my AD LDAP and I have gotten to a certain point. With these settings:
User DN: [username]@ad.domain.com
Search DN: CN=Users,DC=ad,DC=domain,DC=com
I can get it to authenticate but it still says "Login failed...". However, with some fiddling in the plugin code to add extra log messages it actually gets as far as setting:
But I think that since it fails to get group information the underlying system doesn't consider it authenticated or something to that extent? I'm not sure what to put in Group Query or Identifier. With a Group Query it can't find anything on sAMAccountName=[username] which should be possible. I know you made this for a client, but you would get a ton of users if it worked with AD :o!