Need some LDAP help

I’m completely new to AD stuff and having a hard time getting LDAP auth to work.

I have a service account for Active Directory and know our LDAP servers, and have tested a filter but I keep getting the error “did not match stored password”.

In Windows Active Directory, if I use this search query with a good email it works just fine.

(&(objectClass=user)(mail={login}))

Is there something else that’s required that I’m missing?

Here’s the (anonymized) configuration we’re using where I work:

LDAP Host: dc.example.org
LDAP Port (defaulted): 389
LDAP Security: None
Username: DOMAIN\ldap_user
User Search Base: OU=Accounts,DC=example,DC=org
User Filter: (&(|(sAMAccountName={login})(userPrincipalName={login}))(memberOf:1.2.840.113556.1.4.1941:=cn=Metabase,ou=Services,dc=example,dc=org))
Email Attribute: userPrincipalName

I think we had a problem using mail as the Email Attribute; not all users have it defined, and I think that was causing lookups to fail – but I don’t recall exactly. The weirdness with memberOf enables a recursive search for a group that is a member of another group. We’re using sAMAccountName and userPrincipalName to allow logging in with either user.name@example.org or user.name.

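The User Filter from the post above, as an added example that is not from the thread or from Metabase: it substitutes the login into the filter with RFC 4515 escaping (so a value containing `*` or `)` cannot change the filter's structure), and it evaluates the filter's semantics over a small constructed in-memory directory to show that the `1.2.840.113556.1.4.1941` matching rule is what lets a member of a nested group pass, while a plain `memberOf` clause does not. The directory entries, the `Analysts` group and the `find_user` helper are constructed for the demonstration; `find_user` models the filter rather than parsing the string.

```python
RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD "matching rule in chain": transitive membership
GROUP_DN = "cn=Metabase,ou=Services,dc=example,dc=org"
FILTER_TEMPLATE = ("(&(|(sAMAccountName={login})(userPrincipalName={login}))"
                   f"(memberOf:{RULE_IN_CHAIN}:={GROUP_DN}))")

def escape_filter_value(value):
    """Escape a user-supplied login for an LDAP filter (RFC 4515) so that
    characters such as '*' and ')' cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_user_filter(login):
    """The thread's User Filter with {login} replaced by the escaped value."""
    return FILTER_TEMPLATE.replace("{login}", escape_filter_value(login))

# Constructed directory (not real data). As in AD, memberOf holds only *direct* group DNs.
DIRECTORY = {
    "cn=alice,ou=Accounts,dc=example,dc=org": {
        "sAMAccountName": "alice", "userPrincipalName": "alice@example.org",
        "memberOf": ["cn=Analysts,ou=Services,dc=example,dc=org"]},
    "cn=bob,ou=Accounts,dc=example,dc=org": {
        "sAMAccountName": "bob", "userPrincipalName": "bob@example.org",
        "memberOf": []},
    "cn=Analysts,ou=Services,dc=example,dc=org": {"memberOf": [GROUP_DN]},  # nested group
    GROUP_DN: {"memberOf": []},
}

def transitive_member_of(dn, seen=None):
    """All groups reachable through memberOf: what the 1.4.1941 rule evaluates."""
    seen = set() if seen is None else seen
    for group in DIRECTORY.get(dn, {}).get("memberOf", []):
        if group not in seen:
            seen.add(group)
            transitive_member_of(group, seen)
    return seen

def find_user(login, transitive=True):
    """Return the DN the filter would match for this login, or None.
    transitive=False models a plain (memberOf=...) clause without the OID."""
    for dn, attrs in DIRECTORY.items():
        names = {attrs[a].lower() for a in ("sAMAccountName", "userPrincipalName") if a in attrs}
        if login.lower() not in names:
            continue
        groups = transitive_member_of(dn) if transitive else set(attrs["memberOf"])
        if GROUP_DN in groups:
            return dn
    return None
```

`find_user("alice")` succeeds only with the transitive rule because alice is in `Analysts`, which is in turn a member of the `Metabase` group; with `transitive=False` the same login is rejected, which is the symptom the memberOf OID in the post avoids.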
Turns out I just needed to click the enable LDAP button. RTFM folks.

Yeah, I was worried this was going to happen:

…right now it's a bit confusing that you can fill in all the settings and hit save, and if you forgot to hit the toggle you might think LDAP is enabled. You might also have filled in the settings, then scroll back to the top and flip the toggle, not realizing you needed to hit Save Changes, then navigate away and unknowingly lose your changes.

Yeah that’s exactly what happened. I felt like an idiot after troubleshooting my configuration for an hour, but it isn’t very intuitive to start filling out forms, hit save, and then not have anything working.