LDAP Configuration for Active Directory

Hi all!

I’ve spent a few hours this week trying to find a working configuration for an Active Directory LDAP backend.

Basically, only these two configuration directives need to differ from the documentation’s example:

    user_id_attribute: "sAMAccountName"
    unique_member_attribute: "member"

This will allow users to log in using their account name. No DOMAIN\user or user@DOMAIN.com is required; simply user will work.

If you want to enable SSL:

    host: "dc01.domain.com"
    port: 3269
    ssl_enabled: true
    ssl_trust_all_certs: true

3269 is the Global Catalog LDAPS port. I prefer it over the non-GC port, 636, to avoid referrals. Your use case may differ depending on your environment, especially if you have multiple domains within a forest.

ssl_trust_all_certs is necessary unless you prefer importing your Active Directory’s domain root CA into the Java keystore.
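As an added example that is not part of this post or of the product's own code, a small Python checker that reads a flat fragment like the two above and reports what a reviewer would look for: the AD port table, the finding texts and the `lint_ad_ldap` / `parse_fragment` names are assumptions of this example, not of the product.

```python
"""Lint a flat AD LDAP backend fragment (constructed example, not product code)."""

# Well-known AD LDAP ports: port -> (name, encrypted, global catalog)
AD_PORTS = {
    389: ("LDAP", False, False),
    636: ("LDAPS", True, False),
    3268: ("GC LDAP", False, True),
    3269: ("GC LDAPS", True, True),
}

def parse_fragment(text):
    """Parse flat `key: value` lines; coerce bools/ints, strip quotes."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip().strip('"').strip("'")
        if raw.lower() in ("true", "false"):
            cfg[key.strip()] = raw.lower() == "true"
        elif raw.isdigit():
            cfg[key.strip()] = int(raw)
        else:
            cfg[key.strip()] = raw
    return cfg

def lint_ad_ldap(cfg):
    """Return a list of findings about the fragment (empty list means clean)."""
    findings = []
    port = cfg.get("port")
    name, encrypted, gc = AD_PORTS.get(port, ("unknown", None, None))
    if cfg.get("ssl_enabled") is not True:
        findings.append("ssl_enabled is not true: bind credentials travel in cleartext")
    elif encrypted is False:
        findings.append(f"port {port} ({name}) is a plaintext port; LDAPS expects 636 or 3269")
    if cfg.get("ssl_trust_all_certs") is True:
        findings.append("ssl_trust_all_certs is true: any certificate is accepted, so the DC "
                        "cannot be told apart from an on-path host; import the domain root CA instead")
    if gc is False:
        findings.append(f"port {port} is non-GC; multi-domain forests may return referrals")
    if cfg.get("user_id_attribute") != "sAMAccountName":
        findings.append("user_id_attribute is not sAMAccountName: plain 'user' logins will not match")
    if cfg.get("unique_member_attribute") != "member":
        findings.append("unique_member_attribute should be 'member' for AD groups")
    return findings

# Constructed input: the poster's SSL fragment plus the two AD attribute directives.
POSTED_FRAGMENT = """host: "dc01.domain.com"
port: 3269
ssl_enabled: true
ssl_trust_all_certs: true
user_id_attribute: "sAMAccountName"
unique_member_attribute: "member"
"""

if __name__ == "__main__":
    for finding in lint_ad_ldap(parse_fragment(POSTED_FRAGMENT)):
        print("-", finding)
```

Run against the posted fragment it reports only the trust-all setting; run against a port 389 fragment without ssl_enabled it reports cleartext binds and the referral caveat as well.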


Thank you for your guide!