Unsupported content

 

This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Configuring LDAP with Active Directory

This topic describes the steps that you must perform to use Microsoft Active Directory. Active Directory does not allow anonymous connections. Consequently, you must define a default LDAP user name and password so that LDAP session credentials can be refreshed. (See Configuring the Authentication Server to refresh LDAP session credentials for more information about setting up a default user.)

The status of a user account is controlled by the userAccountControl attribute, which indicates whether the account is locked or disabled. The following user validation filter can be used with Active Directory deployments. It ensures that the user account is not disabled or locked.

(&(userAccountControl:1.2.840.113556.1.4.803:=512)
  (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  (!(userAccountControl:1.2.840.113556.1.4.803:=16)))
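The filter above relies on the LDAP_MATCHING_RULE_BIT_AND extensible match (OID 1.2.840.113556.1.4.803), which matches only when every bit of the given value is set in the attribute. The following added example (not code from the BMC documentation) implements that rule and evaluates the page's filter offline against constructed userAccountControl values, so you can see which account states it admits before deploying it; the account names and values are made up for illustration.

```python
# Added example: evaluates the Active Directory user validation filter from the
# page by implementing LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803),
# which matches when (attribute & value) == value.

NORMAL_ACCOUNT = 512         # userAccountControl bit: regular user object
ACCOUNTDISABLE = 2           # userAccountControl bit: account disabled
LOCKOUT = 16                 # userAccountControl bit: account locked out
WORKSTATION_TRUST = 4096     # computer account; shows why the 512 clause matters
DONT_EXPIRE_PASSWORD = 65536 # an unrelated bit that must not reject the user

BIT_AND_RULE = "1.2.840.113556.1.4.803"

def bit_and_matches(value: int, mask: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND: true only if every bit of mask is set in value."""
    return value & mask == mask

def user_validation_filter() -> str:
    """Builds the same filter string as the page, from named flag values."""
    return (
        f"(&(userAccountControl:{BIT_AND_RULE}:={NORMAL_ACCOUNT})"
        f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"
        f"(!(userAccountControl:{BIT_AND_RULE}:={LOCKOUT})))"
    )

def account_allowed(user_account_control: int) -> bool:
    """Mirrors the filter: normal account AND not disabled AND not locked out."""
    return (bit_and_matches(user_account_control, NORMAL_ACCOUNT)
            and not bit_and_matches(user_account_control, ACCOUNTDISABLE)
            and not bit_and_matches(user_account_control, LOCKOUT))

# Constructed sample entries (not real directory data): sAMAccountName -> userAccountControl
SAMPLE_ENTRIES = {
    "alice": NORMAL_ACCOUNT,                        # 512: enabled user, admitted
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,         # 514: disabled, rejected
    "carol": NORMAL_ACCOUNT | LOCKOUT,              # 528: locked out, rejected
    "dave": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,  # 66048: extra bit, still admitted
    "ws01$": WORKSTATION_TRUST,                     # 4096: computer object, rejected
}

def allowed_accounts(entries: dict) -> list:
    """Returns the names the filter would admit, in input order."""
    return [name for name, uac in entries.items() if account_allowed(uac)]

if __name__ == "__main__":
    print(user_validation_filter())
    for name, uac in SAMPLE_ENTRIES.items():
        print(f"{name:6} userAccountControl={uac:<6} allowed={account_allowed(uac)}")
```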

By default, the Authentication Service does not support TLS connections to Active Directory. To enable them, you must install an X.509 certificate that can be used to authenticate the LDAP server. Because Active Directory requires the server certificate to contain the fully qualified domain name (FQDN) of the server in its common name or in one of its subject alternative names, BMC recommends that you always enable FQDN checking on the Authentication Service. To enable FQDN checking, use the following blasadmin command:

set Ldap IsHostValidationEnabled true