
Configuring LDAP with Microsoft Active Directory


This topic describes the steps that you must perform to use Active Directory. Active Directory does not allow anonymous connections. Consequently, you must define a default LDAP user name and password so that LDAP session credentials can be refreshed. (See Refreshing LDAP session credentials for more information about setting up a default user.)

The status of a user account is controlled by the userAccountControl attribute, which indicates whether the account is locked or disabled. The following user validation filter can be used with Active Directory deployments. It ensures that the user account is not disabled or locked.

(&(userAccountControl:1.2.840.113556.1.4.803:=512)
  (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  (!(userAccountControl:1.2.840.113556.1.4.803:=16)))
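The filter above uses the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) rather than equality because userAccountControl is a bit field: 512 is the NORMAL_ACCOUNT flag, 2 is ACCOUNTDISABLE and 16 is LOCKOUT. The following added example, which is not part of the product documentation, evaluates that filter in Python against constructed directory entries and contrasts it with a plain equality test; the account names and flag combinations are made up for illustration, and 65536 (DONT_EXPIRE_PASSWD) is an extra flag not mentioned on the page.

```python
# Added example (not from the product documentation): evaluate the page's
# userAccountControl filter against constructed directory entries to show
# what the bitwise matching rule accepts and rejects.

# Flag values from the filter on the page, plus one extra flag (65536,
# DONT_EXPIRE_PASSWD) that is commonly set on service accounts.
NORMAL_ACCOUNT = 512        # 0x0200: an ordinary user account
ACCOUNTDISABLE = 2          # 0x0002: account is disabled
LOCKOUT = 16                # 0x0010: account is locked out
DONT_EXPIRE_PASSWD = 65536  # 0x10000: password never expires

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used in the filter.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def bit_and_match(attribute_value: int, mask: int) -> bool:
    """Semantics of the BIT_AND rule: every bit in `mask` is set in the value."""
    return attribute_value & mask == mask


def build_validation_filter(required: int, forbidden: tuple) -> str:
    """Compose the page's filter: require `required`, reject each `forbidden` flag."""
    clauses = [f"(userAccountControl:{BIT_AND_RULE}:={required})"]
    clauses += [f"(!(userAccountControl:{BIT_AND_RULE}:={flag}))" for flag in forbidden]
    return "(&" + "".join(clauses) + ")"


def passes_validation_filter(entry: dict) -> bool:
    """Python equivalent of the page's filter for one directory entry."""
    uac = int(entry.get("userAccountControl", 0))
    return (bit_and_match(uac, NORMAL_ACCOUNT)
            and not bit_and_match(uac, ACCOUNTDISABLE)
            and not bit_and_match(uac, LOCKOUT))


def naive_equality_filter(entry: dict) -> bool:
    """What a plain (userAccountControl=512) filter would do: exact comparison."""
    return int(entry.get("userAccountControl", 0)) == NORMAL_ACCOUNT


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice",      "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "bob",        "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "carol",      "userAccountControl": NORMAL_ACCOUNT | LOCKOUT},
    {"sAMAccountName": "svc-backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},
]


def allowed_accounts(entries, predicate=passes_validation_filter) -> list:
    """Names of the entries the given predicate lets through."""
    return [e["sAMAccountName"] for e in entries if predicate(e)]


if __name__ == "__main__":
    print(build_validation_filter(NORMAL_ACCOUNT, (ACCOUNTDISABLE, LOCKOUT)))
    print("bitwise filter admits:", allowed_accounts(SAMPLE_ENTRIES))
    print("equality filter admits:", allowed_accounts(SAMPLE_ENTRIES, naive_equality_filter))
```

The bitwise filter admits alice and svc-backup and rejects the disabled and locked accounts, whereas the equality form also rejects svc-backup simply because an unrelated flag changed the integer value. One operational caveat: current Active Directory does not maintain the LOCKOUT bit inside userAccountControl itself; lockout state is exposed through the constructed attribute msDS-User-Account-Control-Computed, so confirm against your own directory which attribute reflects lockouts before relying on that clause.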

By default, TLS connections from the Authentication Service to Active Directory are not enabled. To enable them, you must install an X.509 certificate that can be used to authenticate the LDAP server. Because Active Directory requires the server certificate to contain the fully qualified domain name (FQDN) of the server in its common name or in one of its subject alternative names, it is recommended that you always enable FQDN checking on the Authentication Service. To do so, use the following blasadmin command:

set Ldap IsHostValidationEnabled true
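FQDN checking is a hostname-matching rule: the name the Authentication Service connects to must appear among the certificate's DNS subject alternative names or, when the certificate has none, in its common name. The following added example, which is not part of the product documentation, applies that rule to constructed certificate dictionaries in the layout Python's ssl.SSLSocket.getpeercert() returns, and builds an ssl.SSLContext with hostname verification on. The certificates and names are made up; the ssl context is an analogue of what IsHostValidationEnabled does for the product, not the product's own implementation.

```python
# Added example (not from the product documentation): apply the FQDN rule
# from the page to constructed certificate dictionaries shaped like the
# return value of ssl.SSLSocket.getpeercert(), and build a TLS context
# that enforces hostname verification.
import ssl


def _dns_name_matches(pattern: str, fqdn: str) -> bool:
    """Match one certificate DNS name against the FQDN being connected to.

    Comparison is case-insensitive.  A wildcard is honoured only as the whole
    leftmost label, and only when at least two fixed labels remain, so
    '*.example.com' matches 'dc01.example.com' but not 'dc01.corp.example.com'.
    """
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = fqdn.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    if pattern_labels[0] == "*":
        return len(pattern_labels) >= 3 and pattern_labels[1:] == host_labels[1:]
    return pattern_labels == host_labels


def certificate_dns_names(cert: dict) -> list:
    """DNS entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def certificate_common_names(cert: dict) -> list:
    """commonName values from the subject, in order of appearance."""
    return [value
            for rdn in cert.get("subject", ())
            for attr, value in rdn
            if attr == "commonName"]


def fqdn_in_certificate(cert: dict, fqdn: str) -> bool:
    """True if the certificate names `fqdn`.

    The connect name must itself be fully qualified.  When the certificate
    carries DNS subject alternative names, only those are consulted; the
    common name is a fallback for certificates with no DNS SAN at all.
    """
    if "." not in fqdn.strip("."):
        return False  # a short host name is never an FQDN match
    san_names = certificate_dns_names(cert)
    candidates = san_names if san_names else certificate_common_names(cert)
    return any(_dns_name_matches(name, fqdn) for name in candidates)


def ldaps_tls_context(verify_hostname: bool = True) -> ssl.SSLContext:
    """Client context for LDAP over TLS with certificate and hostname checks.

    `verify_hostname` plays the role of the page's host-validation switch;
    leaving it True is the safe default for a production directory.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = verify_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed certificates (not real ones) in getpeercert() layout.
SAMPLE_CERTS = {
    "san_fqdn": {"subject": ((("commonName", "dc01.example.com"),),),
                 "subjectAltName": (("DNS", "dc01.example.com"), ("DNS", "example.com"))},
    "cn_only_fqdn": {"subject": ((("organizationName", "Example"),),
                                 (("commonName", "dc01.example.com"),)),
                     "subjectAltName": ()},
    "cn_short_name": {"subject": ((("commonName", "DC01"),),), "subjectAltName": ()},
    "wildcard": {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)},
    "san_overrides_cn": {"subject": ((("commonName", "dc01.example.com"),),),
                         "subjectAltName": (("DNS", "ldap.example.com"),)},
}


if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(f"{label:18} dc01.example.com -> {fqdn_in_certificate(cert, 'dc01.example.com')}")
    print("hostname check enabled:", ldaps_tls_context().check_hostname)
```

The cn_short_name case is the one the page warns about: a domain controller certificate issued to the bare host name never matches an FQDN, so the connection fails once host validation is on. In production, let the TLS library perform the match (the context above does so during the handshake) rather than reimplementing it; the matching functions here exist only to make the rule visible.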
