LDAP Group Authorization in Active Directory

There is no problem with authentication, and if the user is in the ACL all works fine.

The problem occurs with group authorization in AD. When a user tries to log in the authentication works, but the authorisation fails.

As we can see, the problem is caused by the common name in AD when it contains a comma.

Look at this:

Scenario 1, DOES NOT WORK

CN name in AD = Doe, John (include comma)

Authorization Filter is:

(&(objectclass=group)(Member=%*))

Result: the LDAP log file shows the following search filter:

(&(objectclass=group)(Member=CN=Doe, John,OU=XX,OU=Users,OU=XXX,DC=eu,DC=XXXXXXX,DC=com))

Scenario 2, WORKS FINE

CN name in AD = Doe John (NO comma)

Same Authorization Filter

Result: the LDAP log file shows the following search filter:

(&(objectclass=group)(Member=Doe John))

Why does Domino create a DN for %* when there is a comma in the common name?

Why does Domino create only a CN when there is no comma?

Any knowledge about this issue? Is there a workaround?

We have an AD with a lot of commas and we are not allowed to change the common names and remove the commas, which would be the easiest way to manage this…

Subject: LDAP Group Authorization in Active Directory

Scenario 1, DOES NOT WORK

CN name in AD = Doe, John (include comma)

Authorization Filter is:

(&(objectclass=group)(Member=%*))

Result: the LDAP log file shows the following search filter:

(&(objectclass=group)(Member=CN=Doe, John,OU=XX,OU=Users,OU=XXX,DC=eu,DC=XXXXXXX,DC=com))

What is the actual LDAP DN name of the target person in your AD? The query filter above is assuming it is

CN=Doe, John,OU=XX,OU=Users,OU=XXX,DC=eu,DC=XXXXXXX,DC=com

“OU=Users,OU=XXX,DC=eu,DC=XXXXXXX,DC=com” is the container where AD places users

“\,” is how “,” is escaped in LDAP.

Scenario 2, WORKS FINE

CN name in AD = Doe John (NO comma)

Same Authorization Filter

Result: the LDAP log file shows the following search filter:

(&(objectclass=group)(Member=Doe John))

The values of the member attribute must be LDAP DNs. “Doe John” is not an LDAP DN. Did you really mean to type “(&(objectclass=group)(Member=CN=Doe John,OU=XX,OU=Users,OU=XXX,DC=eu,DC=XXXXXXX,DC=com))”?
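As an added illustration (not code from this thread), here is how a DN whose CN contains a comma has to be escaped twice: once as an RDN value inside the DN (RFC 4514, giving CN=Doe\, John,...) and again when that DN is placed as a value inside a search filter (RFC 4515, where the backslash itself becomes \5c). The OU/DC components are constructed placeholders like the ones in the posts above.

```python
# Added example, not from the thread: DN escaping (RFC 4514) and filter
# escaping (RFC 4515) for a member lookup on a CN that contains a comma.

DN_SPECIALS = ',+"\\<>;'  # characters that need a backslash inside an RDN value

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN: 'Doe, John' -> 'Doe\\, John'."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, last)
        out.append('\\' + ch if (ch in DN_SPECIALS or leading_hash or edge_space) else ch)
    return ''.join(out)

def build_dn(cn: str, parent: str) -> str:
    """Build 'CN=<escaped cn>,<parent>'; parent is assumed to be already escaped."""
    return 'CN=' + escape_rdn_value(cn) + ',' + parent

def escape_filter_value(value: str) -> str:
    """RFC 4515: NUL, '(', ')', '*' and '\\' in an assertion value become \\XX hex escapes."""
    table = {'\x00': '\\00', '(': '\\28', ')': '\\29', '*': '\\2a', '\\': '\\5c'}
    return ''.join(table.get(ch, ch) for ch in value)

def member_filter(dn: str) -> str:
    """Group filter matching the thread's (&(objectclass=group)(Member=<dn>)) shape."""
    return '(&(objectclass=group)(member=' + escape_filter_value(dn) + '))'

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas; shows where an unescaped comma breaks the DN."""
    parts, cur, i = [], '', 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):   # keep escape pair together
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ',':
            parts.append(cur)
            cur = ''
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    return parts

# Constructed placeholder container, same shape as the thread's redacted one.
PARENT = 'OU=XX,OU=Users,OU=XXX,DC=eu,DC=example,DC=com'
```

Running split_rdns on the unescaped form "CN=Doe, John,OU=XX" yields three pieces, which is why an unescaped comma in the CN cannot match the stored member value.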

Subject: RE: LDAP Group Authorization in Active Directory

That is the result we can read in the log file, but there is something strange, and Rolf P says the same as you.

The user we tested at first was in both Domino and AD; maybe that caused the problem. By the way, and that is more confusing: it works!

Now we have made several tests with a user that only exists in AD, and the result is in this thread.

Subject: LDAP Group Authorization in Active Directory

Thomas, you have to be aware that there are two (common) forms of identification in LDAP.

One is via the Common Name (CN), and the other is via the distinguished name (DN). Each of these has unique characteristics. The CN may contain a space. The DN may NOT contain a space.

The Active Directory (AD) does not use CN for identification, it does however use DN.

Domino on the other hand, uses CN (or DN) for identification, but primary is CN.

In your case, the CN in AD is not used to identify the person, while it is used in Domino.

I assume that the words “Doe John” actually refers to a person named “John Doe”. Is that right?

Regards

Rolf Pfotenhauer

Subject: RE: LDAP Group Authorization in Active Directory

Very interesting information, we will do some more tests and come back.

Subject: LDAP Group Authorization in Active Directory

Rolf,

Confusing for us. You are perfectly right: my previous example seems to authorize with CN in Domino. Now we have a user only existing in AD and we don't understand the results.

Test 1: no comma in CN, login successful

Filter=(&(objectclass=group)(Member=CN=Alenback Lars-Erik,OU=MfgTech,OU=Users,OU=XXX,DC=XX,DC=XXXXX,DC=com))

Test 2: comma in CN, login fails

Filter=(&(objectclass=group)Member=CN=Alenback, Lars-Erik,OU=MfgTech,OU=Users,OU=XXX,DC=XX,DC=XXXXX,DC=com))

  1. Why does it not work with a comma? Is there any workaround?

  2. What do you mean by "DN may not contain a space"? As you can see there is a space in the CN part of the DN in both cases.

Still, the only problem is authorization; authentication is OK in all tests. There is also only a problem with groups. If the user exists in the ACL he can log in regardless of whether there is a comma in the CN or not.