ACS cannot access ADS-LDAP starting from "DC=..."

Unanswered Question
Jan 6th, 2009

I have an ACS v4.2 from which I try to access an ADS LDAP directory. When I use "CN=Users,DC=Domain,DC=com" as the baseDN for the users and the groups, everything works as it should. When I change the base DN to "DC=Domain,DC=com" only, the ACS is not able to find any users or groups. Even when trying to configure the group mappings it claims: "LDAP Server NOT reachable. Please check the configuration." Using an LDAP browser I don't have any issues accessing the directory from the shorter baseDN.

Is this a v4.2 related problem or a general ACS problem?

The point is that I need to find users in different OUs, which are based directly under the domain name, so that I need to search for them starting from "DC=Domain,DC=com". I know that with "Generic LDAP" I can make several "Database Configurations" to resolve the issue with the OUs. But not with an "RSA SecurID Token and LDAP Group Mapping" setup. There it is only possible to have one LDAP group mapping configuration.

Any input would be greatly appreciated.

jhillend Wed, 01/07/2009 - 08:56

Do you see any error messages in either ACS or the LDAP server? This configuration is supported and there are no known issues with ACS 4.2. We often see that there is a configuration issue either in ACS or the LDAP structure.

Please contact the TAC if there aren't any obvious error messages available.

ROBERTO GIANA Thu, 01/08/2009 - 04:11

I don't see any reasonable log entries. Not in the ACS logs, not on the domain controller which I'm accessing. The logs look the same when accessing both ways.

The parameters are correct, as the access works without any problems when using the longer baseDN. It doesn't when using the shorter baseDN. But it works again when using the longer baseDN once more.

I will ask TAC. Let's see what they find out.

kerklaanm Tue, 06/01/2010 - 02:34

Did you ever resolve this problem? We are experiencing a similar problem.

ROBERTO GIANA Tue, 06/01/2010 - 05:35

We invested a lot of time together with TAC and development. Short answer: No, it's not solved. It was an ACS bug. But development didn't really understand the problem. We went ahead and restructured the ADS.

The problem we had is that an LDAP directory on Windows is not fully accessible. Even if you connect as a Domain Administrator or to the Global Catalog. :-) And that's where the ACS fails. LDAP browsers just read over the inaccessible parts of an LDAP directory and show you all the accessible parts. ACS doesn't. It stops and reports the failure. You can see that clearly when sniffing the access of the ACS and the LDAP browser to the directory. Unfortunately the inaccessible part is at the beginning of the ADS LDAP directory. :-(

Maybe they have resolved the problem nowadays. Or if you have a Windows guru who can help you in making the directory fully accessible, I would be interested in the how-to.

I wish you best luck with your issue.

Kind regards
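
The behaviour described in the post above (an LDAP browser "reads over" parts of the tree that the ACS chokes on) can be reproduced and inspected without a sniffer. The following Python script is an added example and is not code from the original thread, from Cisco or from Microsoft. It assumes that the "inaccessible parts" at the top of the tree are the search continuation references (referrals) that an Active Directory domain controller returns for the naming contexts hanging below the domain root (ForestDnsZones, DomainDnsZones, Configuration) when a subtree search is rooted at "DC=Domain,DC=com"; that assumption about the poster's environment is not confirmed by the thread. The sample output is constructed in the shape the OpenLDAP `ldapsearch` client prints; the commented command shows how to capture real output from your own domain controller and feed it to the same functions.

```python
import re

# Constructed sample (not captured from the poster's environment) in the shape
# the OpenLDAP ldapsearch client prints for a subtree search rooted at the
# domain naming context of an Active Directory domain. A real capture is
# obtained with something like:
#   ldapsearch -x -H ldap://dc1.Domain.com -D "user@Domain.com" -W \
#       -b "DC=Domain,DC=com" "(objectClass=user)" sAMAccountName
# Besides the matching entries, AD answers with search continuation
# references (the "# refldap://" lines) for the subordinate naming contexts
# that sit below the domain root but are not stored in the domain partition.
SAMPLE_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <DC=Domain,DC=com> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName
#

# Alice, Users, Domain.com
dn: CN=Alice,CN=Users,DC=Domain,DC=com
sAMAccountName: alice

# Bob, Engineering, Domain.com
dn: CN=Bob,OU=Engineering,DC=Domain,DC=com
sAMAccountName: bob

# refldap://ForestDnsZones.Domain.com/DC=ForestDnsZones,DC=Domain,DC=com

# refldap://DomainDnsZones.Domain.com/DC=DomainDnsZones,DC=Domain,DC=com

# refldap://Domain.com/CN=Configuration,DC=Domain,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 2
# numReferences: 3
"""

# ldapsearch prints each continuation reference as a comment line "# ref<url>"
REF_RE = re.compile(r"^# ref(ldap://\S+)")


def parse_search_output(text):
    """Split ldapsearch output into (entries, references).

    entries    : list of dicts, one per returned object, keyed by attribute name
    references : list of LDAP URLs taken from search continuation references
    """
    entries, references = [], []
    current = None
    for line in text.splitlines():
        match = REF_RE.match(line)
        if match:
            references.append(match.group(1))
            continue
        if not line.strip():            # blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):        # any other comment line
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            current = {"dn": value}
        elif current is not None:       # attribute line inside an entry
            current[key] = value
    if current:
        entries.append(current)
    return entries, references


class ReferralNotFollowed(Exception):
    """Raised when a client refuses to continue past a continuation reference."""


def users_from_search(text, tolerate_references=True):
    """Return the sAMAccountNames found in the search output.

    tolerate_references=True  behaves like the LDAP browser in the thread:
                              references are skipped, reachable entries are kept.
    tolerate_references=False behaves like a strict client that aborts the
                              whole lookup as soon as it meets a reference it
                              will not chase, so a root-based search yields
                              nothing even though the entries were returned.
    """
    entries, references = parse_search_output(text)
    if references and not tolerate_references:
        raise ReferralNotFollowed(
            "search returned %d continuation reference(s): %s"
            % (len(references), ", ".join(references)))
    return sorted(e["sAMAccountName"] for e in entries if "sAMAccountName" in e)


def partitions_referenced(text):
    """DNs of the naming contexts a root-based search refers the client to."""
    _, references = parse_search_output(text)
    return [url.split("/", 3)[3] for url in references]


if __name__ == "__main__":
    print("lenient client sees:", users_from_search(SAMPLE_OUTPUT))
    print("references point at:", partitions_referenced(SAMPLE_OUTPUT))
    try:
        users_from_search(SAMPLE_OUTPUT, tolerate_references=False)
    except ReferralNotFollowed as exc:
        print("strict client fails:", exc)
```

If a real capture from your domain controller shows `numReferences` greater than zero for the root base and zero for a base such as "CN=Users,DC=Domain,DC=com", the difference between the two baseDNs in the thread is exactly these references, and the question becomes whether the client can be told to ignore them or whether the base must be narrowed to the OUs that hold the users.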