- Gold, 750 points or more
What is LDAP?
Lightweight Directory Access Protocol is ued to access directory servers. A directory server is a hierarchical, object oriented database (DB) (try to stay awake!). A simple example is the telephone directory, which consists of a list of names (of either persons or organizations) organized alphabetically, with each name having an address and phone number associated with it. Objects contain data comprised of attributes which are a set of key/value pairs. Refer to a DB as a tree. Distinguished Name (DN) is a unique name used to refer to a particular object in the DB tree. A DN is not an object!
A base DN is the base of the DB and is most commonly a DNS domain.
cn - Common Name
ou - Organizational Unit
dc - Domain Component
Containers – containers, OU’s, or domains and can “contain” other objects like user objects, group objects, and computer objects.
So for a user named John Smith…
cn=John Smith,ou=East,dc=company,dc=com - Distinguished Name for the user .
cn=John Smith - Relative Distinguished Name
dc=company,dc=com - DNS domain name (company.com)
ou=East - Organizational Unit where user "John Smith" resides
Default MS Containers
The default CN=Users and CN=Computers containers that are created when Active Directory is installed are not organizational units (OUs). Objects in the default containers are more difficult to manage because Group Policy cannot be applied directly to them. New user accounts, computer accounts, and security groups that are created by using earlier versions of user interface and command-line management tools, such as the net user and net computer commands, the net group command, the netdom add command where the /ou command is either not specified or supported, or Windows NT 4.0 tools such as User Manager for Domains, do not allow administrators to specify a target organizational unit and therefore create these objects in either the CN=Computers container or the CN=User container by default.
So if all of the users are in the “Users” Container, be aware that it would be CN=Users (the common name for the container Users) and not OU=Users.
How do I know what to query for?
The hardest part of this is configuring the LDAP server parameters correctly on the WLC. Our documents make a lot of assumptions that someone not familiar with LDAP will not understand right away. Use an LDAP browsing tool to get this information
It is important to have some sort of LDAP browsing tool. You can download lots of free LDAP browsers from the Internet. Examples include LDP which is included on the MS Server CD in the support\tools dir (or just Google it) as well as LDAP Admin by SourceForce http://ldapadmin.sourceforge.net/download/ldapadmin.html (AAA uses this one a lot).
You can also do an anonymous bind, but almost no one does that.
Most want authenticated bind so that is what we are going to do! Once LDP is installed, you can just go to START>Run and type ‘ldp’.
You then want to select Connection>Bind
Have the customer bind using domain admin account credentials.
Once they have done that, you should see a screen similar to the following
Then select View>Tree and enter the correct Base DN and click OK.
In this example, the Base DN is DC=leesdeck, DC=com.
So if the customer’s AD setup is ‘company.com’ then the Base DN would be DC=company, DC=com.
Once you have done that, you should see the Base DN in the upper left-hand side of LDP and be able to expand it out to find where the account you are going to use to bind to the LDAP server on the WLC.
In this example, we are using an account called ‘ldap’.
From this, we can see that the account resides under Users. Again, notice that Users is a CN and not an OU.
We know the base DN for the users is CN=Users,DC=leesdesk,DC=com.
A common user attribute is the sAMAccountName. Case Sensitive!!!!
Object type is Person (notice in the ldp output is says objectClass.
You could use other attributes and object types, but these work.
What if I want to bind with an account that is not in the same container as my users?
You need to modify the bind username to reflect the location of the binding account
What if I have users in different containers? Do I have to have all of my wireless LDAP users in the same container?
No, you can search the base DN