Using Web Server 7 with Microsoft Active Directory

Among the many new security-related features in Web Server 7 are a few new configuration elements for the LDAP auth-db (authentication database).

Here is a summary:

search-filter [optional] The search filter to use to find the user. The default is uid.
group-search-filter [optional] The search filter to find group memberships for the user. The default is uniquemember.
group-target-attr [optional] The LDAP attribute name that contains group name entries. The default is CN.

One use case for these configurable search options is to interoperate with Microsoft Active Directory (MSAD). The problem with MSAD is that user ids are not kept (by default) in the usual uid attribute. For this reason, when the LDAP auth-db attempts to search a MSAD directory to find a user, it will never be able to obtain a match since it is attempting to match on the uid attribute.

In 7.0 we can now set the search-filter attribute to override the usual default. In MSAD the user is kept in an attribute called samAccountName. Here is a sample LDAP auth-db configuration for MSAD (showing a minimal configuration, other options can of course be specified as usual):


P.S. Of course, I should probably point out that a better solution is to simply upgrade to Sun’s own Directory Server instead!