LDAP Active Directory setup on SLP
What parameters do I need to set on the SLP to work with Windows Active Directory?
The minimum setup for LDAP on the SLP includes:
- Primary host - IP address or host name of the AD server
- At least one DNS server configured on the SLP that can resolve the LDAP/AD server's IP address
- Search Bind DN
- Search Bind Password
- User Search Base DN
- User Search Filter
- Group Membership Attribute
- At least one LDAP group configured on the SLP that matches an AD group
- Authenticated users on the AD server that are members of that group
This configuration example assumes that the following is true of the AD environment:
- IP address = 192.168.10.10
- DNS server = 192.168.10.10
- Domain = support.mycompany.com
- User container = Users
- You will use an account called "test" with a password of "testpasswd" for binds
- Usernames that you want to authenticate to the SLP = slpuser01, slpuser02, slpadmin01
- Passwords for the above users = slpuser01passwd, slpuser02passwd, slpadmin01passwd
- Group that the above users belong to = slpgroup
The following actions are required:
On the AD server:
- Create the users listed above with the passwords listed above
- Create a group called slpgroup
- Add the above users as members of that group (except the user called test)
On the SLP (web interface):
- Under Configuration/Network, configure the DNS server as 192.168.10.10
- Under Configuration/LDAP:
  - Set LDAP to "Enabled"
  - Set Primary Host to: 192.168.10.10 or the host name of the AD server
  - Leave the port as 389 for simple binds
  - Leave the bind type as simple
  - Set the Search Bind DN to: cn=test,cn=Users,dc=support,dc=mycompany,dc=com
  - Set the Search Bind Password to: testpasswd
  - Set the User Search Base DN to: dc=support,dc=mycompany,dc=com
  - Set the User Search Filter to: (samaccountname=%s)
  - Set the Group Membership Attribute to: memberof
  - Leave the Group Membership Value Type as: DN
  - Leave the Authentication Order as: Remote->Local (at least until you confirm LDAP functions)
  - Click on the LDAP Groups link
  - Type in the group name: slpgroup
  - Click on Apply
  - Edit access rights for Outlets, Groups (outlet groups, not LDAP groups), and Ports by clicking on each link
  - Edit Environmental Monitor access and User Access level by clicking on the Edit link
You should now be able to log into the SLP using one of the group member accounts. You will be given rights defined by the LDAP group configured on the SLP.
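As an added example (not Server Technology's code), the following Python script models offline the lookup the SLP performs with the settings above: fill the User Search Filter with the login name, find the user under the Base DN, and check the memberof values against the configured LDAP group. The directory contents are constructed, and the rule that the SLP matches the group name against the CN of each memberof DN is an assumption made for this example.

```python
"""Offline model of the lookup the SLP performs with the settings above.

Added example, not Server Technology's code. A constructed dictionary
stands in for the AD server, so the script runs without a network."""

# Settings copied from the SLP procedure on this page.
USER_SEARCH_BASE = "dc=support,dc=mycompany,dc=com"
USER_SEARCH_FILTER = "(samaccountname=%s)"
GROUP_MEMBERSHIP_ATTR = "memberof"
LDAP_GROUP = "slpgroup"

# Constructed stand-in for the AD directory: DN -> attributes (AD returns
# memberOf values as DNs, matching the "DN" Group Membership Value Type).
GROUP_DN = "CN=slpgroup,CN=Users,DC=support,DC=mycompany,DC=com"
DIRECTORY = {
    "cn=slpuser01,cn=Users,dc=support,dc=mycompany,dc=com":
        {"samaccountname": "slpuser01", "memberof": [GROUP_DN]},
    "cn=slpadmin01,cn=Users,dc=support,dc=mycompany,dc=com":
        {"samaccountname": "slpadmin01",
         "memberof": [GROUP_DN, "CN=Domain Admins,CN=Users,DC=support,DC=mycompany,DC=com"]},
    "cn=test,cn=Users,dc=support,dc=mycompany,dc=com":
        {"samaccountname": "test", "memberof": []},   # bind account, not in slpgroup
}

def escape_filter_value(value):
    """RFC 4515 escaping for the %s substitution: a login name such as
    '*' or 'a)(b' must not change the meaning of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username):
    """Fill the User Search Filter exactly as the SLP would send it to AD."""
    return USER_SEARCH_FILTER.replace("%s", escape_filter_value(username))

def search_user(username):
    """Evaluate the single (attr=value) equality filter under the Base DN.
    sAMAccountName matching is case-insensitive, as it is in AD."""
    attr, _, value = build_filter(username)[1:-1].partition("=")
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(USER_SEARCH_BASE.lower())
            and escape_filter_value(attrs.get(attr.lower(), "")).lower() == value.lower()]

def is_authorized(username):
    """Assumed SLP decision: exactly one user entry, and one memberOf DN
    whose leading RDN is the configured LDAP group (DNs are case-insensitive)."""
    hits = search_user(username)
    if len(hits) != 1:          # no match, or ambiguous match: deny
        return False
    wanted = ("cn=" + LDAP_GROUP).lower()
    return any(group_dn.split(",", 1)[0].lower() == wanted
               for group_dn in DIRECTORY[hits[0]][GROUP_MEMBERSHIP_ATTR])
```

Swap in a real LDAP client for `search_user` to run the same check against the AD server before enabling LDAP on the SLP; the bind account only needs read access to the user and group entries.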
[Originally Published On: 08/19/2009 11:57 AM]