Device enrollment with LDAP authentication

C.Soft
asconauto

Hi,

I'm trying to configure an enrollment rule with LDAP user authentication, and it seems something went wrong.

I've installed an LDAP server (Windows Server 2012 R2) with ONLY the AD LDS feature! I can't join this server to a domain, so I need to configure a standalone AD LDS instance.

I've configured everything as in the manual, and I can connect and bind to the LDAP server with ADSI Edit, create groups, users, etc.

With ldp.exe I'm able to bind with a Windows security principal (local Windows account) and even with an AD LDS security principal (Simple), so it seems everything works fine.

But when I try to enroll a device and it asks me for the user credentials, I can't bind with an AD LDS user (Simple); it always returns the error: Wrong username or password!

What am I missing? What can I do?

Thanks.

7 years ago
Android
ANSWERS
C.Soft
7 years ago (edited 7 years ago)

After many days of trying, I finally found a solution by myself!

The issue was that if you have AD LDS without a domain, you CAN'T set up LDAP in MobiControl with:

- Authentication Type : Negotiate

- LDAP Server : Active Directory

because in this way MobiControl tries to authenticate all users with Windows authentication, and it fails!

The solution is:

1) Create a user with admin rights in AD LDS. To do so, you have to add it to the Administrators group under Roles;

2) Set up LDAP in MobiControl with:

- Authentication Type : Basic

- Username and Password of the new admin AD LDS account in full DN format, for example CN=Admin,CN=Users,DC=LDAPServer

- LDAP Server : Other LDAP

- Change the values of the Group and User Attributes to meet your requirements. In my case, I can't use uid for Identifier because it's empty. You can use, for example, name or cn.

Save and authentication works :)

Hope it helps!
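The following script is an added example and is not part of the original post, nor code from SOTI MobiControl. It reproduces, from PowerShell on any Windows box with network access to the instance, the two bind modes the answer contrasts (Negotiate, i.e. Windows authentication, versus Basic, i.e. an LDAP simple bind with a full DN) against a standalone AD LDS instance, reports which candidate identifier attributes are actually populated on its user objects (the answer found uid empty), and then walks through the lookup-then-bind sequence an enrollment login performs, using the identifier attribute you pick. The host name, port, base DN and the example login `jdoe` are assumptions; the bind DN is the format from the answer. The login value is escaped per RFC 4515 before it goes into the search filter, so a name typed at enrollment cannot alter the query.

```powershell
# Added example (not from the original post or from MobiControl): probe a standalone
# AD LDS instance the way the answer's "Basic" / "Other LDAP" settings do.
# All connection values below are assumptions; replace them with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server  = 'ldapserver.example.local'        # assumed AD LDS host
$Port    = 636                               # assumed; the LDAPS port of your instance
$UseSsl  = $true                             # a simple bind sends the password in clear text without TLS
$BaseDn  = 'DC=LDAPServer'                   # assumed partition; matches the DN suffix in the answer
$BindDn  = 'CN=Admin,CN=Users,DC=LDAPServer' # full-DN format, as in the answer
$BindPwd = Read-Host -AsSecureString -Prompt 'Password for the AD LDS admin user'
$Cred    = New-Object System.Net.NetworkCredential($BindDn, $BindPwd)

function Connect-Ldap {
    # Open a connection and bind with the requested mechanism; returns $null on failure.
    param(
        [System.Net.NetworkCredential]$Credential,
        [System.DirectoryServices.Protocols.AuthType]$AuthType
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential, $AuthType)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    # For a self-signed AD LDS certificate you would set
    # $conn.SessionOptions.VerifyServerCertificate to a callback that pins it (not done here).
    try {
        $conn.Bind()
        Write-Host "$AuthType bind as '$($Credential.UserName)': OK"
        return $conn
    } catch {
        Write-Host "$AuthType bind as '$($Credential.UserName)': FAILED ($($_.Exception.Message))"
        $conn.Dispose()
        return $null
    }
}

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping; backslash must be replaced first.
    return $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
}

function Get-PopulatedIdAttributes {
    # Count, per candidate attribute, how many user objects carry a value for it.
    param([string[]]$Candidates = @('uid','cn','name','userPrincipalName','displayName'))
    $conn = Connect-Ldap -Credential $Cred -AuthType Basic
    if (-not $conn) { return }
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, '(objectClass=user)',
                [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Candidates)
    $resp = $conn.SendRequest($req)
    $conn.Dispose()
    foreach ($attr in $Candidates) {
        $filled = @($resp.Entries | Where-Object {
            $_.Attributes.Contains($attr) -and $_.Attributes[$attr].Count -gt 0 }).Count
        [pscustomobject]@{ Attribute = $attr; PopulatedUsers = $filled; TotalUsers = $resp.Entries.Count }
    }
}

function Test-EnrollmentLogin {
    # Lookup with the admin bind, then a simple bind as the found user's DN.
    param([string]$IdAttribute, [string]$Login, [System.Security.SecureString]$Password)
    $admin = Connect-Ldap -Credential $Cred -AuthType Basic
    if (-not $admin) { return $false }
    $filter = "(&(objectClass=user)($IdAttribute=$(ConvertTo-LdapFilterValue $Login)))"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, $filter,
                [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('distinguishedName'))
    $resp = $admin.SendRequest($req)
    $admin.Dispose()
    if ($resp.Entries.Count -ne 1) {
        Write-Host "Lookup $filter matched $($resp.Entries.Count) entries; expected exactly 1"
        return $false
    }
    $userDn   = $resp.Entries[0].DistinguishedName
    $userConn = Connect-Ldap -Credential (New-Object System.Net.NetworkCredential($userDn, $Password)) -AuthType Basic
    if ($userConn) { $userConn.Dispose(); return $true }
    return $false
}

# 1) Negotiate is expected to fail for an AD LDS principal on a standalone instance; Basic should succeed.
$n = Connect-Ldap -Credential $Cred -AuthType Negotiate; if ($n) { $n.Dispose() }
$b = Connect-Ldap -Credential $Cred -AuthType Basic;     if ($b) { $b.Dispose() }
# 2) Which attributes are usable as the MobiControl user Identifier (uid will show 0 if it is empty).
Get-PopulatedIdAttributes | Format-Table -AutoSize
# 3) Simulate an enrollment login with the chosen identifier (assumed user 'jdoe').
Test-EnrollmentLogin -IdAttribute 'cn' -Login 'jdoe' -Password (Read-Host -AsSecureString -Prompt 'Password for jdoe')
```

Run it from an elevated or ordinary PowerShell session on a host that can reach the instance; step 2 tells you which attribute to put in the Identifier field, and step 3 fails in the same place the enrollment prompt would (lookup matched nothing, or the user's own simple bind was rejected), which narrows the "Wrong username or password" message down to one of the two.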