LDAP/AD Ignition gateway

My controls network is isolated on a separate network and I am using Univention (UCS) for my AD server. All of the Windows and Linux computers have joined the domain without issue, but I have been trying for the last 2 months to use the AD server as a user source and have yet to accomplish this. My log just states: java.lang.Exception:Failed connecting to LDAP server.
Does anyone have any ideas about what I am doing wrong? I have to get this working before I enable a one-way trust with the main company DC.

Can you post the User Sources/AD settings on your Ignition Gateway? We may be able to point out the issue that way.


I figured it out.
For anyone else that is trying to use a Linux AD server (i.e. Univention, Zentyal), you have to use the prefix and suffix.
prefix “uid=”
suffix “,cn=xxx,dc=xxx,dc=xxx”
All of this time it was the comma in front of the cn that tripped me up.

Now that I am able to log in using AD, no users show up when I select Manage Users. The log says error 32, no such object. Here is what I get with an s4 search on the server.

This is for anyone else trying to accomplish this. I was fully able to get this working by disabling “ldap server require strong auth” in Samba 4, thus not requiring SSL, which is not a problem on my isolated VLAN.

  1. Ensure the user has read auth in Samba, or use an admin account for browsing
  2. Disable “ldap server require strong auth” to allow simple auth on port 389
  3. User listing base according to DN (CN=xxx,DC=yyy,DC=zzzz)
  4. Samba 4, or Samba 4 with LDAP bridge, can use the default user list search filter and user name attribute
  5. User name prefix in Samba: “cn=”
  6. User name suffix in Samba: “,cn=user,dc=yyy,dc=zzz”

With this I was able to test with Zentyal, Univention and straight Samba 4, including the TurnKey DC LXC.
Any questions about DN: just use an LDAP browser, i.e. Apache Directory Studio, to find the Distinguished Name needed.
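An added, offline illustration (not Ignition, Samba or UCS code) of the two settings the thread turns on: it assembles the bind DN from the user name prefix, the username and the suffix the way the posts describe, rejecting the missing-comma mistake from the earlier reply, and it checks whether a user-listing base DN actually sits above the entries a directory search returned, which is what an error 32 (no such object) on the user listing usually indicates. All DNs in it are constructed samples.

```python
# Added example, not Ignition/Samba/UCS code. Mirrors how
# "user name prefix" + username + "user name suffix" form a bind DN
# and checks a user-listing base DN against constructed search results.

def _split_dn(dn):
    """Split a DN into lower-cased (attr, value) pairs, honouring
    backslash escapes. Raises if an RDN has no unescaped '=' or more
    than one (the usual sign of a missing ',' separator)."""
    rdns, cur, eqs, esc = [], [], [], False
    for ch in dn:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ",":
            rdns.append(("".join(cur), eqs)); cur, eqs = [], []
        else:
            if ch == "=":
                eqs.append(len(cur))   # position of an unescaped '='
            cur.append(ch)
    rdns.append(("".join(cur), eqs))
    pairs = []
    for rdn, eq in rdns:
        if len(eq) != 1:
            raise ValueError(f"bad RDN {rdn!r} in {dn!r}: expected one '='")
        attr, value = rdn[:eq[0]].strip(), rdn[eq[0] + 1:].strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in RDN {rdn!r}")
        pairs.append((attr.lower(), value.lower()))
    return pairs

def build_bind_dn(prefix, username, suffix):
    """Assemble prefix + username + suffix and validate it, so a suffix
    without its leading comma fails here instead of at the server."""
    dn = f"{prefix}{username}{suffix}"
    _split_dn(dn)
    return dn

def base_covers(base_dn, entry_dns):
    """True if base_dn is an ancestor of (or equal to) at least one
    entry; a base covering none is what yields result code 32."""
    base = _split_dn(base_dn)
    return any(_split_dn(e)[-len(base):] == base for e in entry_dns)

# Constructed sample of what a search against the DC might return.
SAMPLE_ENTRIES = [
    "CN=alice,CN=Users,DC=plant,DC=example",
    "CN=bob,CN=Users,DC=plant,DC=example",
]

if __name__ == "__main__":
    print(build_bind_dn("uid=", "alice", ",cn=users,dc=plant,dc=example"))
    print(base_covers("cn=users,dc=plant,dc=example", SAMPLE_ENTRIES))   # True
    print(base_covers("ou=people,dc=plant,dc=example", SAMPLE_ENTRIES))  # False
```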