[DOCS-8791] LDAP settings for Active Directory do not work
Created: 08/Sep/16  Updated: 30/Oct/23  Resolved: 17/Mar/23

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Task
Priority: Major - P3
Reporter: Joshua Maag
Assignee: Ravind Kumar (Inactive)
Resolution: Won't Do
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 46 weeks, 6 days ago
Story Points: 2

 Description   

The settings for Configuring LDAP Options with ActiveDirectory would never work in the current version of ActiveDirectory. See: https://docs.mongodb.com/manual/tutorial/configure-ldap-sasl-activedirectory/

The /etc/saslauthd.conf says use the following settings:

ldap_servers: <ldap uri>
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind

MD5 does not work in ActiveDirectory by default. In order to make this work, a user would literally have to go through each user in ActiveDirectory, select a checkbox to enable MD5 and then reset the user's password.

Currently, we use the following configuration, which may not be ideal, but allows users to connect LDAP to ActiveDirectory:

ldap_servers: <ldap uri>
ldap_use_sasl: no
ldap_match: DIGEST-MD5
ldap_auth_method: bind

ldap_search_base: <DC=example,DC=domain,DC=com>
ldap_bind_dn: <CN=Test User,CN=Users,DC=example,DC=domain,DC=com>
ldap_password: <password>

We do need to do some further research here to provide a better configuration, but as of now, this configuration works better than the current suggestion.
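
A small lint for the two saslauthd.conf variants quoted in the description above, as an added example that is not part of the ticket or of MongoDB's documentation. The server URI `ldap://ad.example.com`, the password value and the finding names are assumptions made for illustration; the checks cover the mechanism the reporter says fails, and the fact that a simple bind over `ldap://` without StartTLS sends passwords unencrypted.

```python
# Added example (not from the ticket): lint an LDAP-backed saslauthd.conf.
YES = ("yes", "1", "true", "on")
def parse_conf(text):
    """Parse 'key: value' lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def lint(text):
    """Return {finding: explanation} for the settings this ticket discusses."""
    conf = parse_conf(text)
    use_sasl = conf.get("ldap_use_sasl", "no").lower() in YES
    start_tls = conf.get("ldap_start_tls", "no").lower() in YES
    servers = conf.get("ldap_servers", "").lower().split()
    findings = {}
    if use_sasl and conf.get("ldap_mech", "").upper() == "DIGEST-MD5":
        findings["digest-md5"] = ("the reporter states Active Directory "
                                  "does not accept DIGEST-MD5 by default")
    if (not use_sasl and not start_tls
            and any(s.startswith("ldap://") for s in servers)):
        findings["cleartext-bind"] = ("simple bind over ldap:// without "
                                      "StartTLS sends passwords unencrypted")
    if "ldap_password" in conf or "ldap_bind_pw" in conf:
        findings["stored-secret"] = ("bind password is stored in the file; "
                                     "restrict read access to it")
    return findings

# Constructed samples of the two variants; ad.example.com is a placeholder.
DOCS_VARIANT = """
ldap_servers: ldap://ad.example.com
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
"""
REPORTER_VARIANT = """
ldap_servers: ldap://ad.example.com
ldap_use_sasl: no
ldap_match: DIGEST-MD5
ldap_auth_method: bind
ldap_search_base: DC=example,DC=domain,DC=com
ldap_bind_dn: CN=Test User,CN=Users,DC=example,DC=domain,DC=com
ldap_password: placeholder-not-a-real-secret
"""
print({"docs": sorted(lint(DOCS_VARIANT)), "reporter": sorted(lint(REPORTER_VARIANT))})
```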



 Comments   
Comment by Sarah Olson [ 17/Mar/23 ]

Closing this out on the grounds that:

  • Details of this request are significantly outdated. 
  • Our documentation has evolved substantially since this request was made. 

Based on this, closing as WON'T DO. Please don't hesitate to give me a shout or to reopen if you disagree.

Comment by Ravind Kumar (Inactive) [ 12/Jun/18 ]

cc spencer.jackson davi.ottenheimer can either of you good folks comment on this? Ticket's been stuck in backlog for a while, but I'd like to resolve.

From the AD docs, DIGEST-MD5 is supported, but if it's not a standard default, I can adjust the docs.
