4 Replies Latest reply on Jul 18, 2012 2:12 PM by Chip Sturdevant

    AD-user synchronization using an LDAP Connection

    R V

      Hi all,


      we want to set up our environment so user data is automatically synchronized with AD via the LDAP mechanism. We have an "LDAP Connection" object and two "LDAP Query" objects, and we have an automation principal. When we try to add a new "Group Mapping" we get an error:


      javax.naming.InvalidNameException: Invalid name: user007


      Now I found in some Communities thread regarding some LDAP topic that one has to use the form


      cn=user007, cn=Users


      Doing this, the error message is different:


      Could not authenticate as cn=user007, cn=Users


      Now I'm not sure about this syntax: it seems to bring us a bit further, but I could not find any hint in the BL docs about using this.


      Does anybody have any advice for us on how we could proceed? And what is the "real" right syntax for the "Principal ID" field?


      Thanks and regards,


        • 1. AD-user synchronization using an LDAP Connection
          Joshua Skirde

          Hi Reinhard,


          Which version of BBSA are you doing this in? It looks to be 8.2, is that correct?

          Where are you seeing "Principal ID"?


          Can you provide screenshots of your user query and group query, and I'll have a look?

          Kind regards,


          • 2. AD-user synchronization using an LDAP Connection
            R V

            Hi Joshua,


            Just back from vacation, I'm answering your message "a bit late".


            So, yes, we are on 8.2. As I'm currently not onsite, I will ask the customer to send some screenshots. The "Principal ID" is a field in the "add group mapping" dialog, if I remember right. Will clarify that tomorrow.


            Thanks so far,



            • 3. AD-user synchronization using an LDAP Connection

              Principal ID is the distinguished name of the user which you are wishing to use for your automation principal user, the one that should have read perms to all AD groups you want to sync.


              ...or so I believe
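As an added illustration of the point above (this code is not from the thread or from BBSA): a small checker that tells the three forms seen in this thread apart. A bare account name is not a distinguished name at all, which is what the `javax.naming.InvalidNameException` reports; a relative DN like `cn=user007, cn=Users` parses but carries no naming context, so a bind with it is unlikely to succeed. The `dc=` components and the sample values are assumptions; multi-valued RDNs (`+`) are not handled.

```python
import re

# Each RDN must have the form attr=value (RFC 4514); leading/trailing blanks are tolerated.
RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")

def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def parse_dn(dn):
    """Return [(attr, value), ...] or raise ValueError for a string that is not a DN."""
    rdns = []
    for part in split_rdns(dn):
        m = RDN_RE.match(part)
        if not m:
            raise ValueError("Invalid name: %s" % dn)
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns

def check_principal_id(dn):
    """Classify a candidate Principal ID as 'invalid', 'relative' or 'full'."""
    try:
        rdns = parse_dn(dn)
    except ValueError:
        return "invalid"
    # Assumption: a usable AD bind DN ends in the domain's dc=... naming context.
    has_base = any(attr == "dc" for attr, _ in rdns)
    return "full" if has_base else "relative"

if __name__ == "__main__":
    # Constructed sample values mirroring the attempts described in the thread.
    for candidate in ("user007", "cn=user007, cn=Users",
                      "cn=user007,cn=Users,dc=example,dc=com"):
        print("%-40s -> %s" % (candidate, check_principal_id(candidate)))
```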

              • 4. AD-user synchronization using an LDAP Connection

                Were you able to get this to work, and did you use ssl authentication?

                I'm doing a new POC on 8.2.01 running on OEL 5.7 VMs and I have set up domain authentication, my automation principal, imported the root CA cert to the LDAP connection and created the group and user queries. When I pull the query on 389, I get 0 results, but my DN is in the form cn=name, ou=group, so I'll try the other syntax.


                My bigger issue is that we have to use SSL in production, and when I change it to use LDAPS on port 636 or 3269, the query errors out and tells me that the StartTLS protocol is not supported and that LDAP v3 is not supported on my domain controller. However, it is supported and works fine when I use the LdapAdmin tool from http://www.ldapadmin.org using LDAP v3, and my query returns the right users.


                I think the issue may be in the fact that we require multiple certs for the domain authentication (we needed all 6 for our bbna implementation).

                Does anyone know if there is a way to attach multiple certs to the LDAP connection?