Are there any limitations on using Active Directory as the LDAP server when configuring LDAP authentication?

Document ID : KB000054150
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

CA Business Intelligence provides both Active Directory authentication and LDAP authentication separately. This document explains the limitations of using Active Directory as a LDAP server instead of using Active Directory authentication.

Solution:

The following limitations apply, if LDAP is configured against Active Directory:

  1. You will be able to map your users, however, you will not be able to configure either single sign-on or single sign-on to the database.

  2. Users who are only members of a default groups from AD will not be able to log in successfully. Users must also be a member of another explicitly created group in AD and, in addition, this group must be mapped. An example of such a group is the "domain users" group.

  3. If a mapped domain local group contains a user from a different domain in the forest, the user from a different domain in the forest will not be able to log in successfully.

  4. Users from universal group from a domain different than the DC specified as the LDAP host will not be able to log in successfully.

It is recommended that Active Directory authentication be used separately to configuring AD with LDAP authentication.