Windows Authentication Scheme User DN Lookup Formats

Document ID : KB000010245
Last Modified Date : 14/02/2018
Introduction:

User DN Lookup Formats for Windows Authentication Schemes

Environment:
All supported releases
Instructions:

The User DN Lookup field for a Windows Authentication scheme for Active Directory or LDAP namespaces must contain a string in one of the following formats:

AD/LDAP Lookup

In this format the User DN Lookup string is a fully qualified Distinguished Name template into which the user name and domain are substituted. Consider a user named John Smith with the following attributes in Active Directory:

cn: jsmith
distinguishedName: CN=jsmith,CN=Users,DC=MYCOMPANY,DC=com
sAMAccountName: jsmith

The user credentials passed by the web browser carry the user name in the format:

MYCOMPANY\jsmith

To map this user name to an LDAP lookup, configure the Windows Authentication scheme with the following User DN Filter:

CN=%{UID},CN=Users,DC=%{DOMAIN},DC=com

The authentication scheme substitutes %{UID} with the user part of the credential (jsmith) and %{DOMAIN} with the domain part (MYCOMPANY), so the processed lookup for this user is CN=jsmith,CN=Users,DC=MYCOMPANY,DC=com, which matches the distinguishedName attribute shown above.

AD/LDAP Search

In this scenario the SiteMinder domain has additional user directories associated with it. One is the Active Directory associated with the Primary Domain Controller; the additional user directories can be either LDAP or AD user directories. This may occur when one realm uses Basic authentication and another uses Windows Authentication. Consider the same user as in the previous use case:

cn: jsmith
distinguishedName: CN=jsmith,CN=Users,DC=MYCOMPANY,DC=com
sAMAccountName: jsmith

In addition, another user with the same name exists in the secondary user directory with the following attributes:

cn: jsmith
distinguishedName: CN=jsmith,CN=Users,DC=NOTMYCOMPANY,DC=com
sAMAccountName: jsmith

In this case the User DN Filter for the Windows Authentication scheme can be an LDAP search filter rather than a DN, for example:

(sAMAccountName=%{UID})

SiteMinder authenticates against the first DN that satisfies the search filter, evaluated according to the directory search order. The domain name value from the credential is ignored in this format, so when two directories both contain a jsmith, the directory search order alone decides which entry MYCOMPANY\jsmith is authenticated against.

In addition to these formats, the User DN Lookup can consist of any combination of the UID and DOMAIN variables with no surrounding attribute names. When this format is used, CA SiteMinder® builds the search filter by enclosing the substituted value in the User DN Lookup Start and User DN Lookup End values defined in the user directory object associated with the Active Directory. For example:

%{UID}

%{UID}@%{DOMAIN}
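The substitution described across the three formats above, as an added Python model that is not CA SiteMinder's own code: it splits the DOMAIN\user credential, fills %{UID} and %{DOMAIN} into a DN template, a search filter, or a bare-variable string wrapped in User DN Lookup Start/End, and escapes LDAP special characters in the substituted values. The Start/End sample values, the use of a leading "(" to tell a filter from a DN, and the escaping are assumptions of the example, not behaviour documented on this page.

```python
import re

# Added example (not CA SiteMinder code): models how a Windows Authentication
# credential "DOMAIN\user" is substituted into a User DN Lookup string in each
# of the three formats the article describes. The escaping of LDAP special
# characters and the Start/End wrapping are assumptions of this model.

_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_DN_SPECIAL = ',+"\\<>;='


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value placed inside a DN component."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def split_windows_credential(credential):
    """'MYCOMPANY\\jsmith' -> ('MYCOMPANY', 'jsmith'); no backslash -> ('', name)."""
    domain, sep, uid = credential.rpartition("\\")
    return (domain, uid) if sep else ("", credential)


def build_lookup(template, credential, lookup_start="", lookup_end=""):
    """Return the processed lookup string for one User DN Lookup template."""
    domain, uid = split_windows_credential(credential)
    # Format 3: only %{UID}/%{DOMAIN} (plus separators such as '@'); wrap the
    # value in the user directory's User DN Lookup Start/End strings.
    if "=" not in re.sub(r"%\{(UID|DOMAIN)\}", "", template):
        template = lookup_start + template + lookup_end
    # Format 2 (search filter) vs. format 1 (fully qualified DN) picks the escaper.
    # A filter that never references %{DOMAIN} ignores the credential's domain.
    if template.lstrip().startswith("("):
        esc = escape_filter_value
    else:
        esc = escape_dn_value
    return template.replace("%{UID}", esc(uid)).replace("%{DOMAIN}", esc(domain))
```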