Hi all,
Trying to set up AD LDAP Connector for a customer of ours, who is using Auth0.
Our AD is multi-tenant, so we have a large hierarchy of OUs. When I set the LDAP Base in the configuration to the OU of the customer and do a test using troubleshooting.cmd, it fails. See the log:
Troubleshooting AD LDAP connector
Reading CA certificates from Windows Store
Adding 40 certificates
20:33:57 - info: No proxy server configured.
20:33:57 - info: * Testing connectivity to Auth0...
20:33:57 - info: > Test endpoint: https://xxxxxxxxx.eu.auth0.com/test
20:33:57 - info: √ Connection to test endpoint succeeded.
20:33:57 - info: * Testing hub connectivity (WS).
20:33:57 - info: √ Connection to hub succeeded.
20:33:57 - info: * Testing clock skew...
20:33:57 - info: √ Everything OK. No clock skew detected.
20:33:57 - info: * Testing certificates...
20:33:57 - info: > Local thumbprint: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
20:33:57 - info: > Server thumbprint: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
20:33:57 - info: √ Local and server certificates match.
20:33:57 - info: * Running NLTEST...
20:33:57 - info: > DC: \\adcxxx.aaaaa.com
20:33:57 - info: > Address: \\x.x.x.x
20:33:57 - info: > Dom Guid: xxxx-xxxx-xxxx-xxxx
20:33:57 - info: > Dom Name: xxxxx.com
20:33:57 - info: > Forest Name: xxxxx.com
20:33:57 - info: > Dc Site Name: xxxxx
20:33:57 - info: > Our Site Name: xxxxx
20:33:57 - info: > Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10
20:33:57 - info: > The command completed successfully
20:33:57 - info: * Testing LDAP connectivity.
20:33:57 - info: > LDAP BASE: OU=User Structure,OU=xxxxxx,OU=yyyyyy,OU=zzzzzz,DC=aaaaaa,DC=com
20:33:57 - error: × Connection to LDAP failed.
20:33:57 - error: > Error: 0000208D: NameErr: DSID-031529DD, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=yyyyyy,OU=zzzzzz,DC=aaaaa,DC=com'
20:33:57 - info: Done!
It seems like Auth0 doesn’t like a very deep LDAP base DN path. The error message lists a ‘best match’, which is part of my LDAP Base DN.
When I change the configuration to that ‘best match’ LDAP Base DN, I’m getting a different error:
20:32:16 - error: > Error: Unable to find users. Verify the permissions for the current user.
But that isn’t correct: the search user has enough rights, as by default each user in AD has read rights on the whole AD.
If I set the LDAP Base DN to DC=aaaaa,DC=com, then I don’t get an error message, but I also can’t find the users that need to be able to authenticate using Auth0, as I’m not in the correct OU:
21:01:47 - info: * Testing LDAP connectivity.
21:01:47 - info: > LDAP BASE: DC=aaaaa,DC=com
21:01:47 - info: > Found user: krbtgt
21:01:47 - info: > Found user: Guest
21:01:47 - info: > Found user: Administrator
21:01:47 - info: > Found user: xxxxxx
21:01:47 - info: > Found user: xxxxxx
21:01:47 - info: √ Connection to LDAP succeeded.
21:01:47 - info: Done!
Any ideas on how to solve this?
Thanks,
Koenraad
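The 0000208D / NO_OBJECT error in the first log carries a "best match of" DN, which is the deepest ancestor of the configured base DN that the directory could actually resolve; everything to the left of it in the configured DN is what the server could not find. The script below is an added diagnostic example, not part of the original post and not Auth0's or the connector's own code. It parses the configured base DN and the error line, reports which RDN component is missing, and builds the chain of ancestor DNs that can be probed one by one with a base-scope search to confirm where the path breaks. The sample values are constructed from the redacted log above, with the domain component written consistently as DC=aaaaa,DC=com (the post shows two spellings, which is a redaction artifact). The `probe_chain` helper assumes the `ldap3` package and an already-bound `ldap3.Connection`; it is optional and the rest of the script runs without it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample values, taken from the redacted troubleshooting log above.
CONFIGURED_BASE = "OU=User Structure,OU=xxxxxx,OU=yyyyyy,OU=zzzzzz,DC=aaaaa,DC=com"
ERROR_LINE = ("0000208D: NameErr: DSID-031529DD, problem 2001 (NO_OBJECT), data 0, "
              "best match of: 'OU=yyyyyy,OU=zzzzzz,DC=aaaaa,DC=com'")


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings on unescaped commas (RFC 4514 backslash escaping)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escaped char (e.g. "\,") inside the RDN
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize(rdn: str) -> str:
    """AD matches attribute types and these naming values case-insensitively."""
    attr, _, val = rdn.partition("=")
    return f"{attr.strip().lower()}={val.strip().lower()}"


def parse_best_match(error: str) -> Optional[str]:
    """Extract the quoted DN after 'best match of:' from an AD NameErr line, if present."""
    m = re.search(r"best match of:\s*'([^']*)'", error)
    return m.group(1) if m else None


def missing_rdns(configured: str, best_match: str) -> List[str]:
    """RDNs of the configured base DN that lie below the server's best match.

    Compared from the domain end inward; the returned list is in DN order, so its
    last element is the component directly beneath the best match (the first one
    the directory could not resolve)."""
    conf, best = split_dn(configured), split_dn(best_match)
    common = 0
    for c, b in zip(reversed(conf), reversed(best)):
        if normalize(c) != normalize(b):
            break
        common += 1
    return conf[:len(conf) - common]


def ancestor_chain(dn: str) -> List[str]:
    """Ancestor DNs from the domain naming context down to the full DN.

    Each entry can be checked with a base-scope search for (objectClass=*);
    the first one that returns noSuchObject is where the path breaks."""
    rdns = split_dn(dn)
    first_dc = next((i for i, r in enumerate(rdns) if r.lower().startswith("dc=")),
                    len(rdns) - 1)
    chain = [",".join(rdns[first_dc:])]
    for i in range(first_dc - 1, -1, -1):
        chain.append(",".join(rdns[i:]))
    return chain


def diagnose(configured: str, error: str) -> Dict[str, object]:
    """Summarise a NO_OBJECT error against the configured base DN."""
    best = parse_best_match(error)
    if best is None:
        return {"best_match": None, "missing": [], "missing_component": None}
    missing = missing_rdns(configured, best)
    return {"best_match": best, "missing": missing,
            "missing_component": missing[-1] if missing else None}


def probe_chain(conn, dn: str) -> Optional[str]:
    """Probe each ancestor DN with a base-scope search; return the first one not found.

    Assumption: `conn` is a bound ldap3.Connection (ldap3 is imported lazily so the
    offline parts of this script do not require it)."""
    from ldap3 import BASE
    for candidate in ancestor_chain(dn):
        found = conn.search(candidate, "(objectClass=*)", search_scope=BASE,
                            attributes=["distinguishedName"])
        if not found:
            return candidate
    return None


if __name__ == "__main__":
    result = diagnose(CONFIGURED_BASE, ERROR_LINE)
    print("best match      :", result["best_match"])
    print("missing RDNs    :", result["missing"])
    print("first not found :", result["missing_component"])
    for candidate in ancestor_chain(CONFIGURED_BASE):
        print("probe with scope BASE:", candidate)
```

For the constructed sample the script reports `OU=xxxxxx` as the first component the directory could not resolve beneath `OU=yyyyyy,OU=zzzzzz,DC=aaaaa,DC=com`, which narrows the question to whether that RDN is spelled exactly as it appears in AD (an OU named with a trailing space, a different container type such as CN= instead of OU=, or a typo all produce this same NO_OBJECT error with a shorter best match). The probe chain makes the same check against the live directory without relying on the connector's own error text.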