SPS LDAP authentication Error

Hello,

I'm trying to add the Active Directory login option plugin.

I have followed the admin guide for the task as below:

1- Create LDAP Server

2- Added DC hostname and port

3- In AD settings: I can't tell the difference for the basic configuration

I need to select a group for authentication

4- In Distinguished Names (DNs):

I have added the defined OU DN for both (User Base DN, Group Base DN)

5- Bind DN: added the user DN for binding and the secret password

Please verify this configuration and let me know which settings to change for a successful login.

  • Hi,

    If you go to User & Access Control > Login Options > Manager AD\LDAP Servers, select the three dots and then click Test, does this work OK?

    If that fails, then the configuration is likely not correct.

    Check that you are using the correct port, for example 389 (or, if using 636, then encryption can be set to TLS).

    You can try to use the root of the domain as the User Base DN and the Group Base DN. For example, if your domain is domain.lab, then use: DC=domain,DC=lab

    For the bind DN, I was able to use the UPN username@domain.lab and add the password in Secret, then save. You also need to commit before you can Test.

    If that succeeds, you should get a message with a green check mark saying LDAP Server is available.

    Reference from Admin guide:

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.0.2%20lts/administration-guide/35#TOPIC-1950750

    Thanks!

  • Dear Tawfiq,

    Which choice in AD settings should I select?

    Enable checking for group DNs in user objects

    (OR)

    Enable AD group membership check

    (OR)

    Enable Checking Groups

  • Hi Memad,

    As per the guide:

    --------------
    - Configure AD settings.

    To also check group membership based on group Distinguished Names (DNs) in a user attribute, select Enable checking for group DNs in user objects and enter the name of the user attribute, for example, memberOf in the User attribute of group DNs field.

    CAUTION:
    If you have too many groups, using this option significantly slows down logging in to the SPS web interface.

    Use this option only if you have an LDAP schema where the user groups can only be determined from a user attribute that contains the group DNs.

    To enable nested groups, select Enable AD group membership check, then Enable nested groups.


    CAUTION:
    Nested groups can slow down the query and cause the connection to timeout if the LDAP tree is very large. In this case, disable the Enable nested groups option.

    To check for group membership based on user DNs in group attributes, use the Check the user DN in these groups option.
    -------------

    You can try the default, which is Enable AD group membership check, and see if that works; otherwise, also Enable nested groups and test further.

    Thanks!
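The guide excerpt above describes two directions for the group membership check (group DNs stored on the user, or user DNs stored on the group), and both answers stress the choice of User Base DN and Group Base DN. The following is an added offline model of those lookup steps, not code from the thread or from SPS; the directory entries, names and domain `domain.lab` are constructed, and it uses no real LDAP client.

```python
"""Offline model of the SPS LDAP lookup steps discussed in the thread."""

# Constructed sample AD entries: one user and the group it belongs to.
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=domain,DC=lab": {
        "userPrincipalName": "alice@domain.lab",
        "memberOf": ["CN=SPS-Admins,OU=Groups,DC=domain,DC=lab"],
    },
    "CN=SPS-Admins,OU=Groups,DC=domain,DC=lab": {
        "member": ["CN=Alice,OU=Staff,DC=domain,DC=lab"],
    },
}


def _rdns(dn):
    # DN components compare case-insensitively in AD.
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(dn, base_dn):
    """True if dn lies at or below base_dn (a subtree-scoped search)."""
    d, b = _rdns(dn), _rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def find_user(upn, user_base_dn, directory=DIRECTORY):
    """Locate the user by UPN, but only underneath the configured User Base DN."""
    for dn, attrs in directory.items():
        if attrs.get("userPrincipalName", "").lower() == upn.lower() and in_scope(dn, user_base_dn):
            return dn
    return None  # user exists but is outside the base DN, or does not exist at all


def groups_via_user_attr(user_dn, group_base_dn, attr="memberOf", directory=DIRECTORY):
    """'Enable checking for group DNs in user objects': read group DNs from a user attribute."""
    return [g for g in directory.get(user_dn, {}).get(attr, []) if in_scope(g, group_base_dn)]


def groups_via_group_attr(user_dn, group_base_dn, directory=DIRECTORY):
    """'Check the user DN in these groups': look for the user DN in each group's member attribute."""
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, group_base_dn)
            and _rdns(user_dn) in (_rdns(m) for m in attrs.get("member", []))]


if __name__ == "__main__":
    # Too-narrow User Base DN: the user exists but is out of scope, so the lookup fails.
    print(find_user("alice@domain.lab", "OU=Admins,DC=domain,DC=lab"))
    # Domain root as base DN: the user is found and both membership checks agree.
    dn = find_user("alice@domain.lab", "DC=domain,DC=lab")
    print(groups_via_user_attr(dn, "DC=domain,DC=lab"))
    print(groups_via_group_attr(dn, "DC=domain,DC=lab"))
```

The first lookup returns None because the user sits in OU=Staff, not under the narrower base DN, which is the kind of mismatch that surfaces as a failed user authentication even when the bind test succeeds.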

  • Thank you for your reply Tawfiq,

    but I have applied the above configuration:

    • tested the configuration and connected successfully
    • enabled AD group membership check
    • added the full root in User Base DN and Group Base DN
    • tried as well with the defined OU DN in User Base DN and Group Base DN

    Still got the error: Unable to authenticate the user with the given credentials

    I'm trying to log in with user@domain.com / password
