Network Management

Going to ask what might be considered a silly question...

Why does the AD LDAP userPassword attribute not appear in the list of LDAP Sync attributes? What am i supposed to map the sync'd password field to in order to use the AD User Password with UAM?

Hi,

Some LDAP servers store the user password in the password field (I know, that sounds obvious :) ), so external authorized users (admin/service accounts) could read the password and sync it for example.

The Microsoft AD (MS LDAP server), stores the password with a 1way algoritm, so a password can be validated, but not reverse de-crypted. Due to this (good) decision, any external system can sync all the ldap objects and their attributes, but not the password.

So IMC UAM can sync the new/existing users and their attributes, but not the password. This is why the AD LDAP sync does not allow the ldap password sync.

For IMC UAM to authenticate users with their password, the IMC UAM server must be joined to the domain, (see domain controller assisted PEAP auth), so it can validate the user pass at the moment the user actually logs in.

Best regards,Peter.

Thanks Peter, very helpful. I'll move onto to the domain assisted section and keep reading. 

Hi,

Did you get this resolved? We have v7.2 and I have the same issue. It says :

Failure Reason: Incorrect Password.

It syncs no problem with AD.

Did you set up the virtual computer?

The user synch with AD, which uses a credential configured in the LDAP server setup, gets user information from the domain controller and set up user accounts. 

But as Peter describes above the user credentials do not come across from the domain controller.

The virtual computer is used by UAM to proxy the authentication request to the domain controller when a user logs in. You have to add the virtual computer to the domain so it is trusted for this purpose.