LDAP Authentication with Active Directory

Minimum version required

The options described in this document require EZproxy 3.2a GA (2005-03-28) or later.

Configuring EZproxy for use with Active Directory

EZproxy has a built-in tool for developing your LDAP configuration. To access this tool, start with EZproxy Administration for information on how to login as an administrator. Once you are at the EZproxy administration page, select "Test LDAP" then use the following procedure to determine the needed configuration.

1. In the Host field, enter the name of your Active Directory server. If you have a forest with multiple domains, enter the name of one of the domain controllers that holds the user information against which you want to authenticate.

   Do not place ldap:// or ldaps:// in front of the host.

   If your server is on a non-standard port, add a colon (:) and the port number at the end of the name.

   Check "Disable Referral Chasing."

   Click "find search base".

2. At the bottom of the page, you should see at least one search domain. You may see choices that start DC=ForestDnsZones or DC=DomainDnsZones, either of which should normally be ignored. Click on the most appropriate search domain, which should move it up into the "Search Base" box.

3. In the majority of Active Directory installations, anonymous search is disabled. For production use, you will need to create an account and assign it to EZproxy to use for searching the directory. The account does not require special privileges, but only the ability to search the directory and read attributes you want to test.

   For initial testing, you can use your own Active Directory account. If you know your accounts complete, distinguished name (e.g., cn=someuser,cn=Users,dc=yourlib,dc=org), you can use this format. If you do not know the complete form, you can look up your account in Active Directory Users and Computers. Right click your account and select properties. Click on the Account tab. For the Bind User, enter the username that appears under the "User logon name" , followed by @ and the domain name that appears to its right (e.g., someuser@somedomain.edu). For the Bind Password, enter your password.

   Leave the Search Filter as "(objectClass=person)".

   In the Search Attribute box, the most common choice for Active Directory is sAMAccountName.

   In Test User, enter just the user part of your account (e.g., someuser).

   Click Search.

4. If you get an Invalid Credentials error, then the Bind User or Bind Password is likely incorrect. Verify these values and try to search again.
5. If you get an Operations Error, check to see if "Disable Referral Chasing" is checked. If it is not checked, check it and try to search again.
6. If you receive no errors, but the search returns no results, you may have the Test User or Search Attribute wrong. Try clearing the Test User box and search again. If the search still returns no results, you check the Filter. If these check out, try clicking "find search base" to see if you have any other search bases to try.
7. If your search is successful, you should see extended detail from your account. If this is the case, try entering your password in the Test Password box and try to search again. The DN section of the search results should indicate that the password is correct. At this point, if you scroll to the bottom of the page, you will find a sample of the entry you should use in user.txt/ezproxy.usr.
8. For production use, you should create an Active Directory account for EZproxy to use for searching and substitute this account in your configuration.

Once you have the basic entry working, refer to LDAP Authentication for information on additional tests based on group membership and attributes assigned to accounts.