EZproxy has a built-in tool for developing your LDAP with Active Directory configuration. To access this tool, start with EZproxy Administration for information on how to log in as an administrator. Once you are at the EZproxy administration page, select Test LDAP, then use the following procedure to determine the needed configuration.
In the Host field, enter the name of your Active Directory server. If you have a forest with multiple domains, enter the name of one of the domain controllers that holds the user information against which you want to authenticate.
- Do not place ldap:// or ldaps:// in front of the host.
- If your server is on a non-standard port, add a colon (:) and the port number at the end of the name.
- If a default secure port is being used, check the SSL box.
Select Disable referral chasing, and click find search base. This allows you to confirm that EZproxy is connecting to the LDAP server. If it is unable to connect, check the following:
- Is the information entered above correct?
- Is there a firewall issue between the EZproxy server and the LDAP server? Try connecting to the LDAP server on that port.
- If the LDAP server is in a different network, is it set up to be reachable from the EZproxy network? Try an nslookup for the LDAP server from the EZproxy server or network.
- Does the LDAP server need to whitelist the EZproxy server to allow connections?
- When the search base has been found, at the bottom of the page, you should see at least one search domain. You may see choices that start with DC=ForestDnsZones or DC=DomainDnsZones, either of which should normally be ignored. Click on the most appropriate search domain, which should move it up into the Search Base box.
In the majority of Active Directory installations, anonymous search is disabled. For production use, you will need to create an account and assign it to EZproxy to use for searching the directory. The account does not require special privileges, but only the ability to search the directory and read attributes you want to test.
- For initial testing, you can use your own Active Directory account. If you know your account's complete distinguished name (e.g., cn=someuser,cn=Users,dc=yourlib,dc=org), you can use this format. If you do not know the complete form, you can look up your account in Active Directory Users and Computers. Right click your account and select Properties. Click on the Account tab. For the Bind User, enter the username that appears under "User logon name," followed by @ and the domain name that appears to its right (e.g., firstname.lastname@example.org).
- For the Bind Password, enter your password. If you do not know your password and you are using EZproxy V6.1 or later, you can retrieve the obscured password from your user.txt and enter it here. Look for the following line in user.txt:
BindPassword -Obscure MeLWS4Pw9Tz7D2Y954HOloi8er
and copy and paste the obscured password following -Obscure into the Bind Password field on the Test LDAP page.
- Leave the Search Filter as "(objectClass=person)".
- In the Search Attribute box, the most common choice for Active Directory is sAMAccountName.
- In Test User, enter just the user part of your account (e.g., someuser).
- If you get an Invalid Credentials error, then the Bind User or Bind Password is likely incorrect. Verify these values and try to search again.
- If you get an Operations Error, check to see if Disable Referral Chasing is selected. If it is not selected, select it and search again.
- If you receive no errors, but the search returns no results, you may have the Test User or Search Attribute wrong. Try clearing the Test User box and search again. If the search still returns no results, check the Search Filter. If these check out, try clicking find search base to see if you have any other search bases to try.
- If your search is successful, you should see extended detail from your account. If this is the case, try entering your password in the Test Password box and try to search again. The DN section of the search results should indicate that the password is correct. At this point, if you scroll to the bottom of the page, you will find a sample of the entry you should copy and paste in user.txt.
Note: For production use, you should create an Active Directory account for EZproxy to use for searching and substitute this account in your configuration.
Once you have the basic entry working, refer to LDAP Authentication for information on additional tests based on group membership and attributes assigned to accounts.
This page last revised: September 23, 2015.