0

I'm testing Azure AD and Azure AD DS and I have some issues to bind to Azure DS using LDAP. I used the default AD tenant in my subscription, so i get a domain foo.onmicrosoft.com. Then I create a ADDS synchronized with this directory.

From a Linux VM, I tried to bind to the AD using ldapsearch and I got "invalid credentials" with the following command

ldapsearch -h <ip> -p 389 -b "dc=foo,dc=onmicrosoft,dc=com" -s sub "(objectclass=)" -D user@foo.onmicrosoft.com*

Then I follow the tutorial to activate LDAPS with an autosigned certificate. With the following ldapsearch command, I got the error "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

ldapsearch -H ldaps://foo.onmicrosoft.com -b "dc=foo,dc=onmicrosoft,dc=com" -D user@foo.onmicrosoft.com

Am I using the good base DN ? And the good bind user syntax ? It doesn't work either when using cn=user,dc=foo,dc=onmicrosoft,dc=com

Is LDAPS mandatory ? Should I use the AD DS IP addresses (10.x.x.x) or the Secure LDAP external IP addresses (20.x.x.x) ?

Thanks

rubymiaou
  • 1

1 Answers1

1

From a Linux VM, I tried to bind to the AD using ldapsearch and I got "invalid credentials" with the following command

Most likely the account you tested with does not have the correct password hash synced from AAD to AAD DS yet: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#enable-user-accounts-for-azure-ad-ds

To confirm, can you install a jump server and try to use the credentials to join the VM to the AAD DS domain? https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm

If the account/password fails here too, then reset the user password on AAD and try again after 20 minutes.

Then I follow the tutorial to activate LDAPS with an autosigned certificate. With the following ldapsearch command, I got the error "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

Do you have the NSG ports open for LDAP? is there actual connectivity between your test server and the LDAP endpoints? TCP port 636 from the internet is what you need to enable.

Is LDAPS mandatory?

No, but it's highly recommended to have it in place.

Should I use the AD DS IP addresses (10.x.x.x) or the Secure LDAP external IP addresses (20.x.x.x)?

That's totally up to you, but usually, if you're only using internal communication, then go with the internal IP addresses. use LDAPS if you have clients connecting over the internet.

Some more guidance here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps#configure-dns-zone-for-external-access

Noor Khaldi
  • 3,829
  • 3
  • 18
  • 28
  • Thanks for your answer. I installed a Windows VM to test joining the domain. It didn't work but I manage to make it work by setting the DNS of the VM to the ADDS IP and reseting the password's account. Then it's working also for my ldapsearch commands. Thanks for your help! – rubymiaou Oct 07 '21 at 08:29