Server 2003 - LDAP Query to Firewall Box for Web Filtering

Posted on 2009-04-20
Last Modified: 2013-12-24
If you view the file attached you'll get a better view of what I'm trying to do.

Anyway, I have a new firewall box that I can enter LDAP settings into for authenticating AD users when they browse the net. I need some basic questions answered, or if you can point me in the right direction, as at the moment it's not working!

Use these examples as a guide:

Domain = abc.local
Users are in an OU - Terminal Users which is under the OU - ABC Ltd which is under the domain of Kaipara.local (AD tree)
All users are members of domain users

I have entered in the following: (look at the LDAP.jpg for a guide here)

IP Address :
Port : 389
Admin Username:  CN=Administrator,CN=Users,DC=abc,DC=local
Password: Password
Password: Password
Root DN: CN=Domain Users,CN=Users,DC=abc,DC=local
Search Query: (&(objectClass=user)(cn=%s))
Group Attribute: memberOf

Please help!
Question by:msha094
    LVL 4

    Expert Comment

    If you're talking to a DC the port is different (or is that GCs only?). Try port 3268.

    Author Comment

    It is a single server so I'll try 3268. Does the rest look right?
    LVL 57

    Expert Comment

    by:Mike Kline
    What are you trying to search for in your query?
    I'm not following the %s there
    also you will want to replace objectclass=user with (objectcategory=person)(objectclass=user)

    Author Comment

    According to the firewall box - this is what they state for the search query field:

    %s is used as a placeholder for username.

    I'm assuming the firewall needs to query AD for the group membership from the username passed in order to apply firewall rules.

    The (&(objectClass=user)(cn=%s)) was already entered in by default. I haven't changed anything there.

    Author Comment

    Would (&(objectcategory=person)(objectclass=user)(cn=%s)) return the username of a user?

    I think that's what I need?

    Author Comment

    The firewall box states that the "Search Query" needs to return a given user.

    The firewall box states the "Group Attribute" is the name of the attribute of a user record that defines what groups that user belongs to.
    LVL 70

    Accepted Solution


    Group Attribute is correct (memberOf).

    For your filter, it depends what %s is on the Firewall. If it's the user's logon name, e.g. cdent for Chris Dent, then your filter would be:


    CN on the other hand is the name as you see it for the account in AD Users and Computers. In my case that's much more likely to be "Chris Dent". I'd say that's the most likely area that will need changing.

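The following is an added example, not code from the thread, the firewall vendor or Experts Exchange. It reproduces the two pieces the accepted answer touches on: building the "Search Query" by substituting the username for %s, and reading group membership out of the memberOf attribute of the entry that comes back. It assumes, as the answer suggests, that %s carries the logon name and therefore matches sAMAccountName rather than cn; the sample user entry is constructed, not captured from the asker's domain. Two points a practitioner would want that the thread does not spell out: the substituted value is escaped per RFC 4515 so a username containing filter metacharacters cannot alter the filter, and memberOf lists only direct memberships, so the primary group (Domain Users by default) will not appear there.

```python
"""Build the firewall-style LDAP user lookup filter and extract group
membership from the returned entry.  Added example with constructed data;
no LDAP connection is made, so it runs offline."""

# RFC 4515 escaping for values substituted into a search filter.  The firewall
# drops the logon name into %s; escaping keeps a name containing ( ) * \ or NUL
# from changing the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Replace %s in the firewall's Search Query template with the escaped username."""
    return template.replace("%s", escape_filter_value(username))


# Filter shape discussed in the thread: objectCategory=person narrows the hit
# to real user objects (computer accounts also carry objectClass=user).
# Assumption: %s is the logon name, so the naming attribute is sAMAccountName.
LOGON_NAME_TEMPLATE = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"

# Constructed sample entry, shaped like what AD would return for a user in
# OU=Terminal Users,OU=ABC Ltd,DC=abc,DC=local.  The group names are made up.
SAMPLE_ENTRY = {
    "dn": "CN=Chris Dent,OU=Terminal Users,OU=ABC Ltd,DC=abc,DC=local",
    "sAMAccountName": "cdent",
    "cn": "Chris Dent",
    "memberOf": [
        "CN=Internet Users,OU=ABC Ltd,DC=abc,DC=local",
        "CN=Remote Desktop Users,CN=Builtin,DC=abc,DC=local",
    ],
}


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return [tuple(p.split("=", 1)) for p in parts]


def group_names(entry: dict) -> set:
    """Return the CN of every group listed in memberOf.

    memberOf holds direct memberships only: the user's primary group
    (Domain Users by default) and groups reached through nesting are absent,
    so a firewall rule keyed on "Domain Users" will not match via this attribute.
    """
    names = set()
    for dn in entry.get("memberOf", []):
        attr, value = parse_dn(dn)[0]
        if attr.lower() == "cn":
            names.add(value)
    return names


def is_member(entry: dict, group_cn: str) -> bool:
    """Case-insensitive check of direct group membership from memberOf."""
    return group_cn.lower() in {n.lower() for n in group_names(entry)}


if __name__ == "__main__":
    print(build_user_filter(LOGON_NAME_TEMPLATE, "cdent"))
    print(build_user_filter(LOGON_NAME_TEMPLATE, "c*nt(test)"))
    print(sorted(group_names(SAMPLE_ENTRY)))
    print(is_member(SAMPLE_ENTRY, "Domain Users"))   # False: primary group not in memberOf
```

To check the box's own filter, run the same `build_user_filter` over the default template `(&(objectClass=user)(cn=%s))` with a logon name such as `cdent`: the result matches only an account whose cn is literally `cdent`, which is the mismatch the accepted answer points at.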

    Author Closing Comment

    Thanks very much - worked like a charm!
