Server 2003 - LDAP Query to Firewall Box for Web Filtering

Posted on 2009-04-20
Medium Priority
Last Modified: 2013-12-24
If you view the file attached you'll get a better view of what im trying to do.

Anyways i have a new firewall box that i can enter in LDAP settings for authenticating AD users when they browse the net.  I need some basic questions answered or if you can point me in the right direction as at the moment its not working!

Use these examples as a guide:

Domain = abc.local
Users are in an OU - Terminal Users which is under the OU - ABC Ltd which is under the domain of Kaipara.local (AD tree)
All users are members of domain users

I have entered in the following: (look at the LDAP.jpg for a guide here)

IP Address :
Port : 389
Admin Username:  CN=Administrator,CN=Users,DC=abc,DC=local
Password: Password
Password: Password
Root DN: CN=Domain Users,CN=Users,DC=abc,DC=local
Search Query: (&(objectClass=user)(cn=%s))
Group Attribute: memberOf

Please help!
Question by:msha094

Expert Comment

ID: 24191224
If your talking to a DC the port is different(or is GC's only?). Try port 3268

Author Comment

ID: 24191365
It is a single server so ill try 3268.  Does the rest look right?
LVL 57

Expert Comment

by:Mike Kline
ID: 24191497
What are you trying to search for in your query?
I'm not following the %s there
also you will want to replace objectclass=user with (objectcategory=person)(objectclass=user)
Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.


Author Comment

ID: 24191590
According to the firewall box - this is what they state for the search query field:

%s is used as a placeholder for username.

Im assuming the firewall needs to query AD for the group membership from the username passed in order to apply firewall rules.

The (&(objectClass=user)(cn=%s)) was by default already entered in.  I havent changed anything there.

Author Comment

ID: 24191785
Would (&(objectcategory=person)(objectclass=user)(cn=%s)) return the username of a user?

I think thats what i need?

Author Comment

ID: 24191862
The firewall box states that the "Search Query" needs to return a given user.

The firewall box states the "Group Attribute" is the name of the attribute of a user record that defines what groups that user belongs to.
LVL 71

Accepted Solution

Chris Dent earned 2000 total points
ID: 24192689

Group Attribute is correct (memberOf).

For your filter, it depends what %s is on the Firewall. If it's the users logon name, e.g. cdent for Chris Dent then your filter would be:


CN on the other hand is the name as you see it for the account in AD Users and Computers. In my case that's much more likely to be "Chris Dent". I'd say that's the most likely area that will need changing.


Author Closing Comment

ID: 31572584
Thanks very much - worked like a charm!

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question