Score:0

LDAP bind to Azure Domain Services

I'm testing Azure AD and Azure AD DS and I have some issues binding to Azure AD DS using LDAP. I used the default AD tenant in my subscription, so I get a domain foo.onmicrosoft.com. Then I created an AD DS instance synchronized with this directory.

From a Linux VM, I tried to bind to the AD using ldapsearch and I got "invalid credentials" with the following command:

ldapsearch -h <ip> -p 389 -b "dc=foo,dc=onmicrosoft,dc=com" -s sub "(objectclass=*)" -D [email protected]

Then I followed the tutorial to activate LDAPS with a self-signed certificate. With the following ldapsearch command, I got the error "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)":

ldapsearch -H ldaps://foo.onmicrosoft.com -b "dc=foo,dc=onmicrosoft,dc=com" -D [email protected]

Am I using the correct base DN? And the correct bind user syntax? It doesn't work either when using cn=user,dc=foo,dc=onmicrosoft,dc=com

Is LDAPS mandatory? Should I use the AD DS IP addresses (10.x.x.x) or the Secure LDAP external IP addresses (20.x.x.x)?

Thanks

Score:1

From a Linux VM, I tried to bind to the AD using ldapsearch and I got "invalid credentials" with the following command

Most likely the account you tested with does not have the correct password hash synced from AAD to AAD DS yet: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#enable-user-accounts-for-azure-ad-ds

To confirm, can you install a jump server and try to use the credentials to join the VM to the AAD DS domain? https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm

If the account/password fails here too, then reset the user password on AAD and try again after 20 minutes.

Then I followed the tutorial to activate LDAPS with a self-signed certificate. With the following ldapsearch command, I got the error "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

Do you have the NSG ports open for LDAP? Is there actual connectivity between your test server and the LDAP endpoints? TCP port 636 from the internet is what you need to enable.

Is LDAPS mandatory?

No, but it's highly recommended to have it in place.

Should I use the AD DS IP addresses (10.x.x.x) or the Secure LDAP external IP addresses (20.x.x.x)?

That's totally up to you, but usually, if you're only using internal communication, then go with the internal IP addresses. Use LDAPS if you have clients connecting over the internet.

Some more guidance here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps#configure-dns-zone-for-external-access

Thanks for your answer. I installed a Windows VM to test joining the domain. It didn't work, but I managed to make it work by setting the DNS of the VM to the AD DS IP and resetting the account's password. Then it also worked for my ldapsearch commands. Thanks for your help!