When the LDAP PHP module passes the credentials from the AD Connector system parameters to the LDAP server, the connection is unsuccessful.  Several observations are made in the connection binding failure, including a possible reversal of the credentials.  One might see in the network trace:

 Name: (value of “ldap_connect_param_set_AD_bind_search_password”) 
 UserName: (value of “ldap_connect_param_set_AD_bind_search_dn”) 

 

CA SAM 4.x, Active Directory with additional security requirements.

Depending on system requirements, if the AD has security in place, SSL (ldaps) and TLS configurations are mutually exclusive LDAP configurations and are separate functionalities.  This article assumes you have SSL (ldaps) in place.

* If there is a load balancer in play, try using a specific LDAP Server instead of a load balancer

* Under the Admin -> Configuration -> Browse Configuration:

- ldap_connect_param_set_XXXX_hostname should have a value set to "ldaps://LDAPSERVER" or "ldaps://LDAPSERVER.domain.com"

- ldap_connect_param_set_XXXX_port should be set to 636

- ldap_connect_param_set_XXXX_tls should be set to 0 intead of 1

- ldap_connect_param_set_XXXX_search_dn should be set to use the full CN path.  "cn=USERID,ou=XXXX,ou=XXXX,dc=XXXX,dc=domain,dc=com" (no quotes)

If any of the above changes are made in the CA SAM Configuration, we recommend recycling IIS.

* The certificate setting for "ldap.conf" needs to be specified under system environment variable LDAPPRC.  The full path (without quotes) is usually "X:\Program Files (x86)\ca\sam\env\LDAP\ldap.conf".  If LDAPPRC environment variable is changed, one should recycle the whole server.

* The certificate that is in play should optimally be in a pfx or cer format.

* The content of ldap.conf should read as

TLS_CACERT X:\Program Files (x86)\ca\sam\env\LDAP\CA.cer 

* Alternatively, one can also modify the ldap.conf file to contain this line only:

TLS_REQCERT never 

If the ldap.conf file is modified, one will need to recycle IIS.