
LDAP-based admins are unable to authenticate using sAMAccountName as primary email


Article ID: 163602


Products

Messaging Gateway

Issue/Introduction

Messaging Gateway can be configured to use LDAP-based administration groups (Administration->Policy Groups) that match members on the sAMAccountName and userPrincipalName attributes. With the default data source settings, accounts that do not have a proxyAddresses attribute are unable to authenticate to the Control Center administration interface. Changing the "Primary email address" attribute on the LDAP data source from proxyAddresses to sAMAccountName allows these accounts to log in, but the resulting session has default end-user rights rather than administrator rights.

Default configuration, which fails to authenticate admin accounts that have no proxyAddresses attribute:

LDAP Query: (|(sAMAccountName=%u)(userPrincipalName=%s))
Primary email address: proxyAddresses

Modified configuration, which authenticates those accounts but does not grant the expected access level:

LDAP Query: (|(sAMAccountName=%u)(userPrincipalName=%s))
Primary email address: sAMAccountName

Cause

LDAP-based admin accounts whose data source is Active Directory must have a valid email address in the proxyAddresses attribute. This requirement is not documented: the administrator policy group is matched on sAMAccountName or userPrincipalName, but the resulting session is mapped to its access level through the "Primary email address" attribute, so an account with no proxyAddresses value cannot be mapped to the admin group.

Resolution

This is a known issue and will be addressed in a future release.

Until then, every LDAP-based administration account must have a proxyAddresses attribute containing a valid email address. Keep "Primary email address" set to proxyAddresses; switching it to sAMAccountName only hides the login failure and leaves the account with end-user rights.
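The following PowerShell audit is an added example; it is not part of this article and not code shipped with Messaging Gateway. It lists the Active Directory users behind the group used for the admin policy group and flags those that have no SMTP address in proxyAddresses, which is the condition that causes the authentication failure above. The group name SMG-Admins, the use of the RSAT ActiveDirectory module, and the Exchange convention of an upper-case "SMTP:" prefix marking the primary address are assumptions.

```powershell
# Added audit script (not from the KB article). Assumes the RSAT ActiveDirectory
# module is installed and that the admin policy group in Messaging Gateway is
# mapped to the AD group named below (assumed name).
Import-Module ActiveDirectory

$AdminGroup = 'SMG-Admins'

Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties sAMAccountName, userPrincipalName, mail, proxyAddresses |
    ForEach-Object {
        # Collect every SMTP address; -match is case-insensitive, so this catches
        # both "smtp:" (secondary) and "SMTP:" (primary, Exchange convention).
        $smtp = @($_.proxyAddresses | Where-Object { $_ -match '^smtp:' })
        # -cmatch is case-sensitive: only the upper-case prefix is the primary.
        $primary = @($smtp | Where-Object { $_ -cmatch '^SMTP:' })

        [pscustomobject]@{
            sAMAccountName    = $_.sAMAccountName
            userPrincipalName = $_.userPrincipalName
            SmtpAddressCount  = $smtp.Count
            PrimarySMTP       = if ($primary.Count -gt 0) { $primary[0] -replace '^SMTP:', '' } else { $null }
            # An account with no SMTP address in proxyAddresses will fail the
            # Control Center admin login described in this article.
            AdminLoginOK      = ($smtp.Count -gt 0)
        }
    } |
    Sort-Object AdminLoginOK, sAMAccountName |
    Format-Table -AutoSize
```

Rows with AdminLoginOK set to False are the accounts to fix. To add a primary address to one of them (value and identity are placeholders), run: Set-ADUser -Identity jdoe -Add @{proxyAddresses='SMTP:jdoe@example.com'}. Rerun the audit afterwards and confirm the account can log in to the Control Center with the data source still set to proxyAddresses as the primary email address.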