Katello 3.5 - LDAP Authentication

These were exceptionally helpful replies.

Given some of the information above and some LDAP Foo from my AD Guys we managed to get this set up. Our AD Architecture ALWAYS causes issues for getting products AD Integrated (we separate users and groups into multiple top level OUs, meaning the only place you have to get ahold of all users/groups is to point the base DN at our base domain). We also apparently have weird information in the userPrincipalName which was causing issues as well.

Just to be more explicit, with my AD Infrastructure this is what worked for us:

IMPORTANT (Lessons Learned):

  • BaseDN needs to be somewhere where the users that will log in to the system can be obtained from. In my org we break groups into top level OUs. OU=Users,OU=Location1,DC=domain,DC=com; OU=Users,OU=Location2,DC=domain,DC=com; OU=Users,OU=Location3,DC=domain,DC=com; etc. Thus my Base DN needed to be DC=domain,DC=com because that’s the only location in the tree that can find all the users.
  • Groups base DN needs to be a location in the tree that has access to any groups you’re going to set up through Katello. In my org, we separated the Unix AD Stuff into its own top level OU. So OU=Unix,DC=domain,DC=com is the top level OU for all Unix based stuff in AD, and I have a “groups” OU under that for all groups pertaining to Unix stuff. Again, I have one group I use out of one Lower level OU and one group out of another lower level OU, so my Groups base DN points at a higher OU so it can see both lower level OUs.
  • The LDAP Filter is absolutely optional. If there’s a single group to allow access to Katello, it’s easier to just use the Groups base DN pointed all the way down to the group: CN=Katello_Access,OU=Groups,DC=domain,DC=com; however, if you have multiple groups to allow access you’ll need to set Groups base DN to an OU that includes all the groups and then use the LDAP Filter (below) to specify each group to validate against.
  • If you have multiple groups for access you can use a filter something like the following:
    (|(memberOf=CN=katello_dev_login,OU=Patch Management,OU=Unix Groups,OU=UNIX,DC=domain,DC=com)(memberOf=CN=Enterprise Unix Admins,OU=Unix Groups,OU=UNIX,DC=domain,DC=com))

My Final Config:

Host: < ldap server name >
LDAPS: Unchecked
Port: 389
Server Type: Active Directory

Account: < Account with Access to AD >
Password: < password to above >
Base DN: DC=domain,DC=com
Groups base DN: OU=Groups,OU=UNIX,DC=domain,DC=com
LDAP Filter: (|(memberOf=CN=katello_dev_login,OU=Groups,OU=UNIX,DC=domain,DC=com)(memberOf=CN=Enterprise Unix Admins,OU=Admin Groups,OU=UNIX,DC=domain,DC=com))
Onthefly register: Checked
Usergroup sync: Checked

Attr Login: userPrincipalName
Attr Firstname: givenName
Attr lastname: sn
Attr mail: mail
Photo attribute: < blank >

NOTE: MAKE SURE YOU CHECK WHAT IS IN userPrincipalName!!! In our case, because we were set up for Office 365, our UPN is an e-mail address "user@domain.com", not just “user”. This is what broke the previous attempts at setting this up on my end. Several times I had the authentication set up correctly, but was attempting to log in as a different account (our AD Login is “user”; the UPN, however, is "user@domain.com").

Thank you to everyone who responded to this, it helped a GREAT deal.
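An added example, not code from the original post or from Katello/Foreman: a small Python check that parses the memberOf filter from the config above and evaluates it against constructed AD-style entries, then applies the userPrincipalName lesson (the typed login must equal the Attr Login value, not the sAMAccountName). The entries, account names and `can_log_in` helper are constructed for illustration.

```python
"""Offline check of the Katello LDAP filter and login attribute from this post.
Parses an RFC 4515 filter (&, |, !, attr=value) and evaluates it against
dictionary entries of the shape {attribute: [values]}."""

# Filter exactly as in the final config above
LDAP_FILTER = ("(|(memberOf=CN=katello_dev_login,OU=Groups,OU=UNIX,DC=domain,DC=com)"
               "(memberOf=CN=Enterprise Unix Admins,OU=Admin Groups,OU=UNIX,DC=domain,DC=com))")


def parse_filter(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index).
    No wildcard or extensible-match support; only what the post's filter needs."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.strip(), value.strip()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter; AD matches DNs case-insensitively, so fold case."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)  # "!"


def can_log_in(login, entry, login_attr="userPrincipalName"):
    """True only if the typed login equals the configured Attr Login value AND the
    entry passes the group filter: the two things that broke the poster's attempts."""
    if login.lower() not in (v.lower() for v in entry.get(login_attr, [])):
        return False
    return matches(parse_filter(LDAP_FILTER)[0], entry)


# Constructed entries (not real accounts): one developer, one user outside both groups
DEV = {"sAMAccountName": ["jdoe"], "userPrincipalName": ["jdoe@domain.com"],
       "memberOf": ["CN=katello_dev_login,OU=Groups,OU=UNIX,DC=domain,DC=com"]}
OUTSIDER = {"sAMAccountName": ["bob"], "userPrincipalName": ["bob@domain.com"],
            "memberOf": ["CN=Other Team,OU=Groups,OU=UNIX,DC=domain,DC=com"]}
```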
