LDAP does not authenticate Widows AD users

juan.torres · December 21, 2018, 6:52pm

Problem:
LDAP Authentication does not work!

Expected outcome:
Windows AD users able to login

Foreman and Proxy versions:
1.17.1

Foreman and Proxy plugin versions:
n/a

Other relevant data:
Notes & Configuration:
-CentOS 7.5:
LDAP is configured at OS level
LDAP login as OS level works
-Foreman:
/etc/foreman/settings.yml or /etc/foreman-proxy/settings.yml
:ldap: true is configured
UI - Test Connection [ ok ]
Server Type: AD
- BaseDN [ ok ]
- Group baseDN [ ok ]
- LDAP filter [ ok ]
- Attrbutes mappings [ ok ]
- Add a user, Authorized by LDAP-Windows

logs - doesn't register an error

services - restarted
I have read the manual and configured as required.
I have research for some other solution or configuration.
Nothing makes Foreman LDAP to work with Windows AD
No Host Firewall, No Network firewall
No malware detector or antivirus
Missing ruby gems?

juan.torres · December 27, 2018, 6:16pm

tcpdump -i ens192 port 389 -vv
…
server01.eng.mydomain.dom.ldap > foreman.eng.mydomain.com.52496: Flags [R.], cksum 0x95d7 (correct), seq 1710, ack 212, win 0, length 0

THE LDAP HANDSHAKING COMPLETES WITH an [ R ], AT THE FIRST WINDOWS AD DS, NOW IS TRYING TO LDAP HANDSHAKING WITH THE SECOND WINDOWS AD DS

…
server02.eng.mydomain.dom.ldap > foreman.eng.mydomain.com.37960: Flags [R.], cksum 0x9d4c (correct), seq 1, ack 71, win 0, length 0

After trace down this TCP hand shake, I found in Windows AD DS and in the Foreman community that the [ Account ] tab > Account needs to add the sub-domain (i.e. ENG$login ),
then the LDAP start working!