1 Rookie

 • 

25 Posts

108

May 22nd, 2025 15:46

Setting up LDAP for OpenManage Enterprise 4.4

I've been going at this for a while and can't seem to find the right combination to get LDAP auth working for OpenManage 4.4. I'm able to successfully connect with a Bind DN/Password, but the issue is that the Bind DN is of type CN while user logins are UID. So if I enter CN for "Attribute of User Login" I can successfully test a connection. However, when I try to import groups, it doesn't find anything.

1 Rookie

 • 

25 Posts

June 13th, 2025 20:06

Finally got this sorted out. The issue is an undocumented requirement for the LDAP bind account. What's not called out is that for LDAP auth to work, the bind account MUST be of type objectClass:posixAccount. Once that was done, previous error messages were found to be incorrect, one of which mentions that the user account MUST be a member of a non-default group. That's not true, as it's now working and the BIND account was only a member of the users group.

1 Rookie

 • 

25 Posts

May 22nd, 2025 20:27

Additional info after looking at the LDAP logs: it seems that objectCategory=group HAS to be defined on the group object in LDAP, and it is not in our environment. Wondering if we can adjust it so that OpenManage doesn't require that specific objectCategory.

Moderator

 • 

4.6K Posts

May 22nd, 2025 20:45

Hello,

 

Did you go through the OpenManage Enterprise 4.4 User's Guide and check the Prerequisites and Steps?

Import Active Directory and LDAP groups, Prerequisites and Steps - page 55

Add or edit the Active Directory connection - page 58-59

Role and scope-based access - page 46

https://dl.dell.com/content/manual22819492-openmanage-enterprise-4-4-user-s-guide.pdf?language=en-us

 

1 Rookie

 • 

25 Posts

May 22nd, 2025 20:59

Yes I did, and it seems that OpenManage is adding irrelevant search filters upon LDAP query. From LDAP, this was the request coming in when trying to find a cn=infrastructure group. The issue is the "objectCategory" and "sAMAccountName" being added.

filter="(&(?objectCategory=group)(|(cn=infrastructure*)(?sAMAccountName=infrastructure*)))"

Is there a way to remove those two filters from the search that's being run? They result in an error on the LDAP end and therefore don't list the appropriate group.

1 Rookie

 • 

25 Posts

May 22nd, 2025 21:08

More critically, the question mark (?) in the filter is invalid. Need to have that removed.
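Added example, not part of the thread and not Dell's or OpenLDAP's code: a small parser and three-valued evaluator for the filter quoted above, showing why a group search built this way returns nothing on a directory that lacks the AD attributes. It assumes the leading "?" is slapd's log marker for an attribute type missing from the server schema and that such an assertion evaluates to Undefined as in RFC 4511; parse, undefined_attrs, evaluate, the NATIVE filter and the GROUP entry are hypothetical names and constructed sample data.

```python
import re

# Filter exactly as quoted from the OpenLDAP log in the thread.
LOGGED = "(&(?objectCategory=group)(|(cn=infrastructure*)(?sAMAccountName=infrastructure*)))"
# Constructed for comparison: a filter using only attributes the sample entry has.
NATIVE = "(&(objectClass=posixGroup)(cn=infrastructure*))"
# Constructed OpenLDAP-style group entry (attribute names lowercased).
GROUP = {"objectclass": ["posixGroup"], "cn": ["infrastructure"]}

def parse(s, i=0):
    """Parse a filter (subset of RFC 4515: & | ! and '=' items) into (tree, next_index)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if not kids or s[i:i + 1] != ")":
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    # Assumption: a leading '?' is slapd's log marker for an attribute type
    # that is not defined in the server's schema.
    return ("item", attr.lstrip("?"), value, attr.startswith("?")), end + 1

def undefined_attrs(node):
    """List the attributes the server marked as unknown, in filter order."""
    if node[0] == "item":
        return [node[1]] if node[3] else []
    return [a for kid in node[1] for a in undefined_attrs(kid)]

def evaluate(node, entry):
    """Three-valued match per RFC 4511 4.5.1.7: True, False or None (Undefined)."""
    if node[0] == "item":
        _, attr, value, undefined = node
        if undefined:
            return None
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(pattern, v, re.I) for v in entry.get(attr.lower(), []))
    results = [evaluate(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return None if results[0] is None else not results[0]
    decisive = node[0] == "|"  # one True settles an OR, one False settles an AND
    if decisive in results:
        return decisive
    return None if None in results else not decisive
```

For the logged filter, evaluate(parse(LOGGED)[0], GROUP) is None (Undefined), so the entry is not returned even though the cn term matches; the constructed NATIVE filter evaluates to True for the same entry.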

Moderator

 • 

5.2K Posts

May 23rd, 2025 06:32

Hello, we have tested LDAP, and it is working with "sAMAccountName".
 
If LDAP is done with "UserPrincipalName" we can reproduce the issue.
 
So I would like to ask you to use LDAP integration using "sAMAccountName".

 

Can you tell us if you are integrating with Microsoft LDAP or another vendor?

 

Respectfully,
               

1 Rookie

 • 

25 Posts

May 28th, 2025 23:18

@DELL-Young E

This is OpenLDAP, not Microsoft Active Directory. I specified LDAP, and the search filter seen on our OpenLDAP server indicates that it searches for sAMAccountName, which is unique to AD.

Moderator

 • 

5.2K Posts

May 29th, 2025 01:59

Hello, I was told that you would need to raise an official case so that tech support can collect the required logs and work on resolving the issue. You can visit https://www.dell.com/support/incidents-online/en-us/contactus/dynamic

 

Respectfully,

1 Rookie

 • 

25 Posts

May 29th, 2025 16:43

@DELL-Young E

Support is the worst. Every system when dealing with Dell is expecting an express code or service tag as if it's hardware.
