Active Directory authentication

Hi all,

Has anyone been able to use Active Directory for LDAP authentication?

I have been trying for a couple of days to make this thing work but I have been completely unable to make it work. I am not sure where to check logs to see if I am getting a “bad username/password” message or if I should be using a different encryption (tls vs starttls)…

Any pointers which could be provided would be greatly appreciated.

Thanks,

This worked for me, without TLS:

<ldap>
  <address>dc0.kastelo.net:389</address>
  <bindDN>%s@ad.kastelo.net</bindDN>
</ldap>

I then log in (at the Syncthing/browser prompt) as jb, given:

My test AD isn’t set up for LDAPS, but I assume that should work as well, in the worst case by ignoring the certificate if it’s not an official one…

Note that Syncthing’s LDAP support is rather rudimentary and won’t let you restrict logged in users to a certain group or so…

It also works over LDAPS, but only with insecureSkipVerify (certificate validation disabled), regardless of how great the certificate is. This is a bug, which I’ll fix…

<ldap>
    <address>dc0.ad.kastelo.net:636</address>
    <bindDN>%s@ad.kastelo.net</bindDN>
    <transport>tls</transport>
    <insecureSkipVerify>true</insecureSkipVerify>
</ldap>
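As an added example (not from this thread and not Syncthing's own code): a stdlib-only Python script that performs the same LDAPv3 simple bind Syncthing does with a bindDN template of `%s@ad.kastelo.net`, so you can see the raw result code and AD's diagnostic string instead of guessing from Syncthing's logs, and that shows exactly what insecureSkipVerify switches off on the TLS side. The host, port, user, password and UPN suffix are placeholders you supply; the sample BindResponse bytes used for checking the parser are constructed.

```python
import socket, ssl

def ber_len(n):
    # BER length: short form below 128, long form (0x80|k followed by k bytes) otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload
def read_tlv(buf, pos=0):
    # Returns (tag, value, position after the element); handles long-form lengths
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def bind_request(msg_id, name, password):
    # LDAPv3 simple BindRequest (RFC 4511): [APPLICATION 0] { version 3, name, simple [0] password }
    op = tlv(0x02, b"\x03") + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))
def parse_bind_result(msg):
    # (resultCode, diagnosticMessage) from a BindResponse; 0 = success, 49 = invalidCredentials
    _, body, _ = read_tlv(msg)
    _, _, pos = read_tlv(body)                     # messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)                    # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)                  # matchedDN
    _, diag, _ = read_tlv(op, pos)                 # AD puts "data 52e" here for a bad password
    return int.from_bytes(code, "big"), diag.decode(errors="replace")
def check_bind(host, port, user, password, upn_suffix, tls=True, verify=True):
    # Binds as user@upn_suffix, which is what Syncthing does with bindDN "%s@upn_suffix"
    sock = socket.create_connection((host, port), timeout=10)
    if tls:
        ctx = ssl.create_default_context()         # verifies chain and hostname by default
        if not verify:                              # the insecureSkipVerify equivalent
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, f"{user}@{upn_suffix}", password))
        buf = b""
        while len(buf) < 2 or len(buf) < read_tlv(buf)[2]:   # read one full LDAPMessage
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before answering the bind")
            buf += chunk
    return parse_bind_result(buf)
```

Run it as `check_bind("dc0.ad.kastelo.net", 636, "jb", "password", "ad.kastelo.net")`; if that raises an `ssl.SSLCertVerificationError`, the DC's certificate chain or name is the problem, not the credentials, and `verify=False` reproduces the insecureSkipVerify behaviour for comparison.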

Ok!!! Thank you so much because in the Bind part I was trying to limit it by pointing the Bind to a specific group… (as I have done in other applications) so that could be my issue. From the time I posted the OP I WAS able to finally see something LDAP related in the logs… and found I was pointing to the incorrect domain.

For anyone following me trying to do the same with a forest that has multiple domains, make sure you use the Global Catalog port if you have users from different domains within the same forest. (I think the GC port is 3628 for non-TLS and 3629 for TLS).

