LDAP Settings for AD Authentication

Use this troubleshooting topic to help you retrieve required information from the Windows Active Directory to use when setting up the LDAP settings for AD authentication.

Retrieving Distinguished Names from the Windows Active Directory

The Web HMI Application Assembler provides a template for defining the LDAP settings for DirectoryServices. This template uses a nonstandard organizational unit (OU) named WebHMI in the Windows Active Directory instead of the default Users container.
Before you can fill out this template, you must first look up certain values in the Active Directory and record them. This template requires these values from the Active Directory:
Active Directory value    Description

server
    The DNS host name of a domain controller (or its IP address). Use a name returned by the SRV lookup described under "Finding the name and IP address of the AD domain controller" below.

adminBindDN
    The distinguished name (DN) of the account the Web HMI binds as to run its Active Directory lookups. This account only needs permission to read the user objects under userBaseDN, which every domain user has by default, so use a dedicated account with no other privileges rather than an administrator. For example, for the Support account residing in the default Users container, the DN is:

    CN=Support,CN=Users,DC=Support,DC=webhmi,DC=com

userBaseDN
    The DN of the container or organizational unit under which the Web HMI searches for users. Accounts outside this subtree are never found, however valid their credentials. For example, for all users residing in the WebHMI OU, the DN is:

    OU=WebHMI,DC=support,DC=webhmi,DC=com

    The default Users container is a CN, not an OU, which is why the first component differs between the two examples. DN matching is case-insensitive, so DC=Support and DC=support name the same domain.

adminPassword
    Password for the adminBindDN account. Because the template holds this value, restrict read access to the file that contains it.

First enable Advanced Features under Active Directory Users and Computers > View. This adds the Attribute Editor tab to the Properties dialog of every object; the distinguishedName attribute on that tab is the value you need.

The following sample screens show how to retrieve the distinguished name for an adminBindDN setting: open the Properties of the Support administrative account, which resides in the default Users container, select the Attribute Editor tab, and copy the distinguishedName value.

The following sample screens show how to retrieve a distinguished name for the userBaseDN setting: open the Properties of the WebHMI organizational unit and copy its distinguishedName value from the Attribute Editor tab.
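The same values can be retrieved from a domain-joined machine with the ActiveDirectory PowerShell module (part of RSAT) instead of copying them out of the Attribute Editor. The script below is an added example and is not part of the original page or the Web HMI product; it assumes the bind account's sAMAccountName is Support and the user OU is named WebHMI, and it also runs two checks a practitioner would want before committing the values to the template: that both DNs sit in the same domain, and that the bind account is not a member of a highly privileged group.

```powershell
# Added example, not from the original page: retrieve adminBindDN and userBaseDN
# with the ActiveDirectory module and sanity-check them before filling in the
# template. Assumptions: bind account sAMAccountName "Support", OU name "WebHMI".
Import-Module ActiveDirectory

$bindAccount = 'Support'   # assumption: sAMAccountName of the adminBindDN account
$userOuName  = 'WebHMI'    # assumption: name of the OU that holds Web HMI users

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=support,DC=webhmi,DC=com

# adminBindDN is simply the distinguishedName attribute of the bind account.
$adminBindDN = (Get-ADUser -Identity $bindAccount).DistinguishedName

# userBaseDN is the distinguishedName of the OU. OU names are not unique in a
# domain, so refuse to guess if more than one OU carries this name.
$ous = @(Get-ADOrganizationalUnit -Filter "Name -eq '$userOuName'" -SearchBase $domainDN)
if ($ous.Count -ne 1) {
    throw "Expected exactly one OU named '$userOuName' under $domainDN, found $($ous.Count)"
}
$userBaseDN = $ous[0].DistinguishedName

# Both DNs must end in the same domain components. DN comparison is
# case-insensitive, so DC=Support and DC=support are the same domain.
foreach ($dn in $adminBindDN, $userBaseDN) {
    if (-not $dn.EndsWith($domainDN, [StringComparison]::OrdinalIgnoreCase)) {
        throw "$dn is not in domain $domainDN"
    }
}

# Least-privilege check: the bind account only needs read access to the
# userBaseDN subtree, which every domain user has by default. Warn if it is a
# direct member of a privileged group (nested membership is not expanded here).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$groups = Get-ADPrincipalGroupMembership -Identity $bindAccount | Select-Object -ExpandProperty Name
foreach ($g in $groups) {
    if ($privileged -contains $g) {
        Write-Warning "adminBindDN account '$bindAccount' is a member of '$g'; use a dedicated read-only account instead."
    }
}

# Print the two values in the form the template expects.
[pscustomobject]@{
    adminBindDN = $adminBindDN
    userBaseDN  = $userBaseDN
} | Format-List
```

Run the script as any domain user on a machine with RSAT installed; reading distinguishedName and group membership does not require administrative rights.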

Finding the name and IP address of the AD domain controller

Use nslookup, a network administration command-line tool, to retrieve the name and IP address of the AD domain controller on your network, and other information for diagnosing the Domain Name System (DNS) infrastructure.

  1. Select Start, and then Run.
  2. In the Open box, enter cmd, and press Enter.
  3. Enter nslookup, and press Enter.
  4. Enter set type=all, and press Enter. This makes nslookup return the SRV records together with the A records for the hosts they point to.
  5. Enter _ldap._tcp.dc._msdcs.Domain_Name, where Domain_Name is the fully qualified DNS name of your domain, and then press Enter. The answer lists one SRV record per domain controller (priority, weight, port 389 and svr hostname), followed by the A record with each host's IP address. Use one of these host names as the server value.
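The following script is an added example, not part of the original page or the Web HMI product. It performs the same SRV lookup from PowerShell, orders the domain controllers the way a client would (lowest priority first, then highest weight), and then does what the Web HMI will do at login: a bind as adminBindDN over LDAPS and a search rooted at userBaseDN. It assumes the domain is support.webhmi.com, that the domain controllers accept LDAPS on port 636, and that the two DNs are the ones from the template; the password is prompted for rather than written into the script.

```powershell
# Added example, not from the original page: discover domain controllers via the
# _ldap._tcp.dc._msdcs SRV record, then test an LDAPS bind and a user search
# with the template values. Assumptions: domain support.webhmi.com, LDAPS on 636.
$domainName  = 'support.webhmi.com'                                  # assumption
$adminBindDN = 'CN=Support,CN=Users,DC=support,DC=webhmi,DC=com'      # from the template
$userBaseDN  = 'OU=WebHMI,DC=support,DC=webhmi,DC=com'                # from the template

# 1. Which domain controllers offer LDAP? Lowest Priority first, then highest Weight.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
if (-not $srv) { throw "No SRV records for _ldap._tcp.dc._msdcs.$domainName; check the DNS suffix search list" }

$dcs = @(foreach ($r in $srv) {
    [pscustomobject]@{
        Host     = $r.NameTarget
        Port     = $r.Port
        Priority = $r.Priority
        Weight   = $r.Weight
        IP       = (Resolve-DnsName -Name $r.NameTarget -Type A).IPAddress -join ','
    }
})
$dcs | Format-Table -AutoSize
$server = $dcs[0].Host   # candidate for the template's "server" value

# 2. Bind over LDAPS (636) as adminBindDN. Certificate validation is left on:
#    if the bind fails with a trust error, install the issuing CA certificate on
#    the Web HMI host instead of disabling validation.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$password = Read-Host -Prompt "Password for $adminBindDN" -AsSecureString

$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with the full DN
$conn.Credential = New-Object System.Net.NetworkCredential($adminBindDN, $password)

try {
    $conn.Bind()
    Write-Host "Bind as $adminBindDN to ${server}:636 succeeded"
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # LDAP result 49 = invalidCredentials (wrong DN or password),
    # 81 = serverDown (port closed or no LDAPS certificate on the DC).
    throw "Bind failed: $($_.Exception.Message) (LDAP result $($_.Exception.ErrorCode))"
}

# 3. Can the bind account read user objects under userBaseDN? This is the
#    lookup the Web HMI performs when a user logs in.
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $userBaseDN, '(objectClass=user)',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('sAMAccountName'))
$resp = $conn.SendRequest($req)
Write-Host "$($resp.Entries.Count) user objects visible under $userBaseDN"
$conn.Dispose()
```

A bind that succeeds but returns zero entries usually means userBaseDN is wrong or points at an empty OU; a bind that fails with result 49 means the adminBindDN or adminPassword in the template is wrong, and result 81 means the port or LDAPS setup on the domain controller needs attention before the template values are the problem.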

Retrieving data about AD Users

To generate information about a specific AD user, use the Get-ADUser cmdlet from the ActiveDirectory PowerShell module, as shown in this example. The -Identity value may be a sAMAccountName, a DN, a GUID or a SID; it is quoted here because the account name starts with a hyphen, which PowerShell would otherwise read as a parameter name. Compare the DistinguishedName in the output with your userBaseDN: the user must reside below that DN to be found by the Web HMI.

C:\Users\Administrator.ANIMAL> get-aduser "-svc-TEST"
DistinguishedName : CN=Test User,OU=Test,OU=Groups,DC=Animal,DC=farm
Enabled           : True
GivenName         : Test
Name              : Test User
ObjectClass       : user
ObjectGUID        : 7b5bc454-5b2a-4317-8df0-bbdee05b5435
SamAccountName    : -svc-TEST
SID               : S-1-5-21-2742514831-3001338947-4026583061-1618
Surname           : User
UserPrincipalName : [email protected]
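A single Get-ADUser call shows where the account lives, but the usual reasons an AD user cannot log in to the Web HMI are not in the default property set. The script below is an added example, not part of the original page or the Web HMI product; it extends the lookup above with the lockout, expiry and location checks a troubleshooter would run, using the -svc-TEST account from the sample output. It assumes a userBaseDN of OU=WebHMI,DC=Animal,DC=farm in the sample's Animal.farm domain; with that value the sample account, which sits under OU=Test,OU=Groups, is reported as outside the search base.

```powershell
# Added example, not from the original page: explain why one AD account cannot
# log in to the Web HMI. Assumptions: the login name typed at the Web HMI is the
# sAMAccountName, and userBaseDN is OU=WebHMI,DC=Animal,DC=farm.
Import-Module ActiveDirectory

$userBaseDN = 'OU=WebHMI,DC=Animal,DC=farm'   # assumption: template value for this domain
$login      = '-svc-TEST'                     # sAMAccountName from the sample above

# Passing the name through a variable (or quoting it, as above) stops
# PowerShell from treating the leading '-' as a parameter name.
$props = 'LockedOut', 'PasswordExpired', 'PasswordLastSet', 'AccountExpirationDate', 'LastLogonDate'
$u = Get-ADUser -Identity $login -Properties $props

$problems = @()
if (-not $u.Enabled)    { $problems += 'account is disabled' }
if ($u.LockedOut)       { $problems += 'account is locked out' }
if ($u.PasswordExpired) { $problems += 'password has expired' }
if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
    $problems += "account expired on $($u.AccountExpirationDate)"
}
# The Web HMI only searches below userBaseDN; an account elsewhere in the
# domain is never found, however valid its password. DN comparison is
# case-insensitive.
if (-not $u.DistinguishedName.EndsWith($userBaseDN, [StringComparison]::OrdinalIgnoreCase)) {
    $problems += "object is at $($u.DistinguishedName), outside userBaseDN $userBaseDN"
}

[pscustomobject]@{
    SamAccountName    = $u.SamAccountName
    UserPrincipalName = $u.UserPrincipalName
    DistinguishedName = $u.DistinguishedName
    LastLogonDate     = $u.LastLogonDate
    PasswordLastSet   = $u.PasswordLastSet
    Problems          = $(if ($problems) { $problems -join '; ' } else { 'none found' })
} | Format-List

# For comparison, everything the Web HMI can see: all user objects under userBaseDN.
Get-ADUser -Filter * -SearchBase $userBaseDN -SearchScope Subtree |
    Select-Object SamAccountName, Enabled, DistinguishedName |
    Format-Table -AutoSize
```

If the account is outside userBaseDN, either move it into the WebHMI OU or widen userBaseDN to a parent container that holds both; widening it to the domain root works but lets every domain account attempt a Web HMI login, so prefer the narrower OU.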