Yubico Forum

I'm trying to set up YubiRADIUS with Active Directory 2012. I've created a dedicated account for the VA to use to bind to AD.




Here is the error:



Any clue what i am doing wrong here?

This seems very poorly documented in the YubiRADIUS literature. I'm running successfully against 2012 to authenticate Cisco AnyConnect VPN clients.

I spent a long time and went through quite a bit of swearing to get this to work. I was not (and still not) an AD/LDAP expert when I started this so if I point out some things that are obvious, my apologies. They were not obvious to me.

User DN is the Full Name of the user, not the login. That is, if I create an AD user with first name LDAP and last name Query and give it the login ldapq, then use "CN=LDAP Query" and not "CN=ldapq"

Also, the default filter is pretty poor. You'll probably want something more like:


This should limit the accounts brought over to those that belong to real people.

Lastly, LoginNameIdentifier should be sAMAccountName and not cn. Just like under User DN, cn will yield the full name as the login and not the login you're used to.

Hope this helps.

Thanks for replying! I always find that anything that uses canonical names and not just a plane old login are always a pain in the rear to get working. Using my example 'Yubi' is the login, and first name of the user I've created for ldap queries, there is no last name. --

I just logged into my YRVA to change the filter and ....
WHOA! All my AD users showed up What the EFF???





I seriously have no idea how or why it started working.

The only thing i can think of is I used an account that is in the Users OU, and the account name is a single word (where the username and the first name are the same, and there is no last name). I may have created the user on a different domain controller than the one i configured the VA to use to authenticate (i dont explicitly remember which one i used to create the account) and replication too a while, which could be why it 'just started working', perhaps.