LDAP bind to Azure Domain Services
I'm testing Azure AD and Azure AD DS and I have some issues binding to Azure AD DS using LDAP. I used the default AD tenant in my subscription, so I get a domain foo.onmicrosoft.com. Then I created an AD DS instance synchronized with this directory.
From a Linux VM, I tried to bind to the AD using ldapsearch and I got "invalid credentials" with the following command:
ldapsearch -x -W -h <ip> -p 389 -b "dc=foo,dc=onmicrosoft,dc=com" -s sub "(objectclass=*)" -D [email protected]
Then I followed the tutorial to activate LDAPS with a self-signed certificate. With the following ldapsearch command, I got the error "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)":
ldapsearch -x -W -H ldaps://foo.onmicrosoft.com -b "dc=foo,dc=onmicrosoft,dc=com" -D [email protected]
Am I using the right base DN? And the right bind user syntax? It doesn't work either when using cn=user,dc=foo,dc=onmicrosoft,dc=com
Is LDAPS mandatory? Should I use the AD DS IP addresses (10.x.x.x) or the Secure LDAP external IP addresses (20.x.x.x)?
Thanks
From a Linux VM, I tried to bind to the AD using ldapsearch and I got "invalid credentials" with the following command:
Most likely the account you tested with does not have the correct password hash synced from AAD to AAD DS yet: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#enable-user-accounts-for-azure-ad-ds
To confirm, can you install a jump server and try to use the credentials to join the VM to the AAD DS domain? https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm
If the account/password fails here too, then reset the user password on AAD and try again after 20 minutes.
Then I followed the tutorial to activate LDAPS with a self-signed certificate. With the following ldapsearch command, I got the error "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)":
Do you have the NSG ports open for LDAP? Is there actual connectivity between your test server and the LDAP endpoints? TCP port 636 from the internet is what you need to enable.
Is LDAPS mandatory?
No, but it's highly recommended to have it in place.
Should I use the AD DS IP addresses (10.x.x.x) or the Secure LDAP external IP addresses (20.x.x.x)?
That's totally up to you, but usually, if you're only using internal communication, then go with the internal IP addresses. Use LDAPS if you have clients connecting over the internet.
Some more guidance here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps#configure-dns-zone-for-external-access
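The checks the answer walks through (is TCP 389/636 actually reachable from the client, what certificate does the Secure LDAP endpoint present, and does a simple bind with a prompted password succeed against the right base DN) can be scripted so the failure mode is isolated one step at a time. The script below is an added example and not code from the thread or from Microsoft; the hostnames, IP addresses, account and certificate path in the `run` section are placeholder assumptions to be replaced with your own values.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before an LDAP(S) bind to an Azure AD DS
# managed domain. Placeholders (assumptions): foo.onmicrosoft.com, 10.0.0.4,
# 20.0.0.4, [email protected] and /etc/ssl/certs/aadds-ldaps.pem.
set -u

# Derive the default AD base DN from the DNS domain name:
#   foo.onmicrosoft.com -> dc=foo,dc=onmicrosoft,dc=com
domain_to_base_dn() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Return 0 if a TCP connection to $1:$2 succeeds within 3 seconds.
# A timeout here means an NSG, firewall or route problem, not an LDAP one.
tcp_reachable() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# Print subject, SANs and validity of the certificate served on $1:$2.
# The name in the ldaps:// URI must match the subject/SAN, so connecting
# by IP address will fail TLS verification even when the port is open.
show_ldaps_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates -ext subjectAltName
}

# Simple bind (-x) with the password prompted (-W) so it never lands in the
# shell history. A base-scope read of the domain root succeeds only if the
# bind did, which separates "bad credentials" from "can't reach the server".
# $1 URI, $2 bind identity (UPN or DN), $3 base DN, $4 optional CA file for a
# self-signed Secure LDAP certificate (LDAPTLS_CACERT is honoured by the
# OpenLDAP client library; prefer this over LDAPTLS_REQCERT=never).
ldap_bind_check() {
    if [ -n "${4:-}" ]; then
        LDAPTLS_CACERT="$4" ldapsearch -x -W -H "$1" -D "$2" -b "$3" \
            -s base '(objectclass=*)' dn
    else
        ldapsearch -x -W -H "$1" -D "$2" -b "$3" -s base '(objectclass=*)' dn
    fi
}

if [ "${1:-}" = "run" ]; then
    domain=foo.onmicrosoft.com
    base_dn=$(domain_to_base_dn "$domain")
    echo "base DN: $base_dn"

    # Inside the VNet: plain LDAP on the managed domain's internal address.
    if tcp_reachable 10.0.0.4 389; then
        ldap_bind_check ldap://10.0.0.4 "[email protected]" "$base_dn"
    else
        echo "10.0.0.4:389 unreachable: check NSG/route from this VM" >&2
    fi

    # From the internet: Secure LDAP on 636, reached by the DNS name that
    # points at the external IP (20.x.x.x) and matches the certificate.
    if tcp_reachable "$domain" 636; then
        show_ldaps_cert "$domain" 636
        ldap_bind_check "ldaps://$domain" "[email protected]" "$base_dn" \
            /etc/ssl/certs/aadds-ldaps.pem
    else
        echo "$domain:636 unreachable: open TCP 636 on the NSG" >&2
    fi
fi
```

Run it as `bash ldap-preflight.sh run` after editing the placeholders. If `tcp_reachable` fails you are looking at the "Can't contact LDAP server (-1)" case and the fix is network (NSG, DNS record for the external IP); if the connection succeeds but the bind returns "invalid credentials" the problem is the account or its password hash, which is where the password-reset-and-wait advice above applies.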