Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SBR] Sample LDAP Auth file: Example of a Flexible Bind for Active Directory



Article ID: KB11866 KB Last Updated: 04 Mar 2017Version: 4.0

Sample LDAP Auth file showing how to use Flex Bind against a Windows Active Directory LDAP server. This functionality is only available in the Global Enterprise Edition and Service Provider Editions.


Steel-Belted RADIUS is installed on Solaris or Linux and you wish to authenticate a user from a Windows Active Directory environment.



This functionality is only available in the Global Enterprise Edition and Service Provider Editions.

The concept here is to perform two searches, the first requires that we bind as a user with enough privileges to search the entire LDAP structure, and retrieve the DN of any particular object, in this case the DN of a user object that matches the username SBR received in the authentication request. ** Note that some LDAP servers may allow anonymous users to perform this function.

Once the first search has retrieved the 'Users' DN SBR will move onto the second search, if the first search should fail to find a match this authentication method will reject the user.
The second search takes the DN retrieved in search 1, and attempts to bind to the LDAP server using the password SBR received in the authentication request.
Should this search succeed the user is authenticated and SBR can, if configured, retrieve any attributes needed to complete authorization. Should this fail, the authentication method will reject the user.


LogLevel = 2
UpperCaseName = 0
PasswordFormat = 0
Search = DoLdapSearch
SSL = 0
;MaxScriptSteps = 10000
;ScriptTraceLevel = 0
;FilterSpecialCharacterHandling = 0
;ShutdownTimeout = 1

;Enable = 0
;AllowExpiredAccountsForUsers = 0
;ProfileForExpiredUsers = profile1
;AllowGraceLoginsForUsers = 1
;ProfileForGraceLoginUsers = profile2


Port = 389

;FullName=Remote User

%UserName = User-Name
;Service-Type =
;%NASName = nameofnas
;%NASAddress =

;Filter-Id =
;Session-Timeout =
;%FullName =
;%Password =

;Bind as a privileged user
Scope = 2
%DN = dn
;if the user is found perform search "AuthenticateUser"
onfound = AuthenticateUser
;else reject the user

; bind using the DN retrieved in doldapsearch
Bind = <dn>
;You do not have to supply the password SBR knows to use the one received in the auth request.
;Setting the base to the DN saves time by going straight to the point.
Base =<dn>
Scope = 2
Filter = sAMAccountName=<User-Name>
Attributes = AttrList
Timeout = 20


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search