LDAP Authentication - Distinguished Name (DN) Question


I am currently setting up a new CM1 installation. Right now I am looking at the LDAP authentication piece and ran into an issue with Distinguished Names (DN).

All users in our domain are located under the default Users container (CN=Users), so I created my CMSAdmin user that the ldapserver.xml file is referencing under this same container. The DN that was being referenced looked to be correct, however I search to import users, only a blank screen would show.

After playing around with this for a while I realized that it was failing when I had the user placed under CN=Users, the only way I could get it to work was to create a new Users container (OU=Users) and placed this CMSAdmin user under that container.

I would rather keep this user under the CN=Users container to keep my AD structure clean, so is there a way to get around this or am I stuck with this extra OU?


Hey Eric,

Just to clear a few things up, what was the initial full DN of the CMSAdmin user that didn’t work, and what was the full DN after modifying the LDAP structure to make it work? When you got this working, did you make changes to any of the other properties in your ldapserver.xml file too? Thanks!

Hi Nathaniel

Initial DN that failed: CN=CMSAdmin,CN=Users,DC=DOMAIN,DC=com
Second DN that works: CN=CMSAdmin,OU=Domain Users,DC=DOMAIN,DC=com

This was the only change I made, after restarting the server the LDAP connection was successful.

Hi Eric,

Hm. Your initial DN doesn’t appear to be valid, unless you have a user off of your LDAP root with two CNs, “CMSAdmin” and “Users”, in which case you would only want to specify one of this user’s CNs. Or, are you sure “CN=Users” in that string shouldn’t be “OU=Users”?

At any rate, your second DN is valid and appears to be a very typical user to specify for Percussion to connect to your LDAP server using.

I am positive that the CN=Users container is correct, I am getting the DN straight from the built in ADSI Edit utility in Server 2008. I will forward some screen shots to our account manager to pass along so you can see exactly what I’m looking at.

Hey Eric,

Sorry, I meant to follow up sooner. I looked into it, and I discovered soon after posting that nesting CNs within a CN is in fact valid in Active Directory. My apologies there. There may be an issue with how our software handles nested CNs, however. I’m going to look into this and let you know what I find. For now, you should be fine with housing your binding LDAP account within an OU as it currently is.

No worries, thanks for checking into this.

Hi Eric,

I just had a chance to setup an instance locally replicating the structure of your original configuration, and I actually had no issues (my user’s DN was CN=Ldap Admin,CN=Users,DC=ad08,DC=perc,DC=local). If this is still something you want to look into, I would recommend reverting to the original configuration, shutting down then starting Percussion back up, and then, once Percussion has loaded up fully, take a look in your server.log file located at {perc_root}\AppServer\server\rx\log and look for the latest iteration of this line:

INFO [com.percussion.share.dao.impl.PSServerConfigUpdater] Loading LDAP configuration…

Let me know if any errors appear below this line. If not, try running an empty search in the LDAP import users menu, and then (assuming nothing comes back again) check the last few lines of your server.log file to see if any LDAP related errors are being logged.