uOS 1.35 – Active Directory (AD) Server Enhancement: Bind DN Base Support

Zyxel_Lynn Posts: 71  Zyxel Employee
edited August 26 in Other Topics

When integrating a Zyxel firewall with an Active Directory (AD) server for external user authentication, two parameters tell the firewall where in the directory tree to look:

  • Search Base DN – the point in the directory from which the firewall starts searching for the user accounts being authenticated.
  • Bind DN Base – the container or organizational unit (OU) that holds the account the firewall itself binds (logs in) with before running those queries.

Previous Limitation

  • Before uOS 1.35, the firewall assumed that the administrator (bind) account was always located under the default “Users” container in AD.
  • If the administrator account was stored in a different organizational unit (OU) (e.g., IT Team, Sales, Marketing), authentication attempts would fail with errors such as “Invalid DN syntax”.
  • This prevented administrators from placing service accounts in dedicated OUs, which is a common best practice for AD management.

New Behavior in 1.35

  • A new configuration field, Bind DN Base, has been added.
  • Administrators can now explicitly specify the DN path of the AD folder where the bind (administrator) account resides.
  • This allows the firewall to properly locate administrator accounts in custom OUs.

Example Scenario

  1. Default Behavior (Before 1.35)
    • The bind account IT1 is stored in OU=IT Team,DC=zycamp,DC=com.
    • Without a Bind DN Base, the firewall assumes the account is under CN=Users,DC=zycamp,DC=com.
    • Result: the bind fails, so the firewall cannot run any authentication queries.
  2. Using Bind DN Base (1.35 and later)
    • Bind DN Base: OU=IT Team,DC=zycamp,DC=com
    • Bind account: IT1 with its password.
    • The firewall now binds successfully and can search for the users being authenticated.

Search Base vs. Bind DN Base

  • Bind DN Base – where the firewall finds the account it binds with for queries.
    • This account only needs permission to read the directory; it does not have to be a domain administrator. Because its password is stored on the firewall, a dedicated least-privilege service account in its own OU is the safer choice.
  • Search Base – where the firewall begins looking for the user accounts being authenticated.
    • Example: If Search Base = OU=Marketing,DC=zycamp,DC=com, only users under that OU can be found; a user in OU=IT Team will not match.
    • If left blank, the firewall searches the entire directory from the domain root.
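The following Python script is an added example, not Zyxel code, for checking these two settings offline before typing them into the firewall. It assumes (labelled in the code) that the firewall forms its bind DN as CN=<account>,<Bind DN Base>, that a blank Bind DN Base falls back to CN=Users under the domain root as the pre-1.35 behaviour did, and that a blank Search Base means the whole domain. It parses DNs per RFC 4514, rejects malformed ones with an "Invalid DN syntax" error before anything reaches the server, shows why the IT1 scenario above fails without a Bind DN Base, and tests whether a user DN falls inside a given Search Base. The account name IT1, the zycamp.com domain and the OUs are the page's own; the user CN=Alice is constructed for the example.

```python
"""Offline checks for a firewall's AD Bind DN Base and Search Base DN settings.
Added example, not Zyxel code.  Assumptions: the firewall binds as
CN=<account>,<Bind DN Base>; an empty Bind DN Base means CN=Users under the
domain root (pre-1.35 behaviour); an empty Search Base means the domain root.
"""
import re

DEFAULT_USERS_CONTAINER = "CN=Users"   # assumed pre-1.35 fallback location

# Characters RFC 4514 requires to be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')

# One RDN: attribute type, '=', a non-empty value with backslash escapes allowed.
_RDN_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)=((?:[^,\\]|\\.)+)$')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so an account name such as
    'Smith, John' cannot break out of its RDN (a DN-injection hazard when
    the name is user-supplied)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.
    An empty string parses to [] (meaning 'domain root' for a search base).
    Raises ValueError('Invalid DN syntax ...') for malformed input."""
    if dn.strip() == "":
        return []
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":            # unescaped comma separates RDNs
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if escaped:
        raise ValueError("Invalid DN syntax: trailing backslash")
    parts.append("".join(cur))
    rdns = []
    for p in parts:
        m = _RDN_RE.match(p.strip())
        if not m:
            raise ValueError(f"Invalid DN syntax: {p!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Case-insensitive DN comparison (AD attribute types and values are
    case-insensitive), ignoring spacing around commas."""
    norm = lambda dn: [(t, v.lower()) for t, v in parse_dn(dn)]
    return norm(a) == norm(b)


def build_bind_dn(account: str, domain_root: str, bind_dn_base: str = "") -> str:
    """The DN the firewall is assumed to bind with.  With no Bind DN Base the
    account is assumed to sit in CN=Users under the domain root."""
    base = bind_dn_base.strip() or f"{DEFAULT_USERS_CONTAINER},{domain_root}"
    parse_dn(base)                       # surface 'Invalid DN syntax' locally
    return f"CN={escape_rdn_value(account)},{base}"


def in_search_scope(user_dn: str, search_base: str) -> bool:
    """True if user_dn sits at or below search_base (LDAP subtree scope).
    An empty search base matches everything, i.e. the whole directory."""
    user = [(t, v.lower()) for t, v in parse_dn(user_dn)]
    base = [(t, v.lower()) for t, v in parse_dn(search_base)]
    if not base:
        return True
    return len(user) >= len(base) and user[-len(base):] == base


if __name__ == "__main__":
    domain = "DC=zycamp,DC=com"
    actual_it1 = "CN=IT1,OU=IT Team,DC=zycamp,DC=com"      # where IT1 really lives
    for label, base in (("pre-1.35 default", ""),
                        ("Bind DN Base set", "OU=IT Team,DC=zycamp,DC=com")):
        dn = build_bind_dn("IT1", domain, base)
        verdict = "bind target correct" if dn_equal(dn, actual_it1) else "account is not here"
        print(f"{label:17}: binds as {dn} -> {verdict}")
    alice = "CN=Alice,OU=Marketing,DC=zycamp,DC=com"        # constructed sample user
    print("Alice found under OU=Marketing search base:",
          in_search_scope(alice, "OU=Marketing,DC=zycamp,DC=com"))
    print("IT1 found under OU=Marketing search base:  ",
          in_search_scope(actual_it1, "OU=Marketing,DC=zycamp,DC=com"))
```

Once the two DNs look right, the same values can be verified against the real domain controller with a standard LDAP client (for example ldapsearch with -D set to the full bind DN and -b set to the Search Base) before saving them on the firewall; the DN-escaping helper also matters wherever account names come from user input.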

Benefits

  • Supports AD best practices by allowing administrator accounts to be stored in dedicated OUs.
  • Provides greater flexibility in structuring directory services.
  • Resolves the confusing “Invalid DN syntax” errors encountered in earlier versions when the bind account was not under CN=Users.

Key Takeaway

With uOS 1.35, you can now specify a Bind DN Base for Active Directory authentication, ensuring the firewall can locate administrator accounts even when they reside outside the default “Users” container.