uOS 1.35 – Active Directory (AD) Server Enhancement: Bind DN Base Support

Zyxel_Lynn

When integrating a Zyxel firewall with an Active Directory (AD) server for external user authentication, two important parameters define how the firewall communicates with AD:

• Search Base DN – specifies where the firewall should begin searching for user accounts.
• Bind DN Base – specifies where the administrator (bind) account used for authentication queries is located.

Previous Limitation

• Before uOS 1.35, the firewall assumed that the administrator (bind) account was always located under the default “Users” container in AD.
• If the administrator account was stored in a different organizational unit (OU) (e.g., IT Team, Sales, Marketing), authentication attempts would fail with errors such as “Invalid DN syntax”.
• This prevented administrators from placing service accounts in dedicated OUs, which is a common best practice for AD management.

New Behavior in 1.35

• A new configuration field, Bind DN Base, has been added.
• Administrators can now explicitly specify the DN path of the AD folder where the bind (administrator) account resides.
• This allows the firewall to properly locate administrator accounts in custom OUs.

Example Scenario

1. Default Behavior (Before 1.35)
   • Administrator account IT1 is stored in OU=IT Team, DC=zycamp, DC=com.
   • Without Bind DN Base, the firewall assumes the account is under CN=Users, DC=zycamp, DC=com.
   • Result: Firewall cannot authenticate queries.
2. Using Bind DN Base (1.35 and later)
   • OU=IT Team,DC=zycamp,DC=com
   • Bind account: IT1 with its password.
   • Firewall can now successfully authenticate and search for other users.

Search Base vs. Bind DN Base

• Bind DN Base – where the firewall finds the administrator account it uses for queries.
• Search Base – where the firewall begins looking for user accounts being authenticated.
  • Example: If Search Base = OU=Marketing,DC=zycamp,DC=com, then only marketing users can be found.
  • If blank, the firewall searches the entire directory.

Benefits

• Supports AD best practices by allowing administrator accounts to be stored in dedicated OUs.
• Provides greater flexibility in structuring directory services.
• Resolves confusing “invalid DN syntax” errors encountered in earlier versions.

Key Takeaway

With uOS 1.35, you can now specify a Bind DN Base for Active Directory authentication, ensuring the firewall can locate administrator accounts even when they reside outside the default “Users” container.