uOS 1.35 – Active Directory (AD) Server Enhancement: Bind DN Base Support

Zyxel_Lynn
Posts: 71
Zyxel Employee

When integrating a Zyxel firewall with an Active Directory (AD) server for external user authentication, two important parameters define how the firewall communicates with AD:
- Search Base DN – specifies where the firewall should begin searching for user accounts.
- Bind DN Base – specifies where the administrator (bind) account used for authentication queries is located.
Previous Limitation
- Before uOS 1.35, the firewall assumed that the administrator (bind) account was always located under the default “Users” container in AD.
- If the administrator account was stored in a different organizational unit (OU) (e.g., IT Team, Sales, Marketing), authentication attempts would fail with errors such as “Invalid DN syntax”.
- This prevented administrators from placing service accounts in dedicated OUs, which is a common best practice for AD management.
New Behavior in 1.35
- A new configuration field, Bind DN Base, has been added.
- Administrators can now explicitly specify the DN path of the AD folder where the bind (administrator) account resides.
- This allows the firewall to properly locate administrator accounts in custom OUs.
Example Scenario
- Default Behavior (Before 1.35)
  - Administrator account IT1 is stored in OU=IT Team, DC=zycamp, DC=com.
  - Without Bind DN Base, the firewall assumes the account is under CN=Users, DC=zycamp, DC=com.
  - Result: the firewall cannot authenticate its queries.
- Using Bind DN Base (1.35 and later)
  - Bind DN Base: OU=IT Team,DC=zycamp,DC=com
  - Bind account: IT1 with its password.
  - Result: the firewall can now successfully authenticate and search for other users.
Search Base vs. Bind DN Base
- Bind DN Base – where the firewall finds the administrator account it uses for queries.
- Search Base – where the firewall begins looking for the user accounts being authenticated.
- Example: if Search Base = OU=Marketing,DC=zycamp,DC=com, then only Marketing users can be found.
- If Search Base is left blank, the firewall searches the entire directory.
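To make the two scopes concrete, here is an added in-memory model (not Zyxel's code and not the firewall's implementation) of how a Bind DN Base and a Search Base select entries in the zycamp.com directory from the scenario above. The directory contents are constructed, and the model simply composes CN=<account> under the configured base, which is enough to show why the pre-1.35 assumption fails for an account in its own OU.

```python
# Added example (not Zyxel's code): an in-memory model of how a Bind DN Base and
# a Search Base scope the firewall's LDAP operations against the zycamp.com
# directory from the post. The directory contents below are constructed.

def normalize_dn(dn: str) -> tuple:
    """Split a DN into its RDNs. AD compares DNs case-insensitively and ignores
    whitespace around the separating commas, so the two spellings of the IT Team
    OU used in the post compare equal."""
    return tuple(rdn.strip().lower() for rdn in dn.split(",") if rdn.strip())

# Constructed sample directory: DN -> object class. The bind account IT1 lives
# in a dedicated OU, not in the default Users container.
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=zycamp,DC=com": "user",
    "CN=IT1,OU=IT Team,DC=zycamp,DC=com": "user",
    "CN=alice,OU=Marketing,DC=zycamp,DC=com": "user",
    "CN=bob,OU=Marketing,DC=zycamp,DC=com": "user",
    "CN=carol,OU=Sales,DC=zycamp,DC=com": "user",
}

DEFAULT_BIND_BASE = "CN=Users,DC=zycamp,DC=com"  # container assumed before 1.35

def bind_dn(account: str, bind_dn_base: str = "") -> str:
    """Compose the DN the firewall binds with: the account's CN under the
    configured Bind DN Base, or under the default Users container if blank."""
    return f"CN={account},{bind_dn_base.strip() or DEFAULT_BIND_BASE}"

def try_bind(account: str, bind_dn_base: str = "") -> tuple:
    """Return (success, dn_used). A bind can only succeed when the composed DN
    names an existing object; a wrong base yields the failure the post describes."""
    dn = bind_dn(account, bind_dn_base)
    exists = normalize_dn(dn) in {normalize_dn(d) for d in DIRECTORY}
    return exists, dn

def search_users(search_base: str = "") -> list:
    """Users whose DN lies under the Search Base; a blank base is the whole tree."""
    base = normalize_dn(search_base)
    return sorted(dn for dn, cls in DIRECTORY.items()
                  if cls == "user" and (not base or normalize_dn(dn)[-len(base):] == base))

if __name__ == "__main__":
    print(try_bind("IT1"))                                   # (False, ...) pre-1.35 assumption
    print(try_bind("IT1", "OU=IT Team, DC=zycamp, DC=com"))  # (True, ...) with Bind DN Base
    print(search_users("OU=Marketing,DC=zycamp,DC=com"))     # only the two Marketing users
    print(len(search_users()))                               # blank base: all 5 users
```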
Benefits
- Supports AD best practices by allowing administrator accounts to be stored in dedicated OUs.
- Provides greater flexibility in structuring directory services.
- Resolves confusing “invalid DN syntax” errors encountered in earlier versions.
Key Takeaway
With uOS 1.35, you can now specify a Bind DN Base for Active Directory authentication, ensuring the firewall can locate administrator accounts even when they reside outside the default “Users” container.