Active Directory auth is giving a Bind error

Hoygen83
Hoygen83 Posts: 21  Freshman Member
edited April 2021 in Security

Hello,

I have a Synology NAS DS716+II and a Zyxel USG210.

The NAS is providing Active Directory to the office.

I want to follow this guide, https://support.zyxel.eu/hc/en-us/articles/360000653359-USG-Series-Authenticate-SSL-VPN-clients-with-Microsoft-Active-Directory, which looks very good.

Every time I set up the environment and test with a fully functional user, I get the message "Wrong Base Dn Or Bind Dn".

I double-checked this guide, https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=013651&lang=EN, but I'm still getting it.

Is there a way to get better information about what happens when "Wrong Base Dn Or Bind Dn" is thrown?

Meanwhile, I'm also asking Synology users:

https://community.synology.com/enu/forum/1/post/132311

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,298  Zyxel Employee
    edited March 2020

    Hi @Hoygen83

Here is an example of the settings for Active Directory:

    Base DN : DC=jerry,DC=com

    Bind DN : CN=administrator,CN=Users,DC=jerry,DC=com

    Here is the reference for some AD-related parameter settings:

    https://businessforum.zyxel.com/discussion/1011/how-to-configure-usg-series-to-authenticate-ssl-vpn-client-with-microsoft-active-directory/p1?new=1
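The original question asks how to see what really happens behind "Wrong Base Dn Or Bind Dn". The firewall collapses every LDAP failure into that one message, while the directory server itself answers with a specific result code and diagnostic string. The script below is an added example (it is not part of the thread and is not Zyxel or Synology code): it reproduces the firewall's simple bind with nothing but Python's standard library, against a DN in the same format Zyxel_Jerry shows above, and prints the raw result code from both ldap://389 and ldaps://636. Host, Bind DN and password are taken from the command line; the placeholder password sent on port 389 is this example's own choice, so the real secret never crosses the wire unencrypted.

```python
"""Show the real LDAP result code behind a firewall's "Wrong Base DN or Bind DN".

Added example, not from the Zyxel or Synology documentation. It speaks LDAPv3 with only
the standard library: encodes a simple BindRequest, sends it over ldap:// or ldaps://,
and decodes the BindResponse. Usage: python ldap_bind_probe.py HOST BIND_DN PASSWORD
"""
import socket
import ssl
import sys

# Result codes a bind can return; the firewall collapses all of them into one message.
RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired (simple bind refused without TLS; Samba-based AD does this by default)",
    32: "noSuchObject (seen on searches against a wrong Base DN, not on the bind itself)",
    34: "invalidDNSyntax (Bind DN is not a well-formed DN string)",
    49: "invalidCredentials (DN not found or wrong password)",
    53: "unwillingToPerform",
}
# Windows AD appends a sub-code to the diagnostic string: "data 525" = user not found,
# "data 52e" = bad password, "data 533" = account disabled, "data 775" = account locked out.


def ber_len(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by count big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, content):
    """One TLV: tag byte, BER length, content."""
    return bytes([tag]) + ber_len(len(content)) + content


def bind_request(bind_dn, password, msg_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication simple } }."""
    assert 0 <= msg_id < 128, "a single-byte INTEGER is enough for a one-shot probe"
    version = ber(0x02, b"\x03")                        # INTEGER 3
    name = ber(0x04, bind_dn.encode("utf-8"))           # LDAPDN
    simple = ber(0x80, password.encode("utf-8"))        # [0] simple password
    bind = ber(0x60, version + name + simple)           # [APPLICATION 0] BindRequest
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (resultCode, matchedDN, diagnosticMessage) from a raw LDAPMessage."""
    tag, message, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(message)
    tag, response, _ = read_tlv(message, pos)
    if tag != 0x61:                                     # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(response)                   # ENUMERATED resultCode
    _, matched, pos = read_tlv(response, pos)           # LDAPDN matchedDN
    _, diag, _ = read_tlv(response, pos)                # LDAPString diagnosticMessage
    return int.from_bytes(code, "big"), matched.decode("utf-8"), diag.decode("utf-8", "replace")


def describe(code):
    return RESULT_CODES.get(code, "resultCode %d" % code)


def try_bind(host, port, bind_dn, password, use_tls, timeout=5):
    """Send one simple bind and return (resultCode, description, diagnosticMessage)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False                      # diagnostic probe: inspect, do not trust
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(bind_dn, password))
        code, _matched, diag = parse_bind_response(sock.recv(65535))
    return code, describe(code), diag


if __name__ == "__main__":
    host, bind_dn, password = sys.argv[1:4]
    # Port 389 gets a placeholder password so the real secret never travels in clear text.
    # A 49 there means the server accepts plaintext simple binds; an 8 means it refuses them.
    probes = ((389, False, "placeholder-not-the-real-password"), (636, True, password))
    for port, tls, secret in probes:
        scheme = "ldaps" if tls else "ldap"
        try:
            code, desc, diag = try_bind(host, port, bind_dn, secret, tls)
            print(f"{scheme}://{host}:{port}: {code} {desc} {diag!r}")
        except (OSError, ValueError, IndexError) as exc:
            print(f"{scheme}://{host}:{port}: {exc}")
```

Read the two lines together: a refusal on 389 with an empty or "transport encryption required" style diagnostic plus a 0 on 636 means the DNs are fine and only the firewall's SSL setting is wrong; a 49 on 636 means the Bind DN or password is the problem, and on Windows AD the "data" sub-code tells you which.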

  • Hoygen83
    Hoygen83 Posts: 21  Freshman Member

Thank you very much. Do you happen to know if someone else has accomplished that scenario with a Synology NAS Active Directory?

    I have already configured it successfully on several Windows Server Active Directories.

  • XYtelehandler
    XYtelehandler Posts: 1  Freshman Member

Subscribed - please post back if you get it working. I believe 389 is the correct port, by deduction, as it is used for LDAP, and LDAP is unavailable when using Synology Directory Server.

  • David_ECA
    David_ECA Posts: 5  Freshman Member
    edited October 2020
    Hello,

Same problem here. I have a Syno DS918+ with Synology Directory Server (the new name of Synology Active Directory), and my USG Flex 100 tells me: Wrong Base DN or Bind DN

    Here are my parameters:
    BaseDN : DC=xxxxxxxx,DC=local
    Bind DN : CN=administrator,CN=users,DC=xxxxxxxx,DC=local

    Has anyone ever managed to get this to work?

    Thanks !
  • Neige25
    Neige25 Posts: 3  Freshman Member

    Hello,
I'm having the same issue.
    I've tried this on a lot of hardware.

It works on a Synology RS815+ with:
        - DSM 6.2.3-25426 Update 2
        - Synology Directory Server 4.4.5-0101
        - Zyxel USG110 V4.39(AAPH.0)

    But it doesn't work on a Synology RS812+ with:
        - DSM 6.2.3-25426 Update 2
        - Synology Directory Server 4.4.5-0101
        - Zyxel USG60 V4.39(AAKY.0)

    I also tried to connect the Zyxel USG60 router to:
        - A true Active Directory on Windows Server 2008 R2 (the same functional diagram), and it works correctly
        - A Samba 4 Active Directory (Debian 9), and it works correctly

  • David_ECA
    David_ECA Posts: 5  Freshman Member
    Hello,

    I finally found the solution with the support of Synology.
    There were actually several cumulative problems.

First of all, you must verify on the Zyxel that there is a DNS entry to reach the Synology:
    In System => DNS:
    Either a PTR record of the type:
    *.mydomain.local => Synology IP
    Or a Domain Zone Forwarder:
    Zone: mydomain.local
    Public DNS: Synology IP

    Then, SSL must be enabled in the configuration of the AD server. This is your case here. This is because the Zyxel uses LDAP to contact AD, and Synology refuses this without SSL.

    Finally, you must verify that the correct certificate is used on Synology.
    In Security => Certificates:
    Click on Configure
    Check that Synology Directory Server is using the certificate of AD, and not the general certificate of Synology.

I think it's this last point that is stuck in your case (it was my last problem).
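David_ECA's three checks (a DNS path to the NAS, LDAP over SSL, and the right certificate on the Directory Server) can be verified from any workstation before touching the firewall again. The script below is an added example, not from the thread and not Zyxel or Synology code: it resolves the exact name or IP configured on the USG, connects to port 636, and reports the certificate actually served there, including whether its Subject Alternative Names cover that name. The certificate dict shape is the one Python's ssl.SSLSocket.getpeercert() returns; the optional CA file argument (the CA certificate exported from the NAS) and the sample names in the comments are assumptions. Two caveats: name resolution shown is that of the machine running the script, not the USG's own DNS forwarder, which still has to be set on the firewall as the post says; and without a CA file Python returns no parsed certificate fields, so only the leaf's fingerprint is reported.

```python
"""Check the LDAPS endpoint the firewall will talk to: name resolution, the certificate
actually served on 636, and whether that certificate covers the name the firewall uses.

Added example, not from the thread, Zyxel or Synology. The pure helpers (name matching,
expiry) work on the dict shape ssl.SSLSocket.getpeercert() returns, so they run offline.
Usage: python ldaps_cert_check.py HOST_OR_IP [ca_exported_from_nas.pem]
"""
import hashlib
import ipaddress
import socket
import ssl
import sys
import time


def _dns_name_matches(pattern, name):
    """RFC 6125-style match: case-insensitive exact, or a wildcard in the left-most label only."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, rest = name.partition(".")
    # *.mydomain.local matches dc1.mydomain.local, not mydomain.local or a.dc1.mydomain.local
    return bool(sep) and head != "" and rest == pattern[2:]


def cert_covers_name(cert, target):
    """True if the SAN list (or, lacking SANs, the subject CN) covers target, a hostname or IP."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:                                  # IP literals only match iPAddress entries
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:                                       # legacy certificate without a SAN extension
        names = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    return any(_dns_name_matches(pattern, target) for pattern in names)


def cert_expired(cert, now=None):
    """notAfter comes back as text such as 'Oct 15 12:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    return now > ssl.cert_time_to_seconds(cert["notAfter"])


def inspect_ldaps(host, port=636, cafile=None, timeout=5):
    """Connect once and report. With cafile the chain is verified and the leaf is parsed and
    checked against host; without it getpeercert() returns {} and only a fingerprint is known."""
    report = {"host": host, "port": port,
              "addresses": sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})}
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False                          # the name check is done and reported below
    if cafile is None:
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            report["tls_version"] = tls.version()
            der = tls.getpeercert(binary_form=True)
            cert = tls.getpeercert()                    # {} unless the chain was verified
    report["leaf_sha256"] = hashlib.sha256(der).hexdigest()
    if cert:
        report["subject"] = cert.get("subject")
        report["issuer"] = cert.get("issuer")
        report["subjectAltName"] = cert.get("subjectAltName")
        report["covers_host"] = cert_covers_name(cert, host)
        report["expired"] = cert_expired(cert)
    return report


if __name__ == "__main__":
    target = sys.argv[1]                                # the exact name or IP configured on the firewall
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in inspect_ldaps(target, cafile=ca).items():
        print(f"{key}: {value}")
```

Run it once with the CA exported from the NAS and compare leaf_sha256 against the certificate shown under Security => Certificates for Synology Directory Server: a different fingerprint means the service is still presenting the general DSM certificate, which is the third problem in the post above.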
  • Neige25
    Neige25 Posts: 3  Freshman Member
Thank you for your reply.

    I have checked, and the certificates are correctly configured.

    I also added the Domain Zone Forwarder.

    But it doesn't work :(
  • Jeremylin
    Jeremylin Posts: 166  Master Member
    edited November 2020
From the message, it seems the IP and port configuration between the device and the USG is mismatched.
    Can your USG ping the Synology Active Directory Server?
    You may check the configuration on Synology with the link below:
    https://www.synology.com/en-us/knowledgebase/DSM/help/DirectoryServerForWindowsDomain/synologydirectoryserver_desc

  • Neige25
    Neige25 Posts: 3  Freshman Member
Yes, the USG pings the server fine.

    I have checked my configuration on Synology; it is correct (it works for another customer with the same configuration).
  • Jeremylin
    Jeremylin Posts: 166  Master Member
I think you should check the configuration on Synology, since the device works with Windows Server 2008 R2 and the RS815+ model.
