AD Bind Credentials

Christopher Bland chris at
Thu Nov 14 13:57:07 EST 2019

Hi All,

My AD guys are restructuring OUs and user placement, which is going to affect my AD service account.  At present I am running IDP v3.4.4 using a JAAS config going against AD.  Following the directions when I set this up earlier in the year, I set the following values:

bindDn = "Service Account DistinguishedName"
idp.authn.LDAP.bindDN = "Service Account DistinguishedName"

In an effort not to have to make these changes in the future I switched the bindDN value to the UPN value of my AD service account and things seem to work during testing on my dev IDP.  Since the value is supposed to be a DN, I am wondering what other admins have done?

My second question: In my and I have configured "idp.authn.LDAP.authenticator = adAuthenticator". As such, my understanding is that there is no need to search for the user's DN because the IDP accepts the user@domain format for authentication. Is it necessary to have credentials configured in bindDN and bindCredential for authentication? Also, can my AD DataConnector in my attribute-resolver.xml file resolve attributes based on the user that it has authenticated?
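An added illustration, not from the original post or the Shibboleth project: a ldap.properties fragment for IdP v3 with the AD authenticator, where authentication binds as the end user through dnFormat and the attribute resolver's DataConnector carries its own bind account. The host, domain, OUs and account names are constructed placeholders.

```properties
# Added example (not from the original post). Hostnames, DNs and the
# domain suffix below are constructed placeholders.

# Authentication: adAuthenticator performs a simple bind as the end user,
# building the UPN from the submitted username with dnFormat. No user
# search runs, so no service-account bind is involved on this path.
idp.authn.LDAP.authenticator = adAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ad.example.org:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.dnFormat = %s@example.org

# Attribute resolution: the LDAP DataConnector binds with its own account.
# AD accepts a UPN as the simple-bind name, so a UPN survives OU moves
# where a DN would not; keep this account read-only and scoped to the
# OUs it needs to read.
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN = OU=People,DC=example,DC=org
idp.attribute.resolver.LDAP.bindDN = svc-idp-resolver@example.org
idp.attribute.resolver.LDAP.bindDNCredential = PLACEHOLDER-set-in-secrets-store
idp.attribute.resolver.LDAP.searchFilter = (sAMAccountName=$resolutionContext.principal)
```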
