1. If the password in AD is changed then you can log into Impress with both the old password and the new password. (verified)
  2. The user account in Active Directory must have an e-mail attribute specified in the user properties. If you are using a Microsoft Exchange server, this attribute will already be populated for your users. If you are not using Exchange, you will need to set it manually. (verified)

What Works that Didn't in Earlier Versions

  1. Automatic account creation does work and there is no need for a user to register on Impress site if they exist in Active Directory. (verified)
  2. Users in all Organizational units are able to authenticate. (verified)

Working Configuration

LDAP Port Number - 389

LDAP Server Name - (FQDN or IP of a domain controller in your AD domain)

LDAP Base DN - dc=yourdomain,dc=com

DN of the LDAP Manager - CN=Administrator,CN=users,DC=yourdomain,DC=com (This should probably be a regular user that you create specifically for LDAP integrations. Does not have to be an Admin. (unverified))

Password of the LDAP Manager - **********

LDAP Version Protocol - 3

ImpressCMS User(s) bypass LDAP Authentication - admin (and any other local ICMS accounts you want to create)

Login name use in the DN - NO

LDAP Attribute use to search the user - sAMAccountName (case sensitive)

The search filter LDAP query to find user - "leave this blank"

The domain name -

Automatic ImpressCMS account provisionning - YES

Default affect group - Registered Users

LDAP - Mail Field Name - mail (Case sensitive)

LDAP - Given Name Field Name - givenname (Case sensitive)

LDAP - Surname Field Name - sn (Case Sensitive)

ImpressCMS-Auth server fields mapping - email=mail|name=displayname (Case Sensitive)

Maintain ImpressCMS account provisioning - YES

Use TLS connection - NO

Simple Troubleshooting Steps to Make Life Easier

  1. From your server running ICMS make sure you can ping the AD domain controller that you specified in the above configuration.
  2. From your server running ICMS make sure you can telnet to port 389 of your AD domain controller (use the same FQDN or IP you entered as the LDAP Server Name above):
    telnet yourdc.yourdomain.com 389

    If you get "connection refused" there is either a firewall blocking your connection or LDAP is listening on a port other than 389.
  3. Follow instructions in the Microsoft Article here to enable event logging for "16 LDAP Interface Events" -
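The following helper script is an added example, not part of the original page or of ImpressCMS itself. It reproduces the three things the configuration above and these troubleshooting steps depend on: the per-user search filter built from the "LDAP Attribute use to search the user" setting (assumed to be of the form (attr=login) when the search filter is left blank, with the login value escaped so that a user name cannot alter the filter), the "email=mail|name=displayname" field mapping with the mandatory mail attribute enforced, and the same reachability check as the telnet step. The host name dc01.yourdomain.com and the sample AD entry are constructed placeholders.

```python
import socket

# Settings taken from the working configuration above.
SEARCH_ATTR = "sAMAccountName"
FIELD_MAPPING = "email=mail|name=displayname"
MAIL_ATTR = "mail"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(login, attr=SEARCH_ATTR):
    """Filter assumed to be sent when the 'search filter' setting is blank: (attr=login)."""
    return "(%s=%s)" % (attr, escape_filter_value(login))


def parse_field_mapping(mapping):
    """'email=mail|name=displayname' -> {'email': 'mail', 'name': 'displayname'}."""
    pairs = (item.split("=", 1) for item in mapping.split("|") if item)
    return {cms.strip(): ad.strip() for cms, ad in pairs}


def provision_fields(entry, mapping=FIELD_MAPPING):
    """Build ImpressCMS account fields from an AD entry (dict of attributes).
    Rejects entries with no mail attribute, per point 2 of the notes above."""
    if not entry.get(MAIL_ATTR):
        raise ValueError("AD user has no '%s' attribute; cannot provision" % MAIL_ATTR)
    return {cms: entry.get(ad, "") for cms, ad in parse_field_mapping(mapping).items()}


def port_open(host, port=389, timeout=3.0):
    """Same check as 'telnet <dc> 389' in the troubleshooting steps."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample AD entry, not real directory data.
    sample = {"sAMAccountName": "jdoe", "mail": "jdoe@yourdomain.com",
              "displayname": "Jane Doe", "givenname": "Jane", "sn": "Doe"}
    print(build_user_filter(sample["sAMAccountName"]))  # (sAMAccountName=jdoe)
    print(provision_fields(sample))
    print("port 389 reachable:", port_open("dc01.yourdomain.com"))  # placeholder host
```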
Last modified on 2012/4/4 by Anonymous