Create a .bat file in the jwt\bin directory under the Journyx install directory (usually C:\Program Files\Journyx\jwt\bin). You can name it whatever you like; for this article I will name mine "ldap_auth.bat". Below are the contents of "ldap_auth.bat".
@echo off
rem ldap_auth.bat LDAP_BIND_USER LDAP_BIND_PASS [USER]
rem LDAP_BIND_USER is the user that the LDAP query will bind with to query about USER.
rem LDAP_BIND_PASS is LDAP_BIND_USER's password. These can be set in Journyx so they're
rem not sitting on your filesystem somewhere in what amounts to a plain text file.
set LDAP_BIND_USER=%1
set LDAP_BIND_PASS=%2
rem USER is the user which we are looking up to see if they exist in LDAP. It is also the
rem user who is logging in so we don't get information about everyone they can see, only
rem information about them.
set USER=%3
rem If USER isn't provided, use LDAP_BIND_USER
IF [%USER%] == [] set USER=%LDAP_BIND_USER%
rem bind with LDAP_BIND_USER with password LDAP_BIND_PASS and search for a user with the
rem samid of USER. With the result, find the characters "CN". We then use the exit code
rem from the find to exit this script to tell Journyx whether or not it worked.
rem Exit code 0 means the bind/lookup succeeded. Exit code 1 means it did not.
dsquery user -u %LDAP_BIND_USER% -p %LDAP_BIND_PASS% -samid %USER% | find "CN"
exit %errorlevel%
In the LDAP tool settings, use the following for the Existence command. Replace "ldapuser" with the name of an LDAP user that is allowed to query LDAP, and "ldappassword" with that user's password. These credentials are separate from the login credentials of the user being checked.
"C:\Program Files\Journyx\jwt\bin\ldap_auth.bat" ldapuser ldappassword <user>
For Authentication use:
"C:\Program Files\Journyx\jwt\bin\ldap_auth.bat" <user> <password>
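The following PowerShell script is an added example, not part of the original article or of Journyx. It implements the same contract as ldap_auth.bat (arguments BIND_USER BIND_PASS [USER]; exit 0 when the bind succeeds and the user exists, 1 otherwise), so it can be called from the same two Existence and Authentication command lines with "ldap_auth.bat" swapped for powershell.exe -File ldap_auth.ps1. It assumes a domain-joined host; it uses System.DirectoryServices instead of dsquery | find, escapes the user name before placing it in the LDAP filter, and treats a failed bind or an unreachable directory as a failed login rather than relying on the string "CN" appearing in the output.

```powershell
# ldap_auth.ps1 -- added example with the same exit-code contract as ldap_auth.bat.
# Existence:      ldap_auth.ps1 BIND_USER BIND_PASS USER   (0 = USER exists, 1 = not)
# Authentication: ldap_auth.ps1 USER PASSWORD             (0 = bind as USER succeeded)
param(
    [Parameter(Mandatory)][string]$BindUser,
    [Parameter(Mandatory)][string]$BindPass,
    [string]$User = $BindUser          # as in the .bat: default USER to BIND_USER
)

try {
    # Bind to the directory with the supplied credentials. A wrong password or an
    # unreachable domain controller throws, which is what makes the Authentication
    # call fail. Assumes the host is domain-joined so LDAP://RootDSE resolves.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE", $BindUser, $BindPass)
    $base = "LDAP://" + $root.Properties["defaultNamingContext"][0]
    $dir  = New-Object System.DirectoryServices.DirectoryEntry($base, $BindUser, $BindPass)

    # Escape the LDAP filter metacharacters from RFC 4515 so the user name that
    # Journyx passes in cannot change the shape of the search filter.
    $escaped = $User -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
                     -replace '\)', '\29' -replace "`0", '\00'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($dir)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    $searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null

    # FindOne returns $null when no object matches: exit 1, just like find "CN"
    # returning 1 on empty dsquery output in the .bat version.
    $result = $searcher.FindOne()
    if ($null -ne $result) { exit 0 }
    exit 1
}
catch {
    # Bad credentials, no directory, or malformed input all count as "did not work".
    exit 1
}
```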