[tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
adam
prozaconstilts at gmail.com
Fri Nov 20 03:26:55 UTC 2009
Hailu Meng wrote:
> Adam,
>
> I tried su - "userid" on my tacacs+ server, but I don't have that
> userid in CentOS. So CentOS just doesn't want to let me log in. I think this
> will not ask the tacacs server to authenticate against AD.
You shouldn't need to define the user in CentOS; that's the
point of using ldap for authentication. The user is defined in ldap, not
in CentOS. Now that I think about it, su - <user> probably wouldn't work
anyway, as AD doesn't by default have the data needed by a linux box to
allow login...but see below for more options.
>
> Is there any other way to test ldap authentication against AD with the
> userid in AD? I tried ldapsearch. It did find my user id without
> problem. But I haven't found any option to try with a password and
> authenticate against AD.
Try using -D:
from `man ldapsearch`:
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
So -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate
using whatever user you want to define. Just check and double check that you
get the right path in that dn.
> Do you have an ldap server set up, or only the openldap library and openldap
> client? I don't understand why the log is not turned on. There must be
> some debugging info in the log which can help solve this issue.
Only the libs and client. You should not need the server. In
ldapsearch, you can use -d <integer> to get debugging info for that
search. As before, higher number = more debug.
> If the user can authenticate, does ethereal capture some packets about
> password verification? Right now I only see the packets when ldap searches
> for my user id and gets results back from AD.
Ethereal should catch all data flowing between the client and server. If
you can search out the user in your AD right now, then one of two things
is happening:
1. You are performing anonymous searches. In this case, no username and
pw are provided, and your AD is happy to hand over info to anyone who
asks for it. If this is the case, you will _not_ see authentication
information. The following MS KB article should help you
determine whether anonymous queries are allowed on your AD:
http://support.microsoft.com/kb/320528
It has exact instructions for how to get it going, but you can follow
along with it to check your current settings without making any changes.
2. Authentication is happening. It will be the _very_ first thing the
client and server perform, after basic connection establishment. Look
for it at the very beginning of a dump.
Also, it's a bit overkill, but the following article is extremely
informative about all the different ways you can plug linux into AD for
authentication. It might offer some hints...
>
> Maybe I need to dig into ldap.conf more. If you have any idea, let me know.
>
> Thank you very much.
>
> Lou
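An added example (not from the thread) of the -D bind test suggested above, for testing a user's AD password with the OpenLDAP client. It assumes ldap:// with StartTLS (-ZZ), a password file for -y, and that ldapsearch exits with the LDAP result code (49 = invalid credentials), in which case AD appends a "data NNN" sub-code to the diagnostic that says why the bind failed.

```shell
#!/bin/sh
# Decode the outcome of an ldapsearch bind test against Active Directory.
# $1 = ldapsearch exit status (the LDAP result code), $2 = its stderr text.
# AD's "AcceptSecurityContext error, data NNN" sub-codes (well known values):
#   525 user not found     52e wrong password     530 logon hours
#   532 password expired   533 account disabled   701 account expired
#   773 must reset pwd     775 account locked out
ad_bind_reason() {
    rc="$1"; diag="$2"
    case "$rc" in
        0)  echo "bind OK" ;;
        49)
            data=$(printf '%s\n' "$diag" | sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p')
            case "$data" in
                525) echo "user not found (check the bind DN)" ;;
                52e) echo "invalid credentials (DN found, wrong password)" ;;
                530) echo "not permitted to log on at this time" ;;
                532) echo "password expired" ;;
                533) echo "account disabled" ;;
                701) echo "account expired" ;;
                773) echo "user must reset password" ;;
                775) echo "account locked out" ;;
                *)   echo "invalid credentials (no AD data code parsed)" ;;
            esac ;;
        *)  echo "ldapsearch failed with LDAP result code $rc" ;;
    esac
}

# Perform the bind test itself (assumed arguments, not from the thread):
# $1 = ldap://server URI, $2 = bind DN, $3 = file holding the password,
# $4 = search base. -x is a simple bind, so -ZZ (mandatory StartTLS) keeps
# the password off the wire in clear text; -y avoids putting it in argv.
ad_bind_test() {
    uri="$1"; binddn="$2"; pwfile="$3"; base="$4"
    diag=$(ldapsearch -x -ZZ -H "$uri" -D "$binddn" -y "$pwfile" \
             -b "$base" -s base '(objectClass=*)' dn 2>&1)
    rc=$?
    ad_bind_reason "$rc" "$diag"
    [ "$rc" -eq 0 ]
}
```

Run as ad_bind_test ldap://dc.example.com "cn=user,ou=my_ou,dc=my_dc" ./pw.txt dc=my_dc; a 52e versus 525 answer tells you whether the DN path or the password is wrong.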