[tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory

Hailu Meng hailumeng at gmail.com
Mon Nov 23 18:12:58 UTC 2009


Hi Adam,

If ldapsearch -D "" -w "" runs successfully, what are we supposed to get
from the output? I just got all of the user information in that group. Does
that mean my password and username got authenticated successfully against
AD?

This thing drives me crazy. I need to solve it this week before the
holiday...

Thanks a lot for the help.

Lou

On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <hailumeng at gmail.com> wrote:

> Still no clue how to turn on the log. Binding seems good. See my findings
> below. Thanks a lot.
>
> On Thu, Nov 19, 2009 at 9:26 PM, adam <prozaconstilts at gmail.com> wrote:
>
>> Hailu Meng wrote:
>>
>>> Adam,
>>>
>>> I tried su - "userid" on my tacacs+ server, but I don't have that
>>> userid in CentOS, so CentOS just doesn't let me log in. I think this will
>>> not ask the tacacs server to authenticate against AD.
>>>
>>
>> You shouldn't have to define the user in CentOS; that's the point
>> of using ldap for authentication. The user is defined in ldap, not in
>> CentOS. Now that I think about it, su - <user> probably wouldn't work
>> anyway, as AD doesn't by default have the data needed by a linux box to
>> allow login...but see below for more options.
>>
>>
>>
>>> Is there any other way to test ldap authentication against AD with the
>>> userid in AD? I tried ldapsearch. It did find my user id without problem.
>>> But I haven't found any option to try with password and authenticate against
>>> AD.
>>>
>>
>> Try using -D:
>>
>> from `man ldapsearch`:
>>
>> -D binddn
>>  Use the Distinguished Name binddn to bind to the LDAP directory.
>>
>> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate
>> using whatever user you want to define. Just check and double check you get
>> the right path in that dn.
>>
>>
> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of
> users' information. Does that mean it succeeded?
>
>
>>> Do you have an ldap server set up, or only the openldap library and openldap
>>> client? I don't understand why the log is not turned on. There must be some
>>> debugging info in the log which can help solve this issue.
>>>
>>
>> Only the libs and client. You should not need the server. In the
>> ldapsearch, you can use -d <integer> to get debugging info for that search.
>> As before, higher number = more debug.
>>
>>
>>> If the user can authenticate, does ethereal capture some packets about
>>> password verification? Right now I only see the packets when ldap searches for
>>> my user id and gets results back from AD.
>>>
>>
>> Ethereal should catch all data flowing between the client and server. If
>> you can search out the user in your AD right now, then one of two things is
>> happening:
>>
>> 1. You are performing anonymous searches. In this case, no username and pw
>> are provided, and your AD is happy to hand over info to anyone who asks for
>> it. If this is the case, you will _not_ see authentication information. The
>> following MS KB article should help you determine on your AD whether
>> anonymous queries are allowed:
>>
>> http://support.microsoft.com/kb/320528
>>
>> It has exact instructions for how to get it going, but you can follow
>> along with it to check your current settings without making any changes.
>>
>
> I checked our setting. The permission type for a normal user is "Read & Execute".
> I clicked Edit to check the permission details. I think it only allows the
> user to read the attributes, permissions and so on, and can't modify
> AD. The "Everyone" entry is also set to "Read & Execute". By the way,
> the AD is Win2003 R2.
>
>
>>
>> 2. Authentication is happening. It will be the _very_ first thing the
>> client and server perform, after basic connection establishment. Look for it
>> at the very beginning of a dump.
>>
>>
>>
>> Also, it's a bit overkill, but the following article is extremely
>> informative about all the different ways you can plug linux into AD for
>> authentication. It might offer some hints...
>>
>>
>>
>>
>>> Maybe I need to dig into ldap.conf more. If you have any idea, let me know.
>>>
>>> Thank you very much.
>>>
>>> Lou
>>>
>>
>>
>>
>
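The question in this thread (a search that returns entries after -D/-w: does that mean the password was checked?) is exactly the case where the exit status alone misleads. The script below is an added example, not something posted to the list or shipped with tac_plus. It does what Adam suggests (a simple bind with -D and a password) but checks the result in two ways: it refuses an empty password, because a simple bind with a DN and an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2) that Active Directory accepts as an anonymous session, and on success it uses ldapwhoami (the Who Am I? extended operation, assumed to be supported by the DC) to confirm the server actually attached an identity to the session. The host, DN and account names are placeholders, and the AD sub-code table maps the documented "data NNN" values AD appends to an "Invalid credentials (49)" result.

```shell
#!/bin/sh
# Added example (not from the thread): test an AD simple bind the way the
# replies suggest (-D binddn with a password) but check the RESULT, not
# whether a search happened to print entries. Hostnames, DNs and account
# names below are placeholders.

# Active Directory reports "Invalid credentials (49)" with a sub-code in the
# diagnostic text, e.g. "... AcceptSecurityContext error, data 52e, v1db1".
# The sub-codes below are the documented AD values.
ad_bind_subcode() {
    case "$1" in
        *"data 525"*) echo "user not found" ;;
        *"data 52e"*) echo "wrong password" ;;
        *"data 530"*) echo "logon not permitted at this time" ;;
        *"data 531"*) echo "logon not permitted from this workstation" ;;
        *"data 532"*) echo "password expired" ;;
        *"data 533"*) echo "account disabled" ;;
        *"data 701"*) echo "account expired" ;;
        *"data 773"*) echo "password must be changed" ;;
        *"data 775"*) echo "account locked out" ;;
        *)            echo "unrecognised bind failure" ;;
    esac
}

# Bind as $1 (a DN, a user@domain UPN, or DOMAIN\user) with password $2 to
# the LDAP URI $3. Return 0 only if the directory confirms an authenticated
# identity for the session.
ad_check_bind() {
    user=$1; pass=$2; uri=$3

    # An LDAP simple bind with a name and an EMPTY password is an
    # "unauthenticated bind" (RFC 4513 s5.1.2). AD accepts it as ANONYMOUS,
    # so a test that only looks at the exit status, or at whether a search
    # returned entries, would report success for any user name. Refuse it.
    if [ -z "$pass" ]; then
        echo "refusing empty password (AD would treat the bind as anonymous)"
        return 2
    fi

    # ldapwhoami performs the bind and then asks the server who it thinks
    # we are (Who Am I? extended operation, assumed supported by this DC).
    # Its exit status is the LDAP result code; stderr carries AD's text.
    rc=0
    out=$(ldapwhoami -x -H "$uri" -D "$user" -w "$pass" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "bind failed ($rc): $(ad_bind_subcode "$out")"
        return 1
    fi

    # On success AD answers with an authzId such as "u:EXAMPLE\lou". An empty
    # or "anonymous" answer means the server let us in without checking the
    # credentials at all, which is a failure for our purposes.
    case "$out" in
        ""|anonymous) echo "bind accepted but session is anonymous"; return 3 ;;
        *)            echo "authenticated as $out"; return 0 ;;
    esac
}

# Usage: ad_check_bind 'lou@example.com' "$PASSWORD" ldaps://dc1.example.com
```

Two practical notes: AD accepts user@domain or DOMAIN\user as the bind name, which avoids guessing the exact cn=...,ou=... path, and a simple bind sends the password in clear text, which is why Ethereal would show it; use ldaps:// (or -ZZ for StartTLS) against a real DC, and prefer -W (prompt) over -w on a shared host so the password does not appear in the process list.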