[tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory

john heasley heas at shrubbery.net
Mon Nov 23 18:23:51 UTC 2009


Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> Hi Adam,
> 
> If the ldapsearch -D "" -w "" runs successfully, what are we supposed to get
> from the output? I just got all of the user information in that group. Does
> that mean my password and username got authenticated successfully against
> AD?
> 
> This thing drives me crazy. I need to solve it this week before the
> holiday...

i haven't followed this thread, as i know nearly zero about ldap.  but,
have you enabled authentication debugging in the tacacs daemon and
checked the logs to determine what is coming back from pam?  it very
well may be that the ldap client is working just fine, but there is a
pam module bug or a bug in the tacplus daemon or that your device
simply doesn't like something about the replies.

> Thanks a lot for the help.
> 
> Lou
> 
> On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <hailumeng at gmail.com> wrote:
> 
> > Still no clue how to turn on the log. binding seems good. See my findings
> > below. Thanks a lot.
> >
> > On Thu, Nov 19, 2009 at 9:26 PM, adam <prozaconstilts at gmail.com> wrote:
> >
> >> Hailu Meng wrote:
> >>
> >>> Adam,
> >>>
> >>> I tried the su - "userid" in my tacacs+ server but I don't have that
> >>> userid in CentOS. So CentOS just doesn't want me to log in. I think this will
> >>> not ask the tacacs server to authenticate against AD.
> >>>
> >>
> >> You shouldn't need to have to define the user in CentOS, that's the point
> >> of using ldap for authentication. The user is defined in ldap, not in
> >> CentOS. Now that I think about it, su - <user> probably wouldn't work
> >> anyway, as AD doesn't by default have the data needed by a linux box to
> >> allow login...but see below for more options.
> >>
> >>
> >>
> >>> Is there any other way to test ldap authentication against AD with the
> >>> userid in AD? I tried ldapsearch. It did find my user id without problem.
> >>> But I haven't found any option to try with password and authenticate against
> >>> AD.
> >>>
> >>
> >> Try using -D:
> >>
> >> from `man ldapsearch`:
> >>
> >> -D binddn
> >>  Use the Distinguished Name binddn to bind to the LDAP directory.
> >>
> >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate
> >> using whatever user you want to define. Just check and double check you get
> >> the right path in that dn.
> >>
> >>
> > I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of
> > users' information. Does that mean it was successful?
> >
> >
> >>> Do you have an ldap server set up or only the openldap library and openldap
> >>> client? I don't understand why the log is not turned on. There must be some
> >>> debugging info in the log which can help solve this issue.
> >>>
> >>
> >> only the libs and client. You should not need the server. In the
> >> ldapsearch, you can use -d <integer> to get debugging info for that search.
> >> As before, higher number = more debug
> >>
> >>
> >>> If the user can authenticate, does ethereal capture some packets about
> >>> password verification? Right now I only see the packets when ldap search for
> >>> my user id and gets results back from AD.
> >>>
> >>
> >> Ethereal should catch all data flowing between the client and server. If
> >> you can search out the user in your AD right now, then one of two things is
> >> happening:
> >>
> >> 1. You are performing anonymous searches. In this case, no username and pw
> >> is provided, and your AD is happy to hand over info to anyone who asks for
> >> it. If this is the case, you will _not_ see authentication information. The
> >> following MS KB article should probably help you determine on your AD if
> >> anonymous queries are allowed:
> >>
> >> http://support.microsoft.com/kb/320528
> >>
> >> It has exact instructions for how to get it going, but you can follow
> >> along with it to check your current settings without making any changes.
> >>
> >
> > I checked our setting. Permission type for normal user is "Read & Execute".
> > I clicked edit to check the details about the permission. I think it only allows the
> > user to read the attributes, permissions and such, and can't modify the
> > AD. There is an "Everyone" setting which is also set as "Read & Execute". By the way,
> > the AD is Win2003 R2.
> >
> >
> >>
> >> 2. Authentication is happening. It will be the _very_ first thing the
> >> client and server perform, after basic connection establishment. Look for it
> >> at the very beginning of a dump.
> >>
> >>
> >>
> >> Also, it's a bit overkill, but the following article is extremely
> >> informative about all the different ways you can plug linux into AD for
> >> authentication. It might offer some hints...
> >>
> >>
> >>
> >>
> >>> Maybe I need to dig into ldap.conf more. If you have any idea, let me know.
> >>>
> >>> Thank you very much.
> >>>
> >>> Lou
> >>>
> >>
> >>
> >>
> >
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
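Adam's point 2 above is that the bind is the very first LDAP exchange in a capture, and his point 1 is that `ldapsearch -D "" -w ""` never sends credentials at all. The following is an added example, not code from this thread or from tac_plus: a small decoder for the LDAPv3 BindRequest/BindResponse BER encoding (RFC 4511), so the first two packets of an Ethereal/Wireshark dump can be read without the GUI. It tells an anonymous simple bind (empty name and empty password) from an authenticated one and maps the server's resultCode to its name. The sample messages are constructed inline by a tiny encoder, the DN `cn=username,ou=my_ou,dc=my_dc` is the placeholder from the thread, and the diagnostic text is made up.

```python
# Added example (not from the tac_plus thread): decode an LDAPv3 bind exchange.
# Assumes RFC 4511 BER framing; sample messages below are constructed, not captured.

# resultCode values that matter when a bind fails (RFC 4511, Appendix A).
# OpenLDAP's ldapsearch exits with the resultCode, so "-x -D <dn> -w <pw>" exiting 49
# means the bind itself was rejected, whatever the search would have returned.
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}


def _read_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def _read_sequence(value):
    """Split a constructed value into its child (tag, value) pairs."""
    children, pos = [], 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        children.append((tag, child))
    return children


def parse_ldap_message(data):
    """Decode one LDAPMessage carrying a bindRequest or bindResponse into a dict."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    (id_tag, id_val), (op_tag, op_val) = _read_sequence(body)[:2]
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    msg = {"message_id": int.from_bytes(id_val, "big", signed=True)}

    if op_tag == 0x60:                     # [APPLICATION 0] BindRequest
        (_, ver), (_, name), (auth_tag, auth) = _read_sequence(op_val)[:3]
        msg.update(op="bindRequest", version=int.from_bytes(ver, "big"), name=name.decode("utf-8"))
        if auth_tag == 0x80:               # [0] simple: password crosses the wire in the clear
            msg["auth"] = "simple"
            msg["anonymous"] = (len(name) == 0 and len(auth) == 0)
        elif auth_tag == 0xA3:             # [3] SASL (e.g. GSSAPI/Kerberos against AD)
            msg["auth"] = "sasl"
            msg["anonymous"] = False
        else:
            raise ValueError("unknown AuthenticationChoice tag 0x%02x" % auth_tag)
    elif op_tag == 0x61:                   # [APPLICATION 1] BindResponse
        (_, code), (_, matched), (_, diag) = _read_sequence(op_val)[:3]
        rc = int.from_bytes(code, "big")
        msg.update(op="bindResponse", result_code=rc, result=RESULT_CODES.get(rc, "other(%d)" % rc),
                   matched_dn=matched.decode("utf-8"), diagnostic=diag.decode("utf-8", "replace"))
    else:
        msg["op"] = "other(0x%02x)" % op_tag
    return msg


# --- constructed sample messages (minimal BER encoder, not a real capture) ---

def _tlv(tag, value):
    """Encode one BER element, using long-form length for values over 127 bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    ln = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def build_bind_request(msg_id, name, password):
    """Encode an LDAPv3 simple BindRequest; empty name and password means anonymous."""
    op = _tlv(0x60, _tlv(0x02, bytes([3])) + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + op)


def build_bind_response(msg_id, result_code, diagnostic=""):
    """Encode a BindResponse with the given resultCode, empty matchedDN and a diagnostic."""
    op = _tlv(0x61, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + op)


if __name__ == "__main__":
    # What 'ldapsearch -x -D "" -w ""' sends: an anonymous bind, nothing for AD to verify.
    print(parse_ldap_message(build_bind_request(1, "", "")))
    # A real simple bind with the thread's placeholder DN, and a rejected reply (constructed text).
    print(parse_ldap_message(build_bind_request(2, "cn=username,ou=my_ou,dc=my_dc", "secret")))
    print(parse_ldap_message(build_bind_response(2, 49, "constructed: password rejected")))
```

Two practical consequences for the thread's question: a bind with `name == ""` and an empty simple password is anonymous, so a search succeeding after it says nothing about the user's password; and a simple bind carries the password in cleartext, which is exactly why it is visible in an Ethereal dump and why the tacacs host should bind over LDAPS or StartTLS rather than plain port 389.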

