Oh, and here's the log for the same /usr/local/pf/bin/pftest authentication my_domain_user "" run:

pftest(30112) ERROR: unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
pftest(30112) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
pftest(30112) WARN: [my_ad] User CN=User User,OU=Users,OU=My Org,DC=dc,DC=local cannot bind from OU=Users,OU=My Org,DC=dc,DC=local on 10.10.10.10:389 (pf::Authentication::Source::LDAPSource::authenticate)

/usr/local/pf/bin/pftest authentication my_domain_user "random_wrong_password"

pftest(29775) ERROR: unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
pftest(29775) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
pftest(29775) INFO: [my_ad] Authentication successful for my_domain_user (pf::Authentication::Source::LDAPSource::authenticate)
pftest(29775) INFO: [my_ad internal_access] Found a match (CN=User User,OU=Users,OU=My Org,DC=dc,DC=local) (pf::Authentication::Source::LDAPSource::match_in_subclass)
pftest(29775) INFO: Matched rule (internal_access) in source my_ad, returning actions. (pf::Authentication::Source::match)

So where's the problem, do you think?

PS: Just so you know, for my configuration '/usr/local/pf/conf/admin.conf' does not exist.

----------------------------------------
> From: [email protected]
> To: [email protected]
> Date: Wed, 10 Feb 2016 09:27:25 +0000
> Subject: Re: [PacketFence-users] AD integration
>
> Hi.
>
> Thanks for that little script. Didn't know about that. Very handy. I was able
> to test it and can confirm something is really wrong either in my config or
> the AD configuration itself.
> When I test with no password at all the authentication fails, which is what
> I would expect:
>
> /usr/local/pf/bin/pftest authentication my_domain_user ""
> Testing authentication for "my_domain_user"
>
> Authenticating against local
> Authentication FAILED against local (Unable to authenticate successfully using SQL.)
> Did not match against local
>
> Authenticating against email
> Authentication FAILED against email ()
> Matched against email
> set_role : guest
> set_access_duration : 1D
>
> Authenticating against my_ad
> Authentication FAILED against my_ad (Invalid login or password)
> Matched against my_ad
> set_role : internal_role
> set_access_duration : 1D
>
> But when I put in any random password (not the correct password) the
> authentication succeeds as long as there is some text present:
>
> /usr/local/pf/bin/pftest authentication my_domain_user "random_wrong_password"
> Testing authentication for "my_domain_user"
>
> Authenticating against local
> Authentication FAILED against local (Unable to authenticate successfully using SQL.)
> Did not match against local
>
> Authenticating against email
> Authentication FAILED against email ()
> Matched against email
> set_role : guest
> set_access_duration : 1D
>
> Authenticating against my_ad
> Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)
> Matched against my_ad
> set_role : internal_role
> set_access_duration : 1D
>
> ________________________________
>> From: [email protected]
>> Date: Tue, 9 Feb 2016 14:44:52 -0500
>> To: [email protected]
>> Subject: Re: [PacketFence-users] AD integration
>>
>> Andy,
>>
>> You can test an account in your AD with:
>>
>> /usr/local/pf/bin/pftest authentication administrator ""
>>
>> Authenticating against AD-Inverse
>> Authentication FAILED against AD-Inverse (Invalid login or password)
>> Matched against AD-Inverse for 'authentication' rules
>> set_role : default
>> set_access_duration : 5D
>> Matched against AD-Inverse for 'administration' rules
>> mark_as_sponsor : 1
>>
>> /usr/local/pf/bin/pftest authentication administrator realpassword
>>
>> Authenticating against AD-Inverse
>> Authentication SUCCEEDED against AD-Inverse (Authentication successful.)
>> Matched against AD-Inverse for 'authentication' rules
>> set_role : default
>> set_access_duration : 5D
>> Matched against AD-Inverse for 'administration' rules
>> mark_as_sponsor : 1
>>
>> Make sure that you are matching the correct portal profile in
>> logs/packetfence.log:
>>
>> Instantiate profile PORTAL-PROFILE-NAME (pf::Portal::ProfileFactory::_from_profile)
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>> On 9 Feb 2016, at 14:25, Andy A <[email protected]> wrote:
>>
>> Thanks for your reply.
>> I have an AD source that is configured in PacketFence and the source talks to an AD server for my domain.
>>
>> cat /usr/local/pf/conf/authentication.conf
>> [local]
>> description=Local Users
>> type=SQL
>>
>> [email]
>> description=Email-based registration
>> email_activation_timeout=10m
>> type=Email
>> create_local_account=yes
>> allow_localdomain=yes
>>
>> [my_ad]
>> description=My Active Directory
>> password=PASSWORD
>> scope=sub
>> binddn=OU=Users,OU=My Org,DC=orgDC,DC=local
>> basedn=OU=Users,OU=My Org,DC=orgDC,DC=local
>> usernameattribute=sAMAccountName
>> connection_timeout=15
>> stripped_user_name=no
>> encryption=none
>> cache_match=1
>> port=389
>> type=AD
>> host=10.10.10.10
>>
>> [my_ad rule internal_access]
>> description=internal access
>> match=all
>> action0=set_role=internal_role
>> action1=set_access_duration=1D
>>
>> cat /usr/local/pf/conf/profiles.conf
>> [default]
>> description=Default Profile
>> logo=/captive-portal/content/assets/img/logo.gif
>> billing_engine=disabled
>> redirecturl=http://google.com
>> always_use_redirecturl=enabled
>> mandatory_fields=firstname,lastname,email
>> locale=en_US
>> nbregpages=0
>> filter_match_style=any
>> block_interval=10m
>> sms_pin_retry_limit=0
>> sms_request_limit=0
>> login_attempt_limit=0
>> dot1x_recompute_role_from_portal=enabled
>> reuse_dot1x_credentials=0
>> sources=email,local
>> provisioners=
>> custom_fields_authentication_sources=
>> scans=
>>
>> [my_site]
>> description=internal site
>> login_attempt_limit=0
>> dot1x_recompute_role_from_portal=0
>> sms_pin_retry_limit=0
>> locale=en_US
>> sms_request_limit=0
>> nbregpages=0
>> always_use_redirecturl=enabled
>> redirecturl=http://www.google.com
>> billing_engine=disabled
>> filter=network:10.10.0.0/24
>> description=my site internal profile
>> mandatory_fields=
>> scans=
>> reuse_dot1x_credentials=0
>> sources=my_ad,email,local
>> block_interval=12h
>> provisioners=
>> custom_fields_authentication_sources=
>> filter_match_style=any
>>
>> ________________________________
>> From: [email protected]
>> Date: Tue, 9 Feb 2016 13:20:07 -0500
>> To: [email protected]
>> Subject: Re: [PacketFence-users] AD integration
>>
>> Hello Andy,
>>
>> When you say 'AD integration', did you configure the AD source in PacketFence, or have you joined your PacketFence server to your AD domain?
>>
>> Can you paste the output of these commands (hiding the passwords):
>>
>> cat /usr/local/pf/conf/authentication.conf
>>
>> cat /usr/local/pf/conf/profiles.conf
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>> On 9 Feb 2016, at 12:22, Andy A <[email protected]> wrote:
>>
>> Hello.
>>
>> I am using PF 5.2 on CentOS 6.x in inline mode. We are using AD integration and it works fine to get people on the internet, with just a small issue.
>> The AD doesn't require the user's domain password to sign in to the internet as long as the username is a valid child within the AD object tree.
>>
>> So basically 'userA' and 'userB' can type 'password' as their password and still be authenticated, as the AD is not considering the password at all.
>>
>> Is this correct behaviour, or have I missed a trick here and not configured the AD properly?
>>
>> Thanks.
>> ------------------------------------------------------------------------------
>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>> Monitor end-to-end web transactions and take corrective actions now
>> Troubleshoot faster and improve end-user experience. Signup Now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
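A defender-side regression check for the symptom discussed in this thread, added here as an example that is neither part of the thread nor PacketFence's own code: it parses the pftest output format shown above and reports any authentication source that accepted a credential the test knows to be wrong. The sample output is reconstructed from Andy's mail (wrapped lines joined back together); the source names and the check-script name are assumptions for illustration.

```python
import re

# Constructed sample: pftest output for a deliberately wrong password, as quoted
# in Andy's mail (long lines joined back together).
SAMPLE_WRONG_PASSWORD = """Testing authentication for "my_domain_user"

Authenticating against local
Authentication FAILED against local (Unable to authenticate successfully using SQL.)
Did not match against local

Authenticating against email
Authentication FAILED against email ()
Matched against email
set_role : guest
set_access_duration : 1D

Authenticating against my_ad
Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)
Matched against my_ad
set_role : internal_role
set_access_duration : 1D
"""

# "Authentication SUCCEEDED against my_ad (reason)"; the reason may be empty: "()"
RESULT_RE = re.compile(r"^Authentication (SUCCEEDED|FAILED) against (\S+) \((.*)\)$")
# Actions returned by matched rules, e.g. "set_role : guest", "mark_as_sponsor : 1"
ACTION_RE = re.compile(r"^(\w+) : (.*)$")


def parse_pftest(output):
    """Map each source to its result, reason text and the actions it returned."""
    sources, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            current = m.group(2)
            sources[current] = {"result": m.group(1), "reason": m.group(3), "actions": {}}
            continue
        m = ACTION_RE.match(line)
        if m and current is not None:
            sources[current]["actions"][m.group(1)] = m.group(2)
    return sources


def unexpected_successes(output, must_fail):
    """Sources in must_fail that accepted the credential; for a wrong password this must be empty."""
    parsed = parse_pftest(output)
    return sorted(s for s in must_fail if parsed.get(s, {}).get("result") == "SUCCEEDED")


if __name__ == "__main__":
    import sys
    # Usage: pftest authentication USER "wrong-password" > out.txt; python3 pftest_check.py out.txt my_ad
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WRONG_PASSWORD
    bad = unexpected_successes(text, sys.argv[2:] or ["my_ad"])
    print("ALERT: wrong password accepted by " + ", ".join(bad) if bad else "OK: wrong password rejected")
    raise SystemExit(1 if bad else 0)
```

Run against the real pftest output with a deliberately wrong password after every change to the AD source, so a bind that silently stops checking passwords is caught before users notice.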
