Hi Ludovic Zammit. Any further ideas?
----------------------------------------
> From: [email protected]
> To: [email protected]
> Date: Wed, 10 Feb 2016 09:48:59 +0000
> Subject: Re: [PacketFence-users] AD integration
>
> Oh and here's the log for the same
>
> /usr/local/pf/bin/pftest authentication my_domain_user ""
>
> pftest(30112) ERROR: unable to read password file
> '/usr/local/pf/conf/admin.conf'
> (pf::Authentication::Source::HtpasswdSource::authenticate)
> pftest(30112) INFO: Matched rule (catchall) in source email, returning
> actions. (pf::Authentication::Source::match)
> pftest(30112) WARN: [my_ad] User CN=User User,OU=Users,OU=My
> Org,DC=dc,DC=local cannot bind from OU=Users,OU=My Org,DC=dc,DC=local on
> 10.10.10.10:389 (pf::Authentication::Source::LDAPSource::authenticate)
>
> /usr/local/pf/bin/pftest authentication my_domain_user "random_wrong_password"
> pftest(29775) ERROR: unable to read password file
> '/usr/local/pf/conf/admin.conf'
> (pf::Authentication::Source::HtpasswdSource::authenticate)
> pftest(29775) INFO: Matched rule (catchall) in source email, returning
> actions. (pf::Authentication::Source::match)
> pftest(29775) INFO: [my_ad] Authentication successful for my_domain_user
> (pf::Authentication::Source::LDAPSource::authenticate)
> pftest(29775) INFO: [my_ad internal_access] Found a match (CN=User
> User,OU=Users,OU=My Org,DC=dc,DC=local)
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
> pftest(29775) INFO: Matched rule (internal_access) in source my_ad, returning
> actions. (pf::Authentication::Source::match)
>
> So where's the problem do you think?
>
> PS: Just so you know for my configuration '/usr/local/pf/conf/admin.conf'
> does not exist.
>
> ----------------------------------------
>> From: [email protected]
>> To: [email protected]
>> Date: Wed, 10 Feb 2016 09:27:25 +0000
>> Subject: Re: [PacketFence-users] AD integration
>>
>> Hi.
>>
>> Thanks for that little script. Didn't know about that. Very handy.
>> I was able to test it and can confirm something is really wrong either in my
>> config or the AD configuration itself.
>> When I test with no password at all the authentication fails - which is what
>> I would expect
>>
>> /usr/local/pf/bin/pftest authentication my_domain_user ""
>> Testing authentication for "my_domain_user"
>>
>> Authenticating against local
>> Authentication FAILED against local (Unable to authenticate successfully
>> using SQL.)
>> Did not match against local
>>
>> Authenticating against email
>> Authentication FAILED against email ()
>> Matched against email
>> set_role : guest
>> set_access_duration : 1D
>>
>> Authenticating against my_ad
>> Authentication FAILED against my_ad (Invalid login or password)
>> Matched against my_ad
>> set_role : internal_role
>> set_access_duration : 1D
>>
>> But when I put any random password (not the correct password) the
>> authentication succeeds as long as there is some text present
>>
>> /usr/local/pf/bin/pftest authentication my_domain_user
>> "random_wrong_password"
>> Testing authentication for "my_domain_user"
>>
>> Authenticating against local
>> Authentication FAILED against local (Unable to authenticate successfully
>> using SQL.)
>> Did not match against local
>>
>> Authenticating against email
>> Authentication FAILED against email ()
>> Matched against email
>> set_role : guest
>> set_access_duration : 1D
>>
>> Authenticating against my_ad
>> Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)
>> Matched against my_ad
>> set_role : internal_role
>> set_access_duration : 1D
>>
>> ________________________________
>>> From: [email protected]
>>> Date: Tue, 9 Feb 2016 14:44:52 -0500
>>> To: [email protected]
>>> Subject: Re: [PacketFence-users] AD integration
>>>
>>> Andy,
>>>
>>> You can test an account in your ad with:
>>>
>>> /usr/local/pf/bin/pftest authentication administrator ""
>>>
>>> Authenticating against AD-Inverse
>>> Authentication FAILED against AD-Inverse (Invalid login or password)
>>> Matched against AD-Inverse for 'authentication' rules
>>> set_role : default
>>> set_access_duration : 5D
>>> Matched against AD-Inverse for 'administration' rules
>>> mark_as_sponsor : 1
>>>
>>> /usr/local/pf/bin/pftest authentication administrator realpassword
>>>
>>> Authenticating against AD-Inverse
>>> Authentication SUCCEEDED against AD-Inverse (Authentication successful.)
>>> Matched against AD-Inverse for 'authentication' rules
>>> set_role : default
>>> set_access_duration : 5D
>>> Matched against AD-Inverse for 'administration' rules
>>> mark_as_sponsor : 1
>>>
>>> Make sure that you are matching the correct portal profile in the
>>> logs/packetfence.log
>>>
>>> Instantiate profile PORTAL-PROFILE-NAME
>>> (pf::Portal::ProfileFactory::_from_profile)
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>> (http://packetfence.org)
>>>
>>> On 9 Feb 2016, at 14:25, Andy A <[email protected]> wrote:
>>>
>>> Thanks for your reply. I have AD source that is configured in
>>> PacketFence and the source talks to an AD server for my Domain.
>>>
>>> cat /usr/local/pf/conf/authentication.conf
>>> [local]
>>> description=Local Users
>>> type=SQL
>>>
>>> [email]
>>> description=Email-based registration
>>> email_activation_timeout=10m
>>> type=Email
>>> create_local_account=yes
>>> allow_localdomain=yes
>>>
>>> [my_ad]
>>> description=My Active Directory
>>> password=PASSWORD
>>> scope=sub
>>> binddn=OU=Users,OU=My Org,DC=orgDC,DC=local
>>> basedn=OU=Users,OU=My Org,DC=orgDC,DC=local
>>> usernameattribute=sAMAccountName
>>> connection_timeout=15
>>> stripped_user_name=no
>>> encryption=none
>>> cache_match=1
>>> port=389
>>> type=AD
>>> host=10.10.10.10
>>>
>>> [my_ad rule internal_access]
>>> description=internal access
>>> match=all
>>> action0=set_role=internal_role
>>> action1=set_access_duration=1D
>>>
>>> cat /usr/local/pf/conf/profiles.conf
>>> [default]
>>> description=Default Profile
>>> logo=/captive-portal/content/assets/img/logo.gif
>>> billing_engine=disabled
>>> redirecturl=http://google.com
>>> always_use_redirecturl=enabled
>>> mandatory_fields=firstname,lastname,email
>>> locale=en_US
>>> nbregpages=0
>>> filter_match_style=any
>>> block_interval=10m
>>> sms_pin_retry_limit=0
>>> sms_request_limit=0
>>> login_attempt_limit=0
>>> dot1x_recompute_role_from_portal=enabled
>>> reuse_dot1x_credentials=0
>>> sources=email,local
>>> provisioners=
>>> custom_fields_authentication_sources=
>>> scans=
>>>
>>> [my_site]
>>> description=internal site
>>> login_attempt_limit=0
>>> dot1x_recompute_role_from_portal=0
>>> sms_pin_retry_limit=0
>>> locale=en_US
>>> sms_request_limit=0
>>> nbregpages=0
>>> always_use_redirecturl=enabled
>>> redirecturl=http://www.google.com
>>> billing_engine=disabled
>>> filter=network:10.10.0.0/24
>>> description=my site internal profile
>>> mandatory_fields=
>>> scans=
>>> reuse_dot1x_credentials=0
>>> sources=my_ad,email,local
>>> block_interval=12h
>>> provisioners=
>>> custom_fields_authentication_sources=
>>> filter_match_style=any
>>>
>>> ________________________________
>>> From: [email protected]
>>> Date: Tue, 9 Feb 2016 13:20:07 -0500
>>> To: [email protected]
>>> Subject: Re: [PacketFence-users] AD integration
>>>
>>> Hello Andy,
>>>
>>> When you are saying ‘AD integration’, did you configure the AD source
>>> in PacketFence or have you joined your PacketFence server to your AD
>>> domain?
>>>
>>> Can you paste the output of those commands (hiding the passwords):
>>>
>>> cat /usr/local/pf/conf/authentication.conf
>>>
>>> cat /usr/local/pf/conf/profiles.conf
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>> (http://packetfence.org)
>>>
>>> On 9 Feb 2016, at 12:22, Andy A <[email protected]> wrote:
>>>
>>> Hello.
>>>
>>> I am using PF 5.2 on CentOS 6.x in inline mode. We are using AD
>>> integration and it works fine to get people on the internet with just a
>>> small issue.
>>> The AD doesn't require the user's domain password to sign-in to the
>>> internet as long as the username is a valid child within the AD object
>>> tree.
>>>
>>> So basically 'userA' and 'userB' can type 'password' as their password
>>> and still be authenticated as the AD is not considering the password at
>>> all.
>>>
>>> Is this a correct behaviour? or have I missed a trick here and not
>>> configured the AD properly?
>>>
>>> Thanks.
>>> ------------------------------------------------------------------------------
>>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>>> Monitor end-to-end web transactions and take corrective actions now
>>> Troubleshoot faster and improve end-user experience. Signup Now!
>>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
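
A negative test for the behaviour reported in this thread, as an added example that is not part of the original messages or PacketFence's own code: it parses pftest output in the format quoted above and lists every source that authenticated a deliberately wrong password. The function names, the sample string and the default bad password are assumptions made for illustration.

```python
import re
import subprocess

PFTEST = "/usr/local/pf/bin/pftest"  # path used in the thread
RESULT = re.compile(r"^Authentication (FAILED|SUCCEEDED) against (\S+) \((.*)\)$")
MATCHED = re.compile(r"^Matched against (\S+)")
ACTION = re.compile(r"^(\w+)\s*:\s*(.+)$")

# Constructed sample: abridged from the wrong-password run quoted in the thread.
WRONG_PASSWORD_RUN = """\
Testing authentication for "my_domain_user"

Authenticating against email
Authentication FAILED against email ()
Matched against email
set_role : guest
set_access_duration : 1D

Authenticating against my_ad
Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)
Matched against my_ad
set_role : internal_role
set_access_duration : 1D
"""

def parse_pftest(output):
    """Map each source to its authentication result, rule match and actions."""
    sources, current = {}, None
    for line in (raw.strip() for raw in output.splitlines()):
        if m := RESULT.match(line):
            current = sources[m.group(2)] = {
                "authenticated": m.group(1) == "SUCCEEDED",
                "reason": m.group(3), "matched": False, "actions": {}}
        elif (m := MATCHED.match(line)) and m.group(1) in sources:
            current = sources[m.group(1)]
            current["matched"] = True
        elif current is not None and (m := ACTION.match(line)):
            current["actions"][m.group(1)] = m.group(2)
    return sources

def sources_accepting(output):
    """Sources that authenticated; for a known-wrong password each one is a finding."""
    return [name for name, r in parse_pftest(output).items() if r["authenticated"]]

def negative_test(user, bad_password="known-wrong-password"):
    """Run pftest with a password that must be rejected (needs a PacketFence host)."""
    out = subprocess.run([PFTEST, "authentication", user, bad_password],
                         capture_output=True, text=True).stdout
    return sources_accepting(out)
```

In the quoted output a source can report FAILED and still show `Matched` with actions, so the check keys on the `Authentication SUCCEEDED` line only.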
