Hi David. Thanks so much for taking the time to write all of that. It is VERY helpful since I am not very experienced with Active Directory. I just wanted to confirm the steps that you have written are for the issue that I am having and it came across in my previous emails.
Let me describe my main issue. Let's say we have a domain user John Doe, username: john.doe, password: john123. The issue I am currently having with my AD integration is that if I use john.doe with '123john' or '123jane' as password, the user gets authenticated, which shouldn't happen, as it seems to be authenticating the user with the original AD password (which in this case is john123). Is that a wrong expectation from my side (inexperienced with Active Directory)? So what I am asking is whether the steps you've outlined will help resolve that issue?

________________________________
> From: [email protected]
> Date: Thu, 11 Feb 2016 11:34:30 +1300
> To: [email protected]
> Subject: Re: [PacketFence-users] AD integration
>
> On Wed, Feb 10, 2016 at 10:48 PM, Andy A <[email protected]> wrote:
> > pftest(30112) WARN: [my_ad] User CN=User User,OU=Users,OU=My Org,DC=dc,DC=local cannot bind from OU=Users,OU=My Org,DC=dc,DC=local on 10.10.10.10:389 (pf::Authentication::Source::LDAPSource::authenticate)
>
> Hi Andy,
>
> This is the problem - it can't bind, which means either you're not using the right host or username or OU.
>
> Here's a useful command line test I use called ldapsearch for testing ldap queries on linux - you'll have to install it on your packetfence box:
>
> if ubuntu/debian: sudo apt-get install ldap-utils
> if rhel/centos/oel: sudo yum install openldap-clients
>
> For me, I run this command and get all ldap data associated with a user. It's very useful for building filters:
>
> ldapsearch -LLL -H ldap://activedirectory.waikato.ac.nz -b dc=waikato,dc=ac,dc=nz -D [email protected] -W "(sAMAccountName=TARGET)"
>
> (changing the waikato.ac.nz bits for your environment, of course)
>
> Replace BIND with a username you can use to connect to AD with - your own for testing purposes works well.
> Replace TARGET with the username you're interested in the details of.
>
> for the entries you're given:
>
> >>> binddn=OU=Users,OU=My Org,DC=orgDC,DC=local <---- this looks wrong - try changing to [email protected]
> >>> basedn=OU=Users,OU=My Org,DC=orgDC,DC=local <-- this also looks quite wrong, perhaps just: OU=Users,OU=My Org,DC=org
> >>> usernameattribute=sAMAccountName
> >>> host=10.10.10.10
> >>> cache_match=1 <-- turn this off while trying to figure out this problem - it might be caching an incorrect answer, maybe? Turn it on again later once it's sorted though.
>
> For comparison purposes, my authentication.conf has this:
>
> [StaffAD]
> description=Staff Users
> password=XXXXXXXX
> scope=sub
> [email protected]
> basedn=DC=waikato,DC=ac,DC=nz
> usernameattribute=sAMAccountName
> connection_timeout=5
> stripped_user_name=yes
> encryption=none
> port=389
> type=AD
> host=activedirectory.waikato.ac.nz
>
> [StaffAD rule Staff]
> description=
> class=administration
> match=any
> action0=mark_as_sponsor=1
> condition0=mail,is member of,CN=Staff,CN=Users,DC=waikato,DC=ac,DC=nz
>
> The search string for the condition0 argument above returns a match only for members of the staff group.
>
> Finally, if you change conf/log.conf to debug + restart packetfence:
>
> [root@packetfence / ]# cat /usr/local/pf/conf/log.conf
> ### Root/Parent (PacketFence) logger ###
> # Will log everything (even categories defined to log in another appender) unless
> # specified using the additivity parameter
> log4perl.rootLogger = DEBUG, LOGFILE
>
> You'll get a bunch more logs in the packetfence.log file, which includes the ldap connection it's making and the output and decisions around those logs.
>
> You may also need to change other log files in the /usr/local/pf/conf/log.conf.d/ directory to increase their verbosity as well.
>
> This is essentially how I figured out what was going wrong. The next deeper log level is TRACE. Good luck.
>
> Hope this helps,
>
> Cheers,
> David
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
