Hi Andy,
I think that something else in the sources is authorising the user, perhaps.
I'd enable trace or debugging in the logs and see what is going on.
That said, your connection to your AD server isn't working, and you're
going to have to solve that problem if you want to have users authorized
and/or authenticated against AD.
(Authenticated means the username/password is a match for someone;
authorized means the user is part of a particular group. This is the
very short version, and there are subtleties here.)
- Alternatively, there are support contracts from the packetfence guys that
can help you out :)
The ldapsearch command is used to test that the connection to AD works like
you'd expect.
With AD, there's several discrete operations that have to happen to get
validation of a user:
1: you need to be able to connect to the AD server with TCP on port 389
2: a valid username/pass to connect to the AD server (called binding) <--
this isn't working, I think?
3: a valid query to perform to see if the user who wants to be allowed is
part of a group you specify
Cheers,
David
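The three checks listed above, as an added example script (not from the thread and not PacketFence's own code): it runs them in order with ldapsearch from ldap-utils / openldap-clients, and parses the LDIF that comes back to answer the group question. The host 10.10.10.10, the OU=Users,OU=My Org,DC=dc,DC=local tree, the bind identity pf-svc@dc.local and the group CN=Staff,CN=Users,DC=dc,DC=local are placeholders to replace with your own values; the LDIF in sample_ldif() is constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example: walk the three AD checks (reachability, service bind, group
# query) with ldapsearch. Host, DNs and credentials are placeholders.
AD_HOST="${AD_HOST:-10.10.10.10}"
AD_PORT="${AD_PORT:-389}"
BASE_DN="${BASE_DN:-OU=Users,OU=My Org,DC=dc,DC=local}"
BIND_DN="${BIND_DN:-pf-svc@dc.local}"      # UPN form: an account, never an OU
BIND_PW="${BIND_PW:-change-me}"            # -w shows in ps; -W prompts, -y reads a file
GROUP_DN="${GROUP_DN:-CN=Staff,CN=Users,DC=dc,DC=local}"
URI="ldap://$AD_HOST:$AD_PORT"

# Step 1: TCP reachability. AD answers an anonymous read of the rootDSE, so no
# credentials are needed; nettimeout bounds the connect, -l the search time.
step1_reachable() {
    ldapsearch -x -LLL -o nettimeout=5 -l 5 -H "$URI" -s base -b "" defaultNamingContext
}

# Step 2: does the service account bind? Same rootDSE read, but authenticated.
step2_bind() {
    ldapsearch -x -LLL -o nettimeout=5 -l 5 -H "$URI" -D "$BIND_DN" -w "$BIND_PW" \
        -s base -b "" defaultNamingContext >/dev/null
}

# Step 3: look the user up by sAMAccountName and fetch the memberOf values.
step3_lookup() {
    ldapsearch -x -LLL -o nettimeout=5 -H "$URI" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" "(sAMAccountName=$1)" dn memberOf
}

# ldapsearch folds long values onto continuation lines that begin with one
# space; join them back so a whole DN can be compared.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Exit 0 if the LDIF on stdin carries a memberOf equal (case-insensitively) to
# $1. Values AD base64-encodes ("memberOf::", non-ASCII DNs) are not decoded.
is_member() {
    unfold_ldif | awk -v want="$1" '
        tolower($0) == ("memberof: " tolower(want)) { found = 1 }
        END { exit !found }'
}

# Constructed sample of what step3_lookup prints, for offline use only.
sample_ldif() {
    cat <<'EOF'
dn: CN=John Doe,OU=Users,OU=My Org,DC=dc,DC=local
memberOf: CN=Staff,CN=Users,DC=dc,DC=local
memberOf: CN=A Group Whose Name Is Long Enough To Be Folded By ldapsearch,OU=Gro
 ups,DC=dc,DC=local
EOF
}

main() {
    user="${1:?usage: $0 <sAMAccountName>}"
    step1_reachable >/dev/null || { echo "step 1 failed: $URI not reachable"; return 1; }
    step2_bind || { echo "step 2 failed: $BIND_DN cannot bind (check binddn/password)"; return 1; }
    if step3_lookup "$user" | is_member "$GROUP_DN"; then
        echo "$user is a member of $GROUP_DN"
    else
        echo "$user not found under $BASE_DN or not in $GROUP_DN"
        return 1
    fi
}

# Only touch the network when asked: RUN_AD_CHECKS=1 ./adcheck.sh john.doe
if [ "${RUN_AD_CHECKS:-0}" = 1 ]; then main "$@"; fi
```

Each step fails on its own, so the first message you see names the layer to fix: a step 1 failure is network or host, a step 2 failure is the binddn/password pair (the "cannot bind" WARN), and only step 3 depends on basedn and the filter.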
On Thu, Feb 11, 2016 at 1:53 PM, Andy A <[email protected]> wrote:
> Hi David.
>
> Thanks so much for taking the time to write all of that. It is VERY
> helpful since I am not very experienced with Active Directory.
> I just wanted to confirm that the steps you have written are for the issue
> that I am having, as it came across in my previous emails.
>
> Let me describe my main issue. Let's say we have a domain user
>
> John Doe
> username: john.doe
> password: john123
>
> The issue I am currently having with my AD integration is that if I use
> john.doe with '123john' or '123jane' as password - the user gets
> authenticated - which shouldn't happen as it seems to be authenticating the
> user with the original AD password (which in this case is john123). Is that
> a wrong expectation from my side (inexperienced with Active Directory)?
>
> So what I am asking is whether the steps you've outlined will help resolve
> that issue?
>
>
> ________________________________
> > From: [email protected]
> > Date: Thu, 11 Feb 2016 11:34:30 +1300
> > To: [email protected]
> > Subject: Re: [PacketFence-users] AD integration
> >
> >
> > On Wed, Feb 10, 2016 at 10:48 PM, Andy A
> > <[email protected]> wrote:
> > pftest(30112) WARN: [my_ad] User CN=User User,OU=Users,OU=My
> > Org,DC=dc,DC=local cannot bind from OU=Users,OU=My Org,DC=dc,DC=local
> > on 10.10.10.10:389
> > (pf::Authentication::Source::LDAPSource::authenticate)
> >
> > Hi Andy,
> >
> > This is the problem - it can't bind, which means either you're not
> > using the right host or username or OU.
> >
> > Here's a useful command line test I use called ldapsearch for testing
> > ldap queries on linux - you'll have to install it on your packetfence
> > box:
> >
> > if ubuntu/debian: sudo apt-get install ldap-utils
> > if rhel/centos/oel: sudo yum install openldap-clients
> >
> > For me, I run this command and get all ldap data associated with a
> > user. It's very useful for building filters:
> >
> > ldapsearch -x -LLL -H ldap://activedirectory.waikato.ac.nz \
> >     -b dc=waikato,dc=ac,dc=nz \
> >     -D [email protected] -W \
> >     "(sAMAccountName=TARGET)"
> >
> > (changing the waikato.ac.nz bits for your
> > environment, of course)
> >
> > Replace BIND with a username you can use to connect to AD with - your
> > own for testing purposes works well.
> > Replace TARGET with the username you're interested in the details of.
> >
> >
> > for the entries you're given:
> >
> >>> binddn=OU=Users,OU=My Org,DC=orgDC,DC=local <---- this looks
> > wrong - try changing to [email protected]
> >>> basedn=OU=Users,OU=My Org,DC=orgDC,DC=local <-- this also looks
> > quite wrong, perhaps just: OU=Users,OU=My Org,DC=org
> >>> usernameattribute=sAMAccountName
> >>> host=10.10.10.10
> >>> cache_match=1 <-- turn this off while trying to figure out this
> > problem - it might be caching an incorrect answer, maybe? Turn it on
> > again later once it's sorted though.
> >
> > For comparison purposes, my authentication.conf has this:
> >
> > [StaffAD]
> > description=Staff Users
> > password=XXXXXXXX
> > scope=sub
> > [email protected]
> > basedn=DC=waikato,DC=ac,DC=nz
> > usernameattribute=sAMAccountName
> > connection_timeout=5
> > stripped_user_name=yes
> > encryption=none
> > port=389
> > type=AD
> > host=activedirectory.waikato.ac.nz
> >
> > [StaffAD rule Staff]
> > description=
> > class=administration
> > match=any
> > action0=mark_as_sponsor=1
> > condition0=mail,is member of,CN=Staff,CN=Users,DC=waikato,DC=ac,DC=nz
> >
> > The search string in the condition0 argument above returns a match only
> > for members of the staff group.
> >
> > Finally, if you change conf/log.conf to debug + restart packetfence:
> >
> > [root@packetfence / ]# cat /usr/local/pf/conf/log.conf
> > ### Root/Parent (PacketFence) logger ###
> > # Will log everything (even categories defined to log in another appender) unless
> > # specified using the additivity parameter
> > log4perl.rootLogger = DEBUG, LOGFILE
> >
> > You'll get a bunch more logs in the packetfence.log file, which
> > includes the ldap connection it's making and the output and decisions
> > around those logs.
> >
> > You may also need to change other log files in
> > the /usr/local/pf/conf/log.conf.d/ directory to increase their
> > verbosity as well.
> >
> > This is essentially how I figured out what was going wrong. The next
> > deeper log level is TRACE. Good luck.
> >
> > Hope this helps,
> >
> > Cheers,
> > David
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Site24x7 APM Insight: Get Deep Visibility into Application Performance
> > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> > Monitor end-to-end web transactions and take corrective actions now
> > Troubleshoot faster and improve end-user experience. Signup Now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> > _______________________________________________ PacketFence-users
> > mailing list [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
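The distinction the thread turns on (authenticated: the username/password matches someone; authorized: that user is in a given group) as an added, runnable model. This is not PacketFence's code: it is the standard LDAP flow of service bind, search by sAMAccountName, a second bind as the user's own DN with the password they typed, and only then a memberOf check, run against a constructed in-memory directory in place of AD. The PF Service account, the users and passwords (john.doe/john123 is taken from the thread), the OU=Users,OU=My Org,DC=dc,DC=local tree and the CN=Staff group are sample data, not real accounts. It also shows what a failed service bind (the WARN in the log) and a misconfigured binddn that names an OU do to the outcome, and it rejects the empty-password case, which is a general LDAP pitfall (an unauthenticated bind, RFC 4513 section 5.1.2) rather than something from the thread.

```python
"""Added example: authenticate-then-authorize against a fake directory.
Not PacketFence's implementation; sample DNs, names and passwords only."""
from dataclasses import dataclass


class BindError(Exception):
    """A bind failed: unreachable host, unknown DN or wrong password."""


@dataclass
class FakeDirectory:
    """Stand-in for AD: maps a DN to its password and attributes (constructed)."""
    entries: dict
    reachable: bool = True

    def bind(self, dn: str, password: str) -> None:
        if not self.reachable:
            raise BindError("cannot connect to directory")
        # A bind with a DN and an empty password is an *unauthenticated* bind
        # (RFC 4513 5.1.2) that AD accepts as anonymous; a client must refuse
        # it itself instead of treating the success as a login.
        entry = self.entries.get(dn)
        if not password or entry is None or entry["password"] != password:
            raise BindError(f"invalid credentials for {dn}")

    def search(self, basedn: str, attribute: str, value: str) -> list:
        """Entries under basedn whose attribute equals value (case-insensitive, as in AD)."""
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.lower().endswith(basedn.lower())
                and attrs.get(attribute, "").lower() == value.lower()]


@dataclass
class LDAPSource:
    """One source, with the same field names as authentication.conf uses."""
    directory: FakeDirectory
    binddn: str
    password: str
    basedn: str
    usernameattribute: str = "sAMAccountName"

    def find_user_dn(self, username: str):
        # Service-account bind, then search. If *this* bind fails (the WARN in
        # the thread) the BindError propagates: nothing gets validated.
        self.directory.bind(self.binddn, self.password)
        hits = self.directory.search(self.basedn, self.usernameattribute, username)
        return hits[0][0] if len(hits) == 1 else None

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: is username/password a match for someone?"""
        user_dn = self.find_user_dn(username)
        if user_dn is None:
            return False
        try:
            self.directory.bind(user_dn, password)   # the user's own bind
        except BindError:
            return False
        return True

    def is_member_of(self, username: str, group_dn: str) -> bool:
        """Authorization: is the user part of a particular group?"""
        user_dn = self.find_user_dn(username)
        if user_dn is None:
            return False
        groups = self.directory.entries[user_dn].get("memberOf", [])
        return group_dn.lower() in (g.lower() for g in groups)


def check(source: LDAPSource, username: str, password: str, group_dn: str):
    """Return (authenticated, authorized, error). Authorization is evaluated only
    after authentication succeeds; a failed service bind is an error, never a pass."""
    try:
        authenticated = source.authenticate(username, password)
        authorized = authenticated and source.is_member_of(username, group_dn)
    except BindError as exc:
        return (False, False, str(exc))
    return (authenticated, authorized, None)


BASEDN = "OU=Users,OU=My Org,DC=dc,DC=local"
STAFF_GROUP = "CN=Staff,CN=Users,DC=dc,DC=local"
DIRECTORY = FakeDirectory(entries={   # constructed sample data
    "CN=PF Service,OU=Users,OU=My Org,DC=dc,DC=local":
        {"password": "svc-secret", "sAMAccountName": "pf-svc"},
    "CN=John Doe,OU=Users,OU=My Org,DC=dc,DC=local":
        {"password": "john123", "sAMAccountName": "john.doe", "memberOf": [STAFF_GROUP]},
    "CN=Jane Roe,OU=Users,OU=My Org,DC=dc,DC=local":
        {"password": "jane456", "sAMAccountName": "jane.roe", "memberOf": []},
})
# Working source: binddn names an account that exists.
SOURCE = LDAPSource(DIRECTORY, "CN=PF Service,OU=Users,OU=My Org,DC=dc,DC=local",
                    "svc-secret", BASEDN)
# Misconfigured source, as in the thread: binddn is an OU, which cannot bind.
BROKEN_SOURCE = LDAPSource(DIRECTORY, BASEDN, "svc-secret", BASEDN)

if __name__ == "__main__":
    for src, user, pw in [(SOURCE, "john.doe", "john123"), (SOURCE, "john.doe", "123john"),
                          (SOURCE, "jane.roe", "jane456"), (BROKEN_SOURCE, "john.doe", "john123")]:
        print(user, repr(pw), "->", check(src, user, pw, STAFF_GROUP))
```

With this flow a wrong password can never yield (True, ...): the user bind fails and authorization is never consulted. If a deployment still accepts john.doe with 123john, the answer is not coming from this source, which is why turning the logs up to DEBUG to see which source said yes is the next step.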