Pieter,

That was a search and replace error on my part. This is what it actually looks like:

AUTH 05/27/2010 17:43:01 I 2784 2752 0x1b Start UDB_AUTHENTICATE_USER, client 1 (127.0.0.1)
AUTH 05/27/2010 17:43:01 I 1742 2752 0x1c pvAuthenticateUser: authenticate 'tyson' against IPexpert
AUTH 05/27/2010 17:43:01 I 0216 2752 0x1c External DB [DServDll.dll]: Starting PAP AuthUser
AUTH 05/27/2010 17:43:01 I 0458 2752 0x1c External DB [DServDll.dll]: Get Open size=1 (0)
AUTH 05/27/2010 17:43:01 I 1357 2752 0x1c External DB [DServDll.dll]: Try to bind 'tyson' with cached DN 'CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com'
AUTH 05/27/2010 17:43:01 I 2882 2752 0x1c External DB [DServDll.dll]: Launching asynchronous bind for CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com
AUTH 05/27/2010 17:43:01 I 2968 2752 0x1c External DB [DServDll.dll]: Bind operation successful for CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com
AUTH 05/27/2010 17:43:01 I 2464 2752 0x1c External DB [DServDll.dll]: Bind '0'
AUTH 05/27/2010 17:43:01 I 1360 2752 0x1c External DB [DServDll.dll]: Bind 'tyson' with cached DN ended successfully
AUTH 05/27/2010 17:43:01 I 1753 2752 0x1c External DB [DServDll.dll]: Start search operation...
AUTH 05/27/2010 17:43:01 I 1769 2752 0x1c External DB [DServDll.dll]: Search CN=Users,DC=ipexpert,DC=com for groups using: (&(objectclass=Group)(Member=CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com)) result 0
AUTH 05/27/2010 17:43:01 I 1777 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com has 2 groups
AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com group 0: Enterprise Admins
AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com group 1: Domain Admins
AUTH 05/27/2010 17:43:01 I 0190 2752 0x1c External DB [DServDll.dll]: TestLogon OK
AUTH 05/27/2010 17:43:01 I 0395 2752 0x1c External DB [DServDll.dll]: Release size=1 (0)
AUTH 05/27/2010 17:43:01 I 0275 2752 0x1c External DB [DServDll.dll]: External DS User tyson authenticated into ACS Group 2
AUTH 05/27/2010 17:43:01 I 5496 2752 0x1c Done UDB_AUTHENTICATE_USER, client 1, status UDB_OK
AUTH 05/27/2010 17:43:01 I 5861 2752 0x1c Worker 3 processing message 22.
AUTH 05/27/2010 17:43:01 I 2784 2752 0x1c Start UDB_GET_PASS_STATUS, client 1 (127.0.0.1)
AUTH 05/27/2010 17:43:01 I 5496 2752 0x1c Done UDB_GET_PASS_STATUS, client 1, status UDB_OK
AUTH 05/27/2010 17:43:01 I 5861 2752 0x1c Worker 3 processing message 23.
AUTH 05/27/2010 17:43:01 I 2784 2752 0x1c Start UDB_USER_LOCN_CHECK, client 1 (127.0.0.1)

This was something I was trying to do for the racks.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, May 28, 2010 1:48 AM
To: Tyson Scott
Cc: 'OSL Security'
Subject: Re: [OSL | CCIE_Security] LDAP Authentication

Hi Tyson,

Although it looks ok, what I find strange is the LDAP base DN: it's only binding to the .com part of your AD, and that could be the cause of your problem. The bind / search is based on CN=Users,DC=, DC=Com, and if I remember correctly, Microsoft doesn't allow you to have an AD of just com.

I use a tool called LDAP Browser (on my Mac) to bind to AD / LDAP servers and search on them myself.

My feeling is that a search DN like CN=Users,DC=,DC=Com is invalid and that the DN should then be CN=Users,DC=Com

Kind regards
Pieter-Jan

> Hey Guys,
>
> I am stuck on something and can't seem to get it to work. I am testing
> running ACS 4.1 on x64 Windows. I have run into quite a few snags that I
> wasn't expecting but am working to overcome them. My last problem that I
> cannot figure out for the life of me is the Active Directory
> authentication.
> ACS 4.1 is not compatible with Active Directory on an x64 system. So I am
> doing Generic LDAP authentication but for some reason my user when
> authenticating is not being mapped to the correct group. It is being
> authorized to my default group mapping. But looking at the logs of ACS I
> can see the following.
>
> AUTH 05/27/2010 17:42:59 I 1742 2752 0x1b pvAuthenticateUser: authenticate 'tyson' against
> AUTH 05/27/2010 17:42:59 I 5496 2752 0x1b Done UDB_AUTHENTICATE_USER, client 1, status UDB_PASSWORD_REQUIRED
> AUTH 05/27/2010 17:43:01 I 5861 2752 0x1b Worker 3 processing message 21.
> AUTH 05/27/2010 17:43:01 I 2784 2752 0x1b Start UDB_AUTHENTICATE_USER, client 1 (127.0.0.1)
> AUTH 05/27/2010 17:43:01 I 1742 2752 0x1c pvAuthenticateUser: authenticate 'tyson' against
> AUTH 05/27/2010 17:43:01 I 0216 2752 0x1c External DB [DServDll.dll]: Starting PAP AuthUser
> AUTH 05/27/2010 17:43:01 I 0458 2752 0x1c External DB [DServDll.dll]: Get Open size=1 (0)
> AUTH 05/27/2010 17:43:01 I 1357 2752 0x1c External DB [DServDll.dll]: Try to bind 'tyson' with cached DN 'CN=Tyson Scott,CN=Users,DC=,DC=com'
> AUTH 05/27/2010 17:43:01 I 2882 2752 0x1c External DB [DServDll.dll]: Launching asynchronous bind for CN=Tyson Scott,CN=Users,DC=,DC=com
> AUTH 05/27/2010 17:43:01 I 2968 2752 0x1c External DB [DServDll.dll]: Bind operation successful for CN=Tyson Scott,CN=Users,DC=,DC=com
> AUTH 05/27/2010 17:43:01 I 2464 2752 0x1c External DB [DServDll.dll]: Bind '0'
> AUTH 05/27/2010 17:43:01 I 1360 2752 0x1c External DB [DServDll.dll]: Bind 'tyson' with cached DN ended successfully
> AUTH 05/27/2010 17:43:01 I 1753 2752 0x1c External DB [DServDll.dll]: Start search operation...
> AUTH 05/27/2010 17:43:01 I 1769 2752 0x1c External DB [DServDll.dll]: Search CN=Users,DC=,DC=com for groups using: (&(objectclass=Group)(Member=CN=Tyson Scott,CN=Users,DC=,DC=com)) result 0
> AUTH 05/27/2010 17:43:01 I 1777 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com has 2 groups
> AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com group 0: Enterprise Admins
> AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com group 1: Domain Admins
> AUTH 05/27/2010 17:43:01 I 0190 2752 0x1c External DB [DServDll.dll]: TestLogon OK
> AUTH 05/27/2010 17:43:01 I 0395 2752 0x1c External DB [DServDll.dll]: Release size=1 (0)
> AUTH 05/27/2010 17:43:01 I 0275 2752 0x1c External DB [DServDll.dll]: External DS User tyson authenticated into ACS Group 2
> AUTH 05/27/2010 17:43:01 I 5496 2752 0x1c Done UDB_AUTHENTICATE_USER, client 1, status UDB_OK
>
> I can see that the user is successfully authenticated. I can then see
> that it finds the two groups the user belongs to. But the user is not
> being put with the mapping I have for those two groups. Do you guys have
> any thoughts?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
> _______________________________________________
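The ACS AUTH records quoted in this thread can be checked mechanically. The block below is an added example, not code from the thread or from Cisco ACS: it parses records in that format, pulls out the bind DN, the group-search base and filter, the groups the external DB found and the ACS group it mapped the user into, and flags any DN with an empty RDN value such as the DC=,DC=com form Pieter-Jan questioned. The sample lines are constructed from the quoted log; the record layout (AUTH date time level msg-id pid thread-id text) is assumed from the lines shown.

```python
# Added example, not part of the thread: parse Cisco ACS 4.x AUTH records like the
# ones quoted above. SAMPLE_LOG is constructed from the quoted (DC=,DC=com) log.
import re

SAMPLE_LOG = """\
AUTH 05/27/2010 17:43:01 I 1357 2752 0x1c External DB [DServDll.dll]: Try to bind 'tyson' with cached DN 'CN=Tyson Scott,CN=Users,DC=,DC=com'
AUTH 05/27/2010 17:43:01 I 1769 2752 0x1c External DB [DServDll.dll]: Search CN=Users,DC=,DC=com for groups using: (&(objectclass=Group)(Member=CN=Tyson Scott,CN=Users,DC=,DC=com)) result 0
AUTH 05/27/2010 17:43:01 I 1777 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com has 2 groups
AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com group 0: Enterprise Admins
AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com group 1: Domain Admins
AUTH 05/27/2010 17:43:01 I 0275 2752 0x1c External DB [DServDll.dll]: External DS User tyson authenticated into ACS Group 2
"""

# Assumed record layout: AUTH <date> <time> <level> <msg-id> <pid> <thread-id> <text>
LINE_RE = re.compile(r"^AUTH \S+ \S+ \S \d+ \d+ 0x[0-9a-f]+ (.*)$")
BIND_RE = re.compile(r"Try to bind '([^']+)' with cached DN '([^']+)'")
SEARCH_RE = re.compile(r"Search (.+?) for groups using: (\(.*\)) result (\d+)")
GROUP_RE = re.compile(r"group \d+: (.+)$")
MAPPED_RE = re.compile(r"External DS User \S+ authenticated into ACS Group (\d+)")

def empty_rdn_values(dn):
    """Attribute types whose value is empty: ['DC'] for 'CN=Users,DC=,DC=com'.
    A plain split on ',' suffices here; escaped commas in values are not handled."""
    return [rdn.split("=", 1)[0] for rdn in dn.split(",") if rdn.endswith("=")]

def summarise_auth(log_text):
    """One dict per authentication pass: who bound with which DN, what base and
    filter the group search used, the groups found, and the ACS group assigned."""
    s = {"user": None, "bind_dn": None, "search_base": None, "filter": None,
         "search_result": None, "groups": [], "acs_group": None, "bad_dns": {}}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an ACS AUTH record
        text = m.group(1)
        if b := BIND_RE.search(text):
            s["user"], s["bind_dn"] = b.group(1), b.group(2)
        elif q := SEARCH_RE.search(text):
            s["search_base"], s["filter"] = q.group(1), q.group(2)
            s["search_result"] = int(q.group(3))
        elif g := GROUP_RE.search(text):
            s["groups"].append(g.group(1))
        elif a := MAPPED_RE.search(text):
            s["acs_group"] = int(a.group(1))
    # A DN with an empty RDN value is malformed; check the bind DN and search base.
    for dn in (s["bind_dn"], s["search_base"]):
        if dn and (bad := empty_rdn_values(dn)):
            s["bad_dns"][dn] = bad
    return s
```

Comparing `groups` against `acs_group` for a given pass shows at a glance whether the groups ACS found are the ones its group mapping was configured for, which is the mismatch Tyson describes.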
