Pieter-Jan,

Good job man. That was it. I had to put it with a Group with no spaces.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: Pieter-Jan Nefkens [mailto:[email protected]]
Sent: Friday, May 28, 2010 9:48 AM
To: Tyson Scott
Cc: 'OSL Security'
Subject: Re: [OSL | CCIE_Security] LDAP Authentication

Hi Tyson,

No problem. With prepping for my lab coming Tuesday, you tend to get focused on minor details somehow ;-)

Ehm, the obvious question of course is that I can assume, with each test, you remove the dynamic users from the ACS, etc. (I assume that as a yes, but you know, asking extra never hurts) ;-)

Have you tried matching on a group that doesn't have a space in it? Something like vpn_testme as group name and bind that one? The order on ACS is also correct?

PJ

On 28 May 2010, at 15:41, Tyson Scott wrote:

> Pieter,
>
> That was a search and replace error on my part. This is what it actually looks like:
>
> AUTH 05/27/2010 17:43:01 I 2784 2752 0x1b Start UDB_AUTHENTICATE_USER, client 1 (127.0.0.1)
> AUTH 05/27/2010 17:43:01 I 1742 2752 0x1c pvAuthenticateUser: authenticate 'tyson' against IPexpert
> AUTH 05/27/2010 17:43:01 I 0216 2752 0x1c External DB [DServDll.dll]: Starting PAP AuthUser
> AUTH 05/27/2010 17:43:01 I 0458 2752 0x1c External DB [DServDll.dll]: Get Open size=1 (0)
> AUTH 05/27/2010 17:43:01 I 1357 2752 0x1c External DB [DServDll.dll]: Try to bind 'tyson' with cached DN 'CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com'
> AUTH 05/27/2010 17:43:01 I 2882 2752 0x1c External DB [DServDll.dll]: Launching asynchronous bind for CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com
> AUTH 05/27/2010 17:43:01 I 2968 2752 0x1c External DB [DServDll.dll]: Bind operation successful for CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com
> AUTH 05/27/2010 17:43:01 I 2464 2752 0x1c External DB [DServDll.dll]: Bind '0'
> AUTH 05/27/2010 17:43:01 I 1360 2752 0x1c External DB [DServDll.dll]: Bind 'tyson' with cached DN ended successfully
> AUTH 05/27/2010 17:43:01 I 1753 2752 0x1c External DB [DServDll.dll]: Start search operation...
> AUTH 05/27/2010 17:43:01 I 1769 2752 0x1c External DB [DServDll.dll]: Search CN=Users,DC=ipexpert,DC=com for groups using: (&(objectclass=Group)(Member=CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com)) result 0
> AUTH 05/27/2010 17:43:01 I 1777 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com has 2 groups
> AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com group 0: Enterprise Admins
> AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com group 1: Domain Admins
> AUTH 05/27/2010 17:43:01 I 0190 2752 0x1c External DB [DServDll.dll]: TestLogon OK
> AUTH 05/27/2010 17:43:01 I 0395 2752 0x1c External DB [DServDll.dll]: Release size=1 (0)
> AUTH 05/27/2010 17:43:01 I 0275 2752 0x1c External DB [DServDll.dll]: External DS User tyson authenticated into ACS Group 2
> AUTH 05/27/2010 17:43:01 I 5496 2752 0x1c Done UDB_AUTHENTICATE_USER, client 1, status UDB_OK
> AUTH 05/27/2010 17:43:01 I 5861 2752 0x1c Worker 3 processing message 22.
> AUTH 05/27/2010 17:43:01 I 2784 2752 0x1c Start UDB_GET_PASS_STATUS, client 1 (127.0.0.1)
> AUTH 05/27/2010 17:43:01 I 5496 2752 0x1c Done UDB_GET_PASS_STATUS, client 1, status UDB_OK
> AUTH 05/27/2010 17:43:01 I 5861 2752 0x1c Worker 3 processing message 23.
> AUTH 05/27/2010 17:43:01 I 2784 2752 0x1c Start UDB_USER_LOCN_CHECK, client 1 (127.0.0.1)
>
> This was something I was trying to do for the racks.
>
> Regards,
>
> Tyson Scott
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Friday, May 28, 2010 1:48 AM
> To: Tyson Scott
> Cc: 'OSL Security'
> Subject: Re: [OSL | CCIE_Security] LDAP Authentication
>
> Hi Tyson,
>
> Although it looks ok, what I find strange is the LDAP base DN: it's only binding to the .com part of your AD, and that could be the cause of your problem.
>
> The bind / search is based on CN=Users,DC=,DC=Com, and if I remember correctly, Microsoft doesn't allow you to have an AD of just com.
>
> I use a tool called LDAP Browser (on my Mac) to bind to AD / LDAP servers and search on LDAP servers myself.
>
> My feeling is that a search DN like CN=Users,DC=,DC=Com is invalid and that the DN should then be CN=Users,DC=Com
>
> Kind regards
>
> Pieter-Jan
>
>> Hey Guys,
>>
>> I am stuck on something and can't seem to get it to work. I am testing running ACS 4.1 on x64 Windows. I have run into quite a few snags that I wasn't expecting but am working to overcome them. My last problem that I cannot figure out for the life of me is the Active Directory authentication. ACS 4.1 is not compatible with Active Directory on an x64 system. So I am doing Generic LDAP authentication, but for some reason my user, when authenticating, is not being mapped to the correct group. It is being authorized to my default group mapping. But looking at the logs of ACS I can see the following.
>>
>> AUTH 05/27/2010 17:42:59 I 1742 2752 0x1b pvAuthenticateUser: authenticate 'tyson' against
>> AUTH 05/27/2010 17:42:59 I 5496 2752 0x1b Done UDB_AUTHENTICATE_USER, client 1, status UDB_PASSWORD_REQUIRED
>> AUTH 05/27/2010 17:43:01 I 5861 2752 0x1b Worker 3 processing message 21.
>> AUTH 05/27/2010 17:43:01 I 2784 2752 0x1b Start UDB_AUTHENTICATE_USER, client 1 (127.0.0.1)
>> AUTH 05/27/2010 17:43:01 I 1742 2752 0x1c pvAuthenticateUser: authenticate 'tyson' against
>> AUTH 05/27/2010 17:43:01 I 0216 2752 0x1c External DB [DServDll.dll]: Starting PAP AuthUser
>> AUTH 05/27/2010 17:43:01 I 0458 2752 0x1c External DB [DServDll.dll]: Get Open size=1 (0)
>> AUTH 05/27/2010 17:43:01 I 1357 2752 0x1c External DB [DServDll.dll]: Try to bind 'tyson' with cached DN 'CN=Tyson Scott,CN=Users,DC=,DC=com'
>> AUTH 05/27/2010 17:43:01 I 2882 2752 0x1c External DB [DServDll.dll]: Launching asynchronous bind for CN=Tyson Scott,CN=Users,DC=,DC=com
>> AUTH 05/27/2010 17:43:01 I 2968 2752 0x1c External DB [DServDll.dll]: Bind operation successful for CN=Tyson Scott,CN=Users,DC=,DC=com
>> AUTH 05/27/2010 17:43:01 I 2464 2752 0x1c External DB [DServDll.dll]: Bind '0'
>> AUTH 05/27/2010 17:43:01 I 1360 2752 0x1c External DB [DServDll.dll]: Bind 'tyson' with cached DN ended successfully
>> AUTH 05/27/2010 17:43:01 I 1753 2752 0x1c External DB [DServDll.dll]: Start search operation...
>> AUTH 05/27/2010 17:43:01 I 1769 2752 0x1c External DB [DServDll.dll]: Search CN=Users,DC=,DC=com for groups using: (&(objectclass=Group)(Member=CN=Tyson Scott,CN=Users,DC=,DC=com)) result 0
>> AUTH 05/27/2010 17:43:01 I 1777 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com has 2 groups
>> AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com group 0: Enterprise Admins
>> AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=,DC=com group 1: Domain Admins
>> AUTH 05/27/2010 17:43:01 I 0190 2752 0x1c External DB [DServDll.dll]: TestLogon OK
>> AUTH 05/27/2010 17:43:01 I 0395 2752 0x1c External DB [DServDll.dll]: Release size=1 (0)
>> AUTH 05/27/2010 17:43:01 I 0275 2752 0x1c External DB [DServDll.dll]: External DS User tyson authenticated into ACS Group 2
>> AUTH 05/27/2010 17:43:01 I 5496 2752 0x1c Done UDB_AUTHENTICATE_USER, client 1, status UDB_OK
>>
>> I can see that the user is successfully authenticated. I can then see that it finds the two groups the user belongs to. But the user is not being put with the mapping I have for those two groups. Do you guys have any thoughts?
>>
>> Regards,
>>
>> Tyson Scott
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
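As an added example that is not part of the thread, the check below parses the ACS 4.1 AUTH lines Tyson posted, pulls out the DN the user was bound as, the LDAP groups the search returned and the ACS group the user ended up in, and reports the two things the thread turned on: a user falling into the default ACS group although one of their LDAP groups is in the mapping table, and a mapped group whose name contains a space (the fix Tyson confirmed). The mapping table and default group number are assumed configuration, not values from the thread.

```python
import re

# ACS 4.1 AUTH log lines as posted in the thread (generic LDAP external DB), trimmed to the
# entries the check needs; the DNs are the corrected ones Tyson posted (DC=ipexpert,DC=com).
SAMPLE_LOG = """\
AUTH 05/27/2010 17:43:01 I 1357 2752 0x1c External DB [DServDll.dll]: Try to bind 'tyson' with cached DN 'CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com'
AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com group 0: Enterprise Admins
AUTH 05/27/2010 17:43:01 I 1819 2752 0x1c External DB [DServDll.dll]: User CN=Tyson Scott,CN=Users,DC=ipexpert,DC=com group 1: Domain Admins
AUTH 05/27/2010 17:43:01 I 0275 2752 0x1c External DB [DServDll.dll]: External DS User tyson authenticated into ACS Group 2
"""
BIND_RE = re.compile(r"Try to bind '(?P<user>[^']+)' with cached DN '(?P<dn>[^']+)'")
GROUP_RE = re.compile(r"User (?P<dn>\S.*?) group \d+: (?P<group>.+?)\s*$")
ACS_RE = re.compile(r"External DS User (?P<user>\S+) authenticated into ACS Group (?P<acs>\d+)")

def parse_auth_log(text):
    """Per username: the DN ACS bound as, the LDAP groups the search returned, the ACS group assigned."""
    users, dn_to_user = {}, {}
    for line in text.splitlines():
        if m := BIND_RE.search(line):
            users[m["user"]] = {"dn": m["dn"], "groups": [], "acs_group": None}
            dn_to_user[m["dn"]] = m["user"]          # group lines carry the DN, not the username
        elif m := GROUP_RE.search(line):
            user = dn_to_user.get(m["dn"])
            if user is not None:
                users[user]["groups"].append(m["group"])
        elif (m := ACS_RE.search(line)) and m["user"] in users:
            users[m["user"]]["acs_group"] = int(m["acs"])
    return users

def check_mapping(users, mapping, default_group):
    """mapping: LDAP group name -> ACS group number, as configured in the ACS group-mapping table
    (assumed config, not taken from the thread). Returns (user, finding) tuples to look at first."""
    findings = []
    for user, info in users.items():
        # An empty RDN value such as 'DC=' means the configured base DN is malformed (Pieter-Jan's point).
        for rdn in info["dn"].split(","):
            if rdn.endswith("="):
                findings.append((user, f"empty RDN value '{rdn}' in {info['dn']}"))
        mapped = [g for g in info["groups"] if g in mapping]
        if mapped and info["acs_group"] == default_group:
            findings.append((user, f"fell to default ACS group {default_group} although {mapped} are mapped"))
            # The thread's resolution: the mapping worked once a group name without spaces was used.
            for g in mapped:
                if " " in g:
                    findings.append((user, f"mapped group '{g}' contains a space; try a space-free group"))
    return findings

if __name__ == "__main__":
    for finding in check_mapping(parse_auth_log(SAMPLE_LOG), {"Domain Admins": 1}, 2):
        print(*finding, sep=": ")
```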
