Send netdisco-users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/netdisco-users
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of netdisco-users digest..."
Today's Topics:

   1. Re: LDAPS authentication possible? (Christopher Doolan)
--- Begin Message ---
Hi Bastian, thank you so much for your help.

Regards
Chris

From: Basti S. <[email protected]>
Sent: Tuesday, 28 June 2022 4:46 PM
To: Christopher Doolan <[email protected]>
Cc: Oliver Gorwits <[email protected]>; [email protected]
Subject: Re: [Netdisco] LDAPS authentication possible?


Hello Chris,

I was the one who asked for LDAPS ;-) And we got it working; this is our config:

ldap:
  servers:
    - 'DOMAINCONTROLLER'
  user_string: 'DOMAIN\%USER%'
  opts:
    debug: 0
  tls_opts:
    start_tls:
      verify: 'require'
      sslversion: 'tlsv1_2'

Just ensure that your Linux box where Netdisco is running trusts the 
certificate of the domain controller (so install the needed root certificates 
of your domain).

It is running without any problems on several installations.

Regards,
Bastian


On Tue, 28 Jun 2022 at 07:52, Christopher Doolan <[email protected]> wrote:

Hi Oliver, I am looking at how to move Netdisco over to LDAPS and in doing so I 
came across the previous e-mail discussions, as shown in the thread below.

Regrettably, my knowledge for such things is more of a just-in-time type of 
knowledge, because I know I will not touch something like LDAP authentication 
until the next AD upgrade.

By that time my documentation is usually out of date and I am back to square 
one.

So currently, my LDAP configuration in deployment.yml looks something like this 
and for the time being it is working.

ldap:
  servers: [1.1.1.1, 2.2.2.2, 3.3.3.3]
  user_string: 'DOMAIN\%USER%'

I see in the https://github.com/netdisco/netdisco/wiki/Configuration#ldap the 
following option:

tls_opts

A hash which, when defined, causes the connection to use Transport Layer 
Security (TLS) which provides an encrypted connection. TLS is the preferred 
method of encryption, ldaps (port 636) is not supported.

This is only possible if using LDAPv3 and the server supports it. These are the 
options for the TLS connection. See the 
Net::LDAP <https://metacpan.org/pod/Net::LDAP> documentation under start_tls for 
options, but the defaults should work in most cases.

Does this mean I add the following to my deployment.yml (I know it can't be 
that easy)?

ldap:
  servers: [1.1.1.1, 2.2.2.2, 3.3.3.3]
  user_string: 'DOMAIN\%USER%'
  tls_opts: #

When it comes to implementing the other option, as shown in Net::LDAP, my 
problem right off is that I have no idea where I make, modify or add these 
changes.

Any help would be appreciated.

Regards
Chris

-----Original Message-----
From: Christian Ramseyer <[email protected]>
Sent: Tuesday, 16 November 2021 10:42 PM
To: Oliver Gorwits <[email protected]>; Basti S. <[email protected]>
Cc: [email protected]
Subject: Re: [Netdisco] LDAPS authentication possible / How to discover all?

Yet https://metacpan.org/pod/Net::LDAP has an ldaps URL as the second example. 
Maybe it used not to support it but does now?

Cheers
Christian

On 16.11.21 12:24, Oliver Gorwits wrote:

> Hi Bastian
>
> To clarify:
>
>   * Netdisco _does_ support secure LDAP using TLS, using the
>     official StartTLS extension (see the docs...).
>   * Netdisco (and Net::LDAP) does not support the non-standard LDAPS
>
> I googled and found this explanation of the two approaches:
> https://kb.sos-berlin.com/pages/viewpage.action?pageId=18778435
>
> This is very similar to SMTP where the standard model is also using
> StartTLS over the standard SMTP ports. SMTPS is an old and outdated model.
>
> I expect that whatever software you use for LDAP should support StartTLS.
>
> regards
> Oliver.
>
> On Tue, 16 Nov 2021 at 10:44, Basti S. <[email protected]> wrote:
>
>     It would be very nice if somebody patched this and made LDAPS
>     possible. :-)
>     In the meantime I would say LDAPS is state of the art and normal
>     LDAP should no longer be used.
>
>     Thanks for the help with the discovery. I will use the loop with a
>     text file, good idea!
>
>     Regards
>     Bastian
>
>
>     On Fri, 12 Nov 2021 at 13:35, Christian Ramseyer <[email protected]> wrote:
>
>         Hi Bastian
>
>         On 12.11.21 09:26, Basti S. wrote:
>          > Hello,
>          >
>          > In the past we used the LDAP authentication for netdisco, a
>          > very nice thing.
>          > But as far as I know LDAPS is not possible - is there a way
>          > to make it possible?
>
>         Yes, it's unsupported according to the doc:
>         <https://github.com/netdisco/netdisco/wiki/Configuration#ldap>.
>         I never looked into it too closely but Net::LDAP does ldaps just fine, so I
>         imagine it couldn't be too hard to patch in. Most likely nobody wanted
>         it bad enough to submit a Patch/PR.
>
>          > Second question: Should Netdisco find all other connected
>          > switches if I just do the discovery for the back bone switch? Or how can I
>          > achieve that without doing it for every single switch?
>
>         Theoretically Netdisco should find your whole network from a single
>         switch, but in practice that's not always working. If you have
>         chunks of the network missing you can manually discover some IPs in these
>         chunks.
>
>         Alternatively you can also discover whole IP ranges, e.g.
>
>         netdisco-do discover --enqueue -d 192.168.7.0/24
>
>         or discover a list of ip addresses from your inventory with:
>
>         for ip in $(< mylist.txt) ; do netdisco-do discover --enqueue -d $ip ; done
>
>
>         Cheers
>         Christian
>
>         --
>         Christian Ramseyer, netnea ag
>         Network Management. Security. OpenSource.
>         Phone: +41 79 644 77 64
>
>     _______________________________________________
>     Netdisco mailing list
>     [email protected]
>     https://sourceforge.net/p/netdisco/mailman/netdisco-users/
>


--
Christian Ramseyer, netnea ag
Network Management. Security. OpenSource.
https://www.netnea.com
Phone: +41 79 644 77 64


_______________________________________________
Netdisco mailing list
[email protected]
https://sourceforge.net/p/netdisco/mailman/netdisco-users/
__________________________________________________________________
This email (including any attached files) is confidential and is
for the intended recipient(s) only. If you received this email by
mistake, please, as a courtesy, tell the sender, then delete this
email.
The views and opinions are the originator's and do not necessarily
reflect those of the University of Southern Queensland. Although
all reasonable precautions were taken to ensure that this email
contained no viruses at the time it was sent we accept no
liability for any losses arising from its receipt.
The University of Southern Queensland is a registered provider
of education with the Australian Government.
(CRICOS Institution Code QLD 00244B / NSW 02225M, TEQSA PRV12081)
__________________________________________________________________

--- End Message ---
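Bastian's working config depends on two things the thread only states in passing: the domain controller must accept the LDAPv3 StartTLS extended operation on port 389, and its certificate must chain to a root the Netdisco host trusts (what tls_opts: start_tls: verify: 'require' asks of Net::LDAP). As an added example, not Netdisco's or Net::LDAP's own code, the Python below performs that StartTLS handshake by hand so an administrator can confirm both points before touching deployment.yml; the host name and port passed to check_starttls, and the response bytes used in testing, are constructed assumptions.

```python
# Added example (not Netdisco's or Net::LDAP's code): StartTLS pre-flight check.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def _tlv(tag: int, value: bytes) -> bytes:
    # BER tag/length/value; long-form length when the value exceeds 127 bytes
    n = len(value)
    if n >= 0x80:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(nb)]) + nb + value
    return bytes([tag, n]) + value

def _read_tlv(buf: bytes, pos: int = 0):
    # Decode one TLV at pos -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_starttls_request(message_id: int = 1) -> bytes:
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)  # ids 1..127

def parse_starttls_response(buf: bytes):
    # ExtendedResponse [APPLICATION 24] -> (resultCode, diagnosticMessage)
    tag, body, _ = _read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body)            # skip messageID
    tag, result, _ = _read_tlv(body, pos)
    if tag != 0x78:                        # 0x78 = APPLICATION 24, constructed
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(result)       # ENUMERATED resultCode (0 = success)
    _, _, pos = _read_tlv(result, pos)     # matchedDN
    _, diag, _ = _read_tlv(result, pos)    # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def check_starttls(host: str, port: int = 389) -> str:
    # Request StartTLS, then verify the DC certificate as verify: 'require' would.
    ctx = ssl.create_default_context()             # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # matches sslversion: 'tlsv1_2'
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_starttls_response(sock.recv(4096))
        if code != 0:
            return f"StartTLS refused: resultCode={code} {diag!r}"
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return f"StartTLS ok: {tls.version()} {tls.getpeercert()['subject']}"
```

Run check_starttls('DOMAINCONTROLLER') from the Netdisco host itself: a CERTIFICATE_VERIFY_FAILED exception there means the root certificates Bastian mentions are not yet installed, and a non-zero resultCode means the DC is not offering StartTLS.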
_______________________________________________
Netdisco mailing list - Digest Mode
[email protected]
https://lists.sourceforge.net/lists/listinfo/netdisco-users
