To allow non-TLS connectivity:

allow-plaintext=false

Needless to say it is horribly insecure... but useful for troubleshooting.

-G

> That's what I'm checking right now.
>
> Is there a way to deactivate starttls/ldaps on the openvas?
>
> Thanks.
>
> ------------------------------------------------------------------------
> Cristian Iconaru
>
> just network services GmbH
> klausenburger str. 9
> 81677 münchen
> phone +49 89 16785623
> fax +49 89 167856-75
> www.junese.de
>
> there's no such thing as "can't"!
> ------------------------------------------------------------------------
> Register court: München HRB 12 41 39, tax number 829/29256, VAT ID
> DE199333706, managing directors: Oliver Prebeck, Martin Baumgartner
>
> The information contained in this email is intended solely for the
> addressee. Access to this email by anyone else is unauthorized. If you are
> not the intended recipient, any form of disclosure, reproduction,
> distribution or any action taken or refrained from in reliance on it, is
> prohibited and may be unlawful. Please notify the sender immediately.
>
> -----Original Message-----
> From: Geoff Galitz [mailto:[email protected]]
> Sent: Monday, 3 March 2014 16:27
> To: Cristian Iconaru
> Cc: [email protected]; Stefan Schwarz; [email protected]
> Subject: Re: AW: AW: [Openvas-discuss] OpenVAS 6 LDAP/ADS Authentication Error
>
> Is TLS enabled and available? What command are you using for the
> ldapsearch?
>
> -G
>
>> It seems right, but now I got different errors:
>>
>> lib auth: DEBUG:2014-03-03 15h13.26 utc:2583: Authentication trial, order 1, method file -> 1. (w/method)
>> lib ldap:WARNING:2014-03-03 15h13.26 utc:2583: StartTLS failed, trying to establish ldaps connection.
>> lib ldap:WARNING:2014-03-03 15h13.26 utc:2583: LDAP authentication failure: Can't contact LDAP server
>> lib auth: DEBUG:2014-03-03 15h13.26 utc:2583: Authentication trial, order 3, method ldap -> -1. (w/method)
>> event auth:MESSAGE:2014-03-03 15h13.26 utc:2583: Authentication error for user User
>> md main: DEBUG:2014-03-03 15h13.26 utc:2583: -> client: <authenticate_response status="500" status_text="Internal error"/>
>>
>> Can't contact LDAP server - that's strange, because if I do an
>> ldapsearch I can list the DN..
>> Any ideas?
>>
>> Thanks.
>>
>> -----Original Message-----
>> From: Geoff Galitz [mailto:[email protected]]
>> Sent: Monday, 3 March 2014 16:07
>> To: Cristian Iconaru
>> Cc: [email protected]; Stefan Schwarz; [email protected]
>> Subject: Re: AW: [Openvas-discuss] OpenVAS 6 LDAP/ADS Authentication Error
>>
>> Well.. for comparison here is what I have (sanitized of course):
>>
>> -----------------------
>>
>> [root@ openvas]# rpm -qa | grep openvas-mana
>> openvas-manager-4.0.0-9.el6.art.x86_64
>>
>> [[email protected] users]# pwd
>> /var/lib/openvas/users
>> [[email protected] users]# more .auth.conf
>>
>> # Remote Authentication and authorization against an LDAP Directory, needs
>> # libraries to be compiled with ldap support
>> # (pass -DBUILD_WITH_LDAP=ON to cmake).
>> [method:ldap]
>> order=2
>> enable=true
>> # Might contain port like in "host.domain:123"
>> ldaphost=ldap.xxx.net
>> authdn=uid=%s,ou=people,dc=xxx,dc=net
>> # Leave empty if authentication alone is enough to qualify as user
>> role-attribute=uid
>> role-user-values=user;admin;ggalitz;john
>> role-admin-values=admin;ggalitz;john
>> rule-attribute=x-gsm-accessrule
>> ruletype-attribute=x-gsm-accessruletype
>> # If your ldapd does not speak StartTLS you could allow plaintext password
>> # transfer (you should never do this).
>> allow-plaintext=false
>>
>>> Thanks, but that has nothing to do with it... I still get the error.
>>> Do you have any ideas?
>>>
>>> -----Original Message-----
>>> From: Geoff Galitz [mailto:[email protected]]
>>> Sent: Monday, 3 March 2014 15:56
>>> To: Cristian Iconaru
>>> Cc: Stefan Schwarz; [email protected]
>>> Subject: Re: [Openvas-discuss] OpenVAS 6 LDAP/ADS Authentication Error
>>>
>>> Did you notice the typo "highlighted below":
>>>
>>> ---------------------------
>>> auth.conf is in /usr/local/var/lib/openvas/users
>>>
>>> [method:file]
>>> order=1
>>> enabled=true
>>>
>>> ...the other methods are disabled till
>>>
>>> [method:ads]
>>> order=3
>>> enable=true
>>> # Might contain port like "host.domain:123"
>>> ldaphost=192.168.10.1
>>> authdn=%s@domain
>>> domain=domain.de
>>> role-attribute=memberof
>>> role-user-values=CN=user,OU=..,OU=..,OU=..,DC=domina,DC=de   <--------------------
>>> role-admin-values=CN=admin,OU=..,OU=..,OU=..,DC=domain,DC=de
>>> rule-attribute=rules
>>>
>>> ----------------------------
>>>
>>>> Hi Stefan,
>>>>
>>>> auth.conf is in /usr/local/var/lib/openvas/users
>>>>
>>>> [method:file]
>>>> order=1
>>>> enabled=true
>>>>
>>>> ...the other methods are disabled till
>>>>
>>>> [method:ads]
>>>> order=3
>>>> enable=true
>>>> # Might contain port like "host.domain:123"
>>>> ldaphost=192.168.10.1
>>>> authdn=%s@domain
>>>> domain=domain.de
>>>> role-attribute=memberof
>>>> role-user-values=CN=user,OU=..,OU=..,OU=..,DC=domina,DC=de
>>>> role-admin-values=CN=admin,OU=..,OU=..,OU=..,DC=domain,DC=de
>>>> rule-attribute=rules
>>>> ruletype-attribute=ruletype
>>>>
>>>> What would be the right values for the role attributes?
>>>>
>>>> Thanks.
>>>> Regards
>>>>
>>>> -----Original Message-----
>>>> From: Openvas-discuss [mailto:[email protected]] On behalf of Stefan Schwarz
>>>> Sent: Monday, 3 March 2014 14:14
>>>> To: [email protected]
>>>> Subject: Re: [Openvas-discuss] OpenVAS 6 LDAP/ADS Authentication Error
>>>>
>>>> Hi,
>>>>
>>>> what's the content of your auth.conf and where is it located?
>>>>
>>>> Stefan
>>>>
>>>> On 03.03.2014 14:09, Cristian Iconaru wrote:
>>>>> Hi all,
>>>>>
>>>>> I've configured OpenVAS to authenticate to an LDAP/ADS Server but
>>>>> I've got this error in the logs.
>>>>>
>>>>> event auth:MESSAGE:2014-03-03 12h55.28 utc:1872: Authentication error for user User
>>>>> md main: DEBUG:2014-03-03 12h55.28 utc:1872: -> client: <authenticate_response status="500" status_text="Internal error"/>
>>>>>
>>>>> Does anyone know what that means? Internal error is a bit
>>>>> ambiguous... I use OpenVAS 6 and both methods ldap/ads throw this
>>>>> error.
>>>>> Has anyone had a working config for LDAP/ADS?
>>>>>
>>>>> Thanks.
>>>>> Best regards
>>>>>
>>>>> Cristian Iconaru
>>>> []
>>>>
>>>> _______________________________________________
>>>> Openvas-discuss mailing list
>>>> [email protected]
>>>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
>>>
>>> ------------------------------
>>> Geoff Galitz
>>> http://www.galitz.org
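As an added example (not code from this thread or from OpenVAS), a small Python linter for the `.auth.conf` format quoted above that flags the three things the thread turns on: mixed `enable`/`enabled` key spellings across method sections, role DNs whose DC components disagree with the `domain=` setting (the `DC=domina` typo Geoff highlighted), and `allow-plaintext=true`. The sample config is constructed, and the domain-consistency check is a heuristic of mine, not a rule OpenVAS itself applies.

```python
"""Lint an OpenVAS 6 .auth.conf for the mistakes discussed in this thread:
mixed enable/enabled keys, role DNs that disagree with domain=, plaintext."""
import configparser
from typing import List

# Constructed sample modelled on the [method:ads] section posted in the thread.
SAMPLE_CONF = """\
[method:file]
enabled=true

[method:ads]
enable=true
authdn=%s@domain
domain=domain.de
role-attribute=memberof
role-user-values=CN=user,OU=a,OU=b,DC=domina,DC=de
role-admin-values=CN=admin,OU=a,OU=b,DC=domain,DC=de
allow-plaintext=true
"""


def dn_domain(dn: str) -> str:
    """Join the DC= components of a DN into a dotted domain name ('' if none)."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC="))


def lint_auth_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)  # keep the %s in authdn
    cp.read_string(text)
    findings, spellings = [], set()
    for name in cp.sections():
        if not name.startswith("method:"):
            continue
        sec = cp[name]
        spellings.update(k for k in ("enable", "enabled") if k in sec)
        if sec.get("allow-plaintext", "false").lower() == "true":
            findings.append(f"{name}: allow-plaintext=true sends bind passwords in clear text")
        dns = [dn for key in ("role-user-values", "role-admin-values")
               for dn in sec.get(key, "").split(";") if dn]
        domains = {dn_domain(dn).lower() for dn in dns if dn_domain(dn)}
        expected = sec.get("domain", "").lower()
        bad = sorted(d for d in domains if expected and d != expected)
        if bad:
            findings.append(f"{name}: role DN domain(s) {bad} do not match domain={expected}")
    if len(spellings) > 1:
        findings.append("mixed 'enable'/'enabled' keys across method sections; pick one spelling")
    return findings
```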
