I updated to PF 2.2.1 last night, everything is working great with the
exception that the PF admin WebUI login is requiring a valid username
from the context I have specified in admin_ldap.conf, but ignoring the
password entered, and a password does not even need to be entered. A
tcpdump on the PF server confirms that PF is checking the username
against the LDAP server.
In checking the documentation, I have no user.conf anywhere. I also
noticed in the PF 2.2.1 source distro that there is a ui.conf that I
don't have in my RPM-updated 2.2.1 install (although I don't know that
that file plays any role in the WebUI setup/authentication).
Upon further testing, I noticed the following when authenticating to the
admin webui:
1) The username must be in the LDAP source specified in the
admin_ldap.conf
2) The username does not also need to be specified in admin.perm
3) None of the usernames in the LDAP source exist in the admin.conf
file
4) The username used works with and without the use of a password
Because of items 3 and 4 above, it seems that some functionality in
login.php is not working properly... I noticed that there is a function
that is supposed to check for null passwords, which does not seem to be
working. The function for validating the username against a local flat
file when no result comes from LDAP seems to not be working correctly.
AD/LDAP does not permit anonymous binds, yet somehow LDAP is being used
to some degree as revealed by tcpdump captures.
I think the problem is something I am doing stupid...but not sure. Here
is some additional debugging information:
Contents of admin_ldap.conf:
<?php
// Active Directory connection settings used by the admin WebUI login
$ldap_host = "10.10.0.26";
$ldap_bind_dn = "[email protected]";          // service account used to search for users
$ldap_bind_pwd = "redacted";
$ldap_user_base = "OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv";  // search base for admin users
$ldap_user_key = "sAMAccountName";                 // attribute matched against the login name
// Template values shipped with the distro, left commented out for reference
//$ldap_host = "1.2.3.4";
//$ldap_bind_dn = "CN=packetfence,CN=Users,DC=example,DC=com";
//$ldap_bind_pwd = "password";
//$ldap_user_base = "OU=Techs,OU=Board Office,DC=example,DC=com";
//$ldap_user_key = "uid";
//$ldap_group_member_key = "memberOf";
//$ldap_group_dn = "CN=PFAdmin,OU=Board Office,DC=example,DC=com";
?>
Both of the ldapsearch commands return data, just in different formats,
etc.:
ldapsearch -x -LLL -E pr=200/noprompt -h 10.10.0.26 -D
"[email protected]" -w redacted -b "OU=IS,OU=Users,OU=American
OUs,dc=ds,dc=atv" -s sub "(cn=*)" cn mail sn
ldapsearch -x -LLL -E pr=200/noprompt -h 10.10.0.26 -D
"[email protected]" -w redacted -b "OU=IS,OU=Users,OU=American
OUs,dc=ds,dc=atv" -s one
Let me know what other debug information is needed to resolve this issue.
Nick
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
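Added example, not PacketFence's login.php: a credential check that refuses an empty password before any bind, because an LDAP simple bind with a DN and an empty password is an "unauthenticated bind" that many directories, Active Directory included, answer with success; it then locates the user with the service account and proves the password by binding as the user's own DN. Variable names follow admin_ldap.conf; the host, DN and password values are placeholders.

```php
<?php
// Added example, not PacketFence's login.php. Variable names follow
// admin_ldap.conf; the host, DN and password values are placeholders.
$ldap_host      = "ldap.example.com";
$ldap_bind_dn   = "CN=packetfence,CN=Users,DC=example,DC=com";
$ldap_bind_pwd  = "service-account-password";
$ldap_user_base = "OU=Techs,OU=Board Office,DC=example,DC=com";
$ldap_user_key  = "sAMAccountName";

function admin_ldap_auth(string $user, string $pwd): bool
{
    global $ldap_host, $ldap_bind_dn, $ldap_bind_pwd, $ldap_user_base, $ldap_user_key;

    // A simple bind with a DN and an empty password is an "unauthenticated
    // bind" (RFC 4513 section 5.1.2) that many directories answer with
    // success, so the empty-password check must come before any bind.
    if ($user === '' || $pwd === '') {
        return false;
    }

    $conn = ldap_connect("ldap://$ldap_host");
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind with the service account only to locate the user's entry.
    if (!@ldap_bind($conn, $ldap_bind_dn, $ldap_bind_pwd)) {
        ldap_unbind($conn);
        return false;
    }
    // Escape the username so it cannot change the meaning of the filter.
    $filter  = sprintf('(%s=%s)', $ldap_user_key, ldap_escape($user, '', LDAP_ESCAPE_FILTER));
    $result  = @ldap_search($conn, $ldap_user_base, $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false; // unknown or ambiguous user: never fall through to "allowed"
    }
    $user_dn = $entries[0]['dn'];

    // Prove the password by binding as the user's own DN.
    $ok = @ldap_bind($conn, $user_dn, $pwd);
    ldap_unbind($conn);
    return $ok;
}
```

Calling admin_ldap_auth('nick', '') returns false without contacting the directory, which is the behaviour to verify first when a login form appears to accept any password.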