Hello Fabrice,
Thank you for your response.
I have taken captures; however, what I found while experimenting last night
(though I haven't completed testing) is that a sensible change in my
configuration seems to have solved my problem.
I had several AD sources with a couple of rules each, all with the same LDAP
parameters (especially the usernameattribute) except the group name being
matched on. I changed to a single AD source per usernameattribute, with several
rules. So I now have two AD sources – one for user auth and one for machine
auth – and this is working better. I haven't confirmed it's working perfectly yet.
Regarding the LDAP capture:
I'm not a master LDAP packet capture interpreter, but what I see is the rules
in the initial source being searched more than once, rather than moving on to
the next source. The filters look correct, but again, I know enough about LDAP
searching to know things are not always obvious. I'm happy to provide you the
pcap, but since I can't sanitize it, I would rather not post it to a public forum.
A copy of a filter line via Wireshark:
"Filter: (&(sAMAccountName=pf.testtwo)(memberOf=cn=Logon_PhotoID,ou=Groups,ou=Printer,dc=themastersschool,dc=com))"
The cn is correct.
Tim
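The filter line above is built from the authenticating user's name and a group DN taken from the source's rule. As an added example (not PacketFence's own code, and not the author's), the Python below renders that filter shape with RFC 4515 escaping of the interpolated values, evaluates the same predicate locally against constructed directory entries, and walks an ordered list of sources and rules to show the "one source per usernameattribute, several rules" layout described in the reply. The source/rule walk is a simplified first-match model, an assumption made for illustration rather than PacketFence's actual algorithm; the group DNs, entries and source names are constructed sample data.

```python
"""Added example (not PacketFence's own code): build and evaluate the
LDAP group-membership filter shape shown in the thread.

Assumptions (not from the page): directory entries are modelled as dicts of
attribute -> list of values, and first_matching_role() is a simplified
first-match model, not PacketFence's real source/rule evaluation.
"""

# RFC 4515 escaping for values interpolated into a search filter. The
# username comes from the authenticating client, so it must be escaped
# before it is placed inside the filter string.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(username_attr: str, username: str, group_dn: str) -> str:
    """Render the same (&(attr=user)(memberOf=group)) filter the capture shows."""
    return (
        f"(&({username_attr}={ldap_escape(username)})"
        f"(memberOf={ldap_escape(group_dn)}))"
    )


def _norm_dn(dn: str) -> str:
    # AD compares DNs case-insensitively; strip spaces around RDN separators.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def entry_matches(entry: dict, username_attr: str, username: str, group_dn: str) -> bool:
    """Evaluate the filter's predicate locally against one directory entry."""
    attrs = {k.lower(): v for k, v in entry.items()}
    names = [v.lower() for v in attrs.get(username_attr.lower(), [])]
    if username.lower() not in names:
        return False
    # memberOf is multi-valued. Note that AD does not list a user's primary
    # group in memberOf, a frequent cause of an unexpected non-match.
    groups = {_norm_dn(g) for g in attrs.get("memberof", [])}
    return _norm_dn(group_dn) in groups


def first_matching_role(sources, entry: dict, username: str):
    """Simplified model (assumption): walk sources in order and each source's
    rules in order; return (source_name, role) for the first matching rule,
    or None when no rule in any source matches."""
    for source in sources:
        for group_dn, role in source["rules"]:
            if entry_matches(entry, source["usernameattribute"], username, group_dn):
                return source["name"], role
    return None


# Constructed sample data: one source per usernameattribute, several rules each.
BASE = "ou=Groups,ou=Printer,dc=example,dc=com"
SOURCES = [
    {"name": "AD-users", "usernameattribute": "sAMAccountName",
     "rules": [(f"cn=Logon_PhotoID,{BASE}", "photoid"),
               (f"cn=Staff,{BASE}", "staff")]},
    {"name": "AD-machines", "usernameattribute": "servicePrincipalName",
     "rules": [(f"cn=Domain Computers,{BASE}", "machine")]},
]
ENTRIES = {
    "pf.testtwo": {"sAMAccountName": ["pf.testtwo"],
                   "memberOf": [f"CN=Staff,{BASE}"]},
    "host01": {"sAMAccountName": ["host01$"],
               "servicePrincipalName": ["host/host01.example.com"],
               "memberOf": [f"CN=Domain Computers,{BASE}"]},
}

if __name__ == "__main__":
    print(membership_filter("sAMAccountName", "pf.testtwo", f"cn=Logon_PhotoID,{BASE}"))
    print(first_matching_role(SOURCES, ENTRIES["pf.testtwo"], "pf.testtwo"))
    print(first_matching_role(SOURCES, ENTRIES["host01"], "host/host01.example.com"))
```

Running the module prints the rendered filter and the (source, role) pair each sample entry resolves to; a user that is only in the second rule's group still resolves within the first source, which is the layout the reply settled on.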
From: Fabrice DURAND <[email protected]>
Reply-To: <[email protected]>
Date: Fri, 17 Jan 2014 08:08:37 -0500
To: <[email protected]>
Subject: Re: [PacketFence-users] PF 4.1 registration allows only one authentication source?
Hello Tim,
We redefined the way group membership is matched in the LDAP/AD style sources.
So can you capture the LDAP traffic and check if the LDAP search is correct?
Regards
Fabrice
On 2014-01-16 14:27, Palmer, Tim wrote:
Good day all,
PF 4.1, upgraded from 4.0.6
CentOS 6.5
This is a refinement of my less than specific email from this morning – my
problem involves registration and multiple AD sources.
I have several AD sources defined, all matching on 'memberof' filters with no
nested groups. When a client connects, the login works as expected: RADIUS
reports "Login OK", access is not immediately denied, the correct role is
assigned, the device is flipped to the correct VLAN, and all is well.
If the device is not registered and the user registering is matched by the
first source in the list (whether assigned to a profile or not), all is well.
If the user would match a source after the first, it does not match; the user
is shown the error.html page with "Sorry You have reached maximum number of
devices…", and the logs show:
Jan 16 13:30:45 register.cgi(0) WARN: No role specified or found for pid
pf.testtwo (MAC xx:xx:xx:xx:xx:xx); assume maximum number of registered nodes
is reached (pf::node::is_max_reg_nodes_reached)
I've changed the order of a couple of authentication sources and the situation
remains the same – the first source is allowed to register, no others are.
I have used some custom.pm settings in the past, but removed them all in this
testing.
Bug? Feature? My misunderstanding or mistake somewhere?
Thank you for your time,
Tim
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) ::
www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)