Hi. Thanks for that little script. Didn't know about that. Very handy. I was able to test it and can confirm something is really wrong either in my config or the AD configuration itself. When I test with no password at all the authentication fails, which is what I would expect:

/usr/local/pf/bin/pftest authentication my_domain_user ""
Testing authentication for "my_domain_user"
Authenticating against local
Authentication FAILED against local (Unable to authenticate successfully using SQL.)
Did not match against local
Authenticating against email
Authentication FAILED against email ()
Matched against email
  set_role : guest
  set_access_duration : 1D
Authenticating against my_ad
Authentication FAILED against my_ad (Invalid login or password)
Matched against my_ad
  set_role : internal_role
  set_access_duration : 1D

But when I put in any random password (not the correct password) the authentication succeeds, as long as there is some text present:

/usr/local/pf/bin/pftest authentication my_domain_user "random_wrong_password"
Testing authentication for "my_domain_user"
Authenticating against local
Authentication FAILED against local (Unable to authenticate successfully using SQL.)
Did not match against local
Authenticating against email
Authentication FAILED against email ()
Matched against email
  set_role : guest
  set_access_duration : 1D
Authenticating against my_ad
Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)
Matched against my_ad
  set_role : internal_role
  set_access_duration : 1D

________________________________
> From: [email protected]
> Date: Tue, 9 Feb 2016 14:44:52 -0500
> To: [email protected]
> Subject: Re: [PacketFence-users] AD integration
>
> Andy,
>
> You can test an account in your AD with:
>
> /usr/local/pf/bin/pftest authentication administrator ""
>
> Authenticating against AD-Inverse
> Authentication FAILED against AD-Inverse (Invalid login or password)
> Matched against AD-Inverse for 'authentication' rules
>   set_role : default
>   set_access_duration : 5D
> Matched against AD-Inverse for 'administration' rules
>   mark_as_sponsor : 1
>
> /usr/local/pf/bin/pftest authentication administrator realpassword
>
> Authenticating against AD-Inverse
> Authentication SUCCEEDED against AD-Inverse (Authentication successful.)
> Matched against AD-Inverse for 'authentication' rules
>   set_role : default
>   set_access_duration : 5D
> Matched against AD-Inverse for 'administration' rules
>   mark_as_sponsor : 1
>
> Make sure that you are matching the correct portal profile in logs/packetfence.log:
>
> Instantiate profile PORTAL-PROFILE-NAME (pf::Portal::ProfileFactory::_from_profile)
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On 9 Feb 2016 at 14:25, Andy A <[email protected]> wrote:
>
> Thanks for your reply. I have an AD source that is configured in PacketFence and the source talks to an AD server for my domain.
>
> cat /usr/local/pf/conf/authentication.conf
> [local]
> description=Local Users
> type=SQL
>
> [email]
> description=Email-based registration
> email_activation_timeout=10m
> type=Email
> create_local_account=yes
> allow_localdomain=yes
>
> [my_ad]
> description=My Active Directory
> password=PASSWORD
> scope=sub
> binddn=OU=Users,OU=My Org,DC=orgDC,DC=local
> basedn=OU=Users,OU=My Org,DC=orgDC,DC=local
> usernameattribute=sAMAccountName
> connection_timeout=15
> stripped_user_name=no
> encryption=none
> cache_match=1
> port=389
> type=AD
> host=10.10.10.10
>
> [my_ad rule internal_access]
> description=internal access
> match=all
> action0=set_role=internal_role
> action1=set_access_duration=1D
>
> cat /usr/local/pf/conf/profiles.conf
> [default]
> description=Default Profile
> logo=/captive-portal/content/assets/img/logo.gif
> billing_engine=disabled
> redirecturl=http://google.com
> always_use_redirecturl=enabled
> mandatory_fields=firstname,lastname,email
> locale=en_US
> nbregpages=0
> filter_match_style=any
> block_interval=10m
> sms_pin_retry_limit=0
> sms_request_limit=0
> login_attempt_limit=0
> dot1x_recompute_role_from_portal=enabled
> reuse_dot1x_credentials=0
> sources=email,local
> provisioners=
> custom_fields_authentication_sources=
> scans=
>
> [my_site]
> description=internal site
> login_attempt_limit=0
> dot1x_recompute_role_from_portal=0
> sms_pin_retry_limit=0
> locale=en_US
> sms_request_limit=0
> nbregpages=0
> always_use_redirecturl=enabled
> redirecturl=http://www.google.com
> billing_engine=disabled
> filter=network:10.10.0.0/24
> description=my site internal profile
> mandatory_fields=
> scans=
> reuse_dot1x_credentials=0
> sources=my_ad,email,local
> block_interval=12h
> provisioners=
> custom_fields_authentication_sources=
> filter_match_style=any
>
> ________________________________
> From: [email protected]
> Date: Tue, 9 Feb 2016 13:20:07 -0500
> To: [email protected]
> Subject: Re: [PacketFence-users] AD integration
>
> Hello Andy,
>
> When you say 'AD integration', did you configure the AD source in PacketFence, or have you joined your PacketFence server to your AD domain?
>
> Can you paste the output of these commands (hiding the passwords):
>
> cat /usr/local/pf/conf/authentication.conf
> cat /usr/local/pf/conf/profiles.conf
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On 9 Feb 2016 at 12:22, Andy A <[email protected]> wrote:
>
> Hello.
>
> I am using PF 5.2 on CentOS 6.x in inline mode. We are using AD integration and it works fine to get people on the internet, with just a small issue.
>
> The AD doesn't require the user's domain password to sign in to the internet as long as the username is a valid child within the AD object tree.
>
> So basically 'userA' and 'userB' can type 'password' as their password and still be authenticated, as the AD is not considering the password at all.
>
> Is this correct behaviour, or have I missed a trick here and not configured the AD properly?
>
> Thanks.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
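The negative test Andy ran by hand, turned into a repeatable check. This is an added example, not code from the thread or from PacketFence: it parses pftest transcripts and flags any source that reports SUCCEEDED for a password known to be wrong. The two sample transcripts are constructed from the output quoted above, and `run_pftest` assumes only the pftest path shown in the thread.

```python
import re
import secrets
import subprocess
from typing import Dict, List

PFTEST = "/usr/local/pf/bin/pftest"  # path quoted in the thread

# pftest prints one verdict line per source, e.g.
#   Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)
#   Authentication FAILED against email ()
RESULT_RE = re.compile(r"^Authentication (SUCCEEDED|FAILED) against (\S+)", re.M)

# Constructed sample transcripts, modelled on the runs quoted in the thread.
EMPTY_PASSWORD_RUN = """Testing authentication for "my_domain_user"
Authenticating against local
Authentication FAILED against local (Unable to authenticate successfully using SQL.)
Did not match against local
Authenticating against email
Authentication FAILED against email ()
Authenticating against my_ad
Authentication FAILED against my_ad (Invalid login or password)
"""
WRONG_PASSWORD_RUN = EMPTY_PASSWORD_RUN.replace(
    "Authentication FAILED against my_ad (Invalid login or password)",
    "Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)",
)


def parse_results(output: str) -> Dict[str, bool]:
    """Map each source named in a pftest transcript to True if it SUCCEEDED."""
    return {src: verdict == "SUCCEEDED" for verdict, src in RESULT_RE.findall(output)}


def sources_accepting_bad_password(output: str) -> List[str]:
    """Sources that SUCCEEDED for a password known to be wrong.

    A correctly configured source must FAIL both for an empty password and for
    a random one, so any name returned here is a misconfiguration to chase.
    """
    return sorted(src for src, ok in parse_results(output).items() if ok)


def run_pftest(username: str, password: str) -> str:
    """Run the real pftest binary; only used when invoked as a script."""
    proc = subprocess.run([PFTEST, "authentication", username, password],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    import sys
    user = sys.argv[1]
    bogus = secrets.token_urlsafe(24)  # fresh random string, not the real password
    for label, pw in (("empty", ""), ("random", bogus)):
        bad = sources_accepting_bad_password(run_pftest(user, pw))
        print(f"{label} password: {'OK' if not bad else 'ACCEPTED BY ' + ', '.join(bad)}")
```

Run as `python3 check_pf_sources.py my_domain_user` on the PacketFence host; a clean result prints OK for both the empty and the random password.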
