On Wed, Feb 10, 2016 at 10:48 PM, Andy A <[email protected]> wrote:

> pftest(30112) WARN: [my_ad] User CN=User User,OU=Users,OU=My
> Org,DC=dc,DC=local *cannot bind from OU=Users,OU=My Org,DC=dc,DC=local on
> 10.10.10.10:389 <http://10.10.10.10:389> *
> (pf::Authentication::Source::LDAPSource::authenticate)
>

Hi Andy,

This is the problem - it can't bind, which means either you're not using
the right host or username or OU.

Here's a useful command line test I use called ldapsearch for testing ldap
queries on linux - you'll have to install it on your packetfence box:

if ubuntu/debian: sudo apt-get install ldap-utils
if rhel/centos/oel:  sudo yum install openldap-clients

For me, I run this command and get all ldap data associated with a user.
It's very useful for building filters:

ldapsearch -LLL -H ldap://activedirectory.waikato.ac.nz -b dc=waikato,dc=ac,dc=nz -D [email protected] -W "(sAMAccountName=TARGET)"

(changing the waikato.ac.nz bits for your environment, of course)

Replace BIND with a username you can use to connect to AD with - your own
for testing purposes works well.
Replace TARGET with the username you're interested in the details of.


For the entries you're given:

>> binddn=OU=Users,OU=My Org,DC=orgDC,DC=local
<---- this looks wrong - try changing to [email protected]
>> basedn=OU=Users,OU=My Org,DC=orgDC,DC=local
<-- this also looks quite wrong, perhaps just: OU=Users,OU=My Org,DC=org
>> usernameattribute=sAMAccountName
>> host=10.10.10.10
>> cache_match=1
<-- turn this off while trying to figure out this problem - it might be caching an incorrect answer, maybe? Turn it on again later once it's sorted though.

For comparison purposes, my authentication.conf has this:

[StaffAD]
description=Staff Users
password=XXXXXXXX
scope=sub
[email protected]
basedn=DC=waikato,DC=ac,DC=nz
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=yes
encryption=none
port=389
type=AD
host=activedirectory.waikato.ac.nz

[StaffAD rule Staff]
description=
class=administration
match=any
action0=mark_as_sponsor=1
condition0=mail,is member of,CN=Staff,CN=Users,DC=waikato,DC=ac,DC=nz

The search string in the condition0 argument above returns a match only for
members of the staff group.

Finally, if you change conf/log.conf to debug + restart packetfence:

[root@packetfence / ]# cat /usr/local/pf/conf/log.conf
### Root/Parent (PacketFence) logger ###
# Will log everything (even categories defined to log in another appender) unless
# specified using the additivity parameter
log4perl.rootLogger = DEBUG, LOGFILE

You'll get a bunch more logs in the packetfence.log file, which includes
the ldap connection it's making and the output and decisions around those
logs.

You may also need to change other log files in the
/usr/local/pf/conf/log.conf.d/ directory to increase their verbosity as well.

This is essentially how I figured out what was going wrong. The next
deeper log level is TRACE. Good luck.

Hope this helps,

Cheers,
David
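As an added example (not from David's mail or from PacketFence itself), the following POSIX shell script reads the LDAP settings of one authentication.conf section, flags a binddn that names a container rather than a user (the shape of the "cannot bind" problem quoted above), and prints the equivalent ldapsearch command so the bind and search can be reproduced outside PacketFence. The sample config is constructed inline; the bind user "BIND" is a placeholder, and the assumption that encryption=ssl means LDAPS is mine.

```shell
#!/bin/sh
# Print the value of key $2 in section [$1] of the ini text read from stdin.
pf_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }'
}

# A bind DN that starts with OU= or DC= names a container, not an account;
# AD rejects such a bind, which is what the quoted WARN line reports.
pf_binddn_ok() {
    case "$1" in
        OU=*|ou=*|DC=*|dc=*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the ldapsearch command for section $2 of config text $1, searching
# for the account whose usernameattribute equals $3.
pf_ldapsearch_cmd() {
    cfg=$1; sec=$2; target=$3
    host=$(printf '%s\n' "$cfg" | pf_get "$sec" host)
    port=$(printf '%s\n' "$cfg" | pf_get "$sec" port)
    binddn=$(printf '%s\n' "$cfg" | pf_get "$sec" binddn)
    basedn=$(printf '%s\n' "$cfg" | pf_get "$sec" basedn)
    attr=$(printf '%s\n' "$cfg" | pf_get "$sec" usernameattribute)
    enc=$(printf '%s\n' "$cfg" | pf_get "$sec" encryption)
    # Assumption: encryption=ssl selects ldaps://, anything else plain ldap://.
    scheme=ldap; [ "$enc" = ssl ] && scheme=ldaps
    pf_binddn_ok "$binddn" || echo "warning: binddn '$binddn' is a container, not a user" >&2
    printf 'ldapsearch -LLL -H %s://%s:%s -D "%s" -W -b "%s" "(%s=%s)"\n' \
        "$scheme" "$host" "$port" "$binddn" "$basedn" "$attr" "$target"
}

# Constructed sample mirroring the StaffAD section above; BIND is a placeholder.
SAMPLE_CONF='[StaffAD]
scope=sub
binddn=BIND@waikato.ac.nz
basedn=DC=waikato,DC=ac,DC=nz
usernameattribute=sAMAccountName
encryption=none
port=389
type=AD
host=activedirectory.waikato.ac.nz'

pf_ldapsearch_cmd "$SAMPLE_CONF" StaffAD TARGET
```

Run the printed command on the PacketFence box (after installing ldap-utils or openldap-clients) and compare its result with the WARN line in packetfence.log.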
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users