Active Directory which comes with Windows Server 2012.
________________________________
> From: [email protected]
> Date: Wed, 10 Feb 2016 16:34:47 -0500
> To: [email protected]
> Subject: Re: [PacketFence-users] AD integration
>
> Hello Andy,
>
> Which version of Active Directory are you using?
>
> Thanks.
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On 10 Feb 2016, at 04:48, Andy A <[email protected]> wrote:
>
> Oh and here's the log for the same
>
> /usr/local/pf/bin/pftest authentication my_domain_user ""
>
> pftest(30112) ERROR: unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
> pftest(30112) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
> pftest(30112) WARN: [my_ad] User CN=User User,OU=Users,OU=My Org,DC=dc,DC=local cannot bind from OU=Users,OU=My Org,DC=dc,DC=local on 10.10.10.10:389 (pf::Authentication::Source::LDAPSource::authenticate)
>
> /usr/local/pf/bin/pftest authentication my_domain_user "random_wrong_password"
> pftest(29775) ERROR: unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
> pftest(29775) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
> pftest(29775) INFO: [my_ad] Authentication successful for my_domain_user (pf::Authentication::Source::LDAPSource::authenticate)
> pftest(29775) INFO: [my_ad internal_access] Found a match (CN=User User,OU=Users,OU=My Org,DC=dc,DC=local) (pf::Authentication::Source::LDAPSource::match_in_subclass)
> pftest(29775) INFO: Matched rule (internal_access) in source my_ad, returning actions. (pf::Authentication::Source::match)
>
> So where's the problem do you think?
>
> PS: Just so you know for my configuration '/usr/local/pf/conf/admin.conf' does not exist.
>
> ----------------------------------------
> From: [email protected]
> To: [email protected]
> Date: Wed, 10 Feb 2016 09:27:25 +0000
> Subject: Re: [PacketFence-users] AD integration
>
> Hi.
>
> Thanks for that little script. Didn't know about that. Very handy. I was able to test it and can confirm something is really wrong either in my config or the AD configuration itself.
> When I test with no password at all the authentication fails - which is what I would expect
>
> /usr/local/pf/bin/pftest authentication my_domain_user ""
> Testing authentication for "my_domain_user"
>
> Authenticating against local
> Authentication FAILED against local (Unable to authenticate successfully using SQL.)
> Did not match against local
>
> Authenticating against email
> Authentication FAILED against email ()
> Matched against email
> set_role : guest
> set_access_duration : 1D
>
> Authenticating against my_ad
> Authentication FAILED against my_ad (Invalid login or password)
> Matched against my_ad
> set_role : internal_role
> set_access_duration : 1D
>
> But when I put any random password (not the correct password) the authentication succeeds as long as there is some text present
>
> /usr/local/pf/bin/pftest authentication my_domain_user "random_wrong_password"
> Testing authentication for "my_domain_user"
>
> Authenticating against local
> Authentication FAILED against local (Unable to authenticate successfully using SQL.)
> Did not match against local
>
> Authenticating against email
> Authentication FAILED against email ()
> Matched against email
> set_role : guest
> set_access_duration : 1D
>
> Authenticating against my_ad
> Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)
> Matched against my_ad
> set_role : internal_role
> set_access_duration : 1D
>
> ________________________________
> From: [email protected]
> Date: Tue, 9 Feb 2016 14:44:52 -0500
> To: [email protected]
> Subject: Re: [PacketFence-users] AD integration
>
> Andy,
>
> You can test an account in your ad with:
>
> /usr/local/pf/bin/pftest authentication administrator ""
>
> Authenticating against AD-Inverse
> Authentication FAILED against AD-Inverse (Invalid login or password)
> Matched against AD-Inverse for 'authentication' rules
> set_role : default
> set_access_duration : 5D
> Matched against AD-Inverse for 'administration' rules
> mark_as_sponsor : 1
>
> /usr/local/pf/bin/pftest authentication administrator realpassword
>
> Authenticating against AD-Inverse
> Authentication SUCCEEDED against AD-Inverse (Authentication successful.)
> Matched against AD-Inverse for 'authentication' rules
> set_role : default
> set_access_duration : 5D
> Matched against AD-Inverse for 'administration' rules
> mark_as_sponsor : 1
>
> Make sure that you are matching the correct portal profile into the logs/packetfence.log
>
> Instantiate profile PORTAL-PROFILE-NAME (pf::Portal::ProfileFactory::_from_profile)
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On 9 Feb 2016, at 14:25, Andy A <[email protected]> wrote:
>
> Thanks for your reply. I have AD source that is configured in PacketFence and the source talks to an AD server for my Domain.
>
> cat /usr/local/pf/conf/authentication.conf
> [local]
> description=Local Users
> type=SQL
>
> [email]
> description=Email-based registration
> email_activation_timeout=10m
> type=Email
> create_local_account=yes
> allow_localdomain=yes
>
> [my_ad]
> description=My Active Directory
> password=PASSWORD
> scope=sub
> binddn=OU=Users,OU=My Org,DC=orgDC,DC=local
> basedn=OU=Users,OU=My Org,DC=orgDC,DC=local
> usernameattribute=sAMAccountName
> connection_timeout=15
> stripped_user_name=no
> encryption=none
> cache_match=1
> port=389
> type=AD
> host=10.10.10.10
>
> [my_ad rule internal_access]
> description=internal access
> match=all
> action0=set_role=internal_role
> action1=set_access_duration=1D
>
> cat /usr/local/pf/conf/profiles.conf
> [default]
> description=Default Profile
> logo=/captive-portal/content/assets/img/logo.gif
> billing_engine=disabled
> redirecturl=http://google.com
> always_use_redirecturl=enabled
> mandatory_fields=firstname,lastname,email
> locale=en_US
> nbregpages=0
> filter_match_style=any
> block_interval=10m
> sms_pin_retry_limit=0
> sms_request_limit=0
> login_attempt_limit=0
> dot1x_recompute_role_from_portal=enabled
> reuse_dot1x_credentials=0
> sources=email,local
> provisioners=
> custom_fields_authentication_sources=
> scans=
>
> [my_site]
> description=internal site
> login_attempt_limit=0
> dot1x_recompute_role_from_portal=0
> sms_pin_retry_limit=0
> locale=en_US
> sms_request_limit=0
> nbregpages=0
> always_use_redirecturl=enabled
> redirecturl=http://www.google.com
> billing_engine=disabled
> filter=network:10.10.0.0/24
> description=my site internal profile
> mandatory_fields=
> scans=
> reuse_dot1x_credentials=0
> sources=my_ad,email,local
> block_interval=12h
> provisioners=
> custom_fields_authentication_sources=
> filter_match_style=any
>
> ________________________________
> From: [email protected]
> Date: Tue, 9 Feb 2016 13:20:07 -0500
> To: [email protected]
> Subject: Re: [PacketFence-users] AD integration
>
> Hello Andy,
>
> When you are saying 'AD integration', did you configure the AD source in PacketFence or you have joined your PacketFence server to your AD domain?
>
> Can you paste the output of those commands (hiding the passwords):
>
> cat /usr/local/pf/conf/authentication.conf
>
> cat /usr/local/pf/conf/profiles.conf
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On 9 Feb 2016, at 12:22, Andy A <[email protected]> wrote:
>
> Hello.
>
> I am using PF 5.2 on Centos 6.x in inline mode. We are using AD integration and it works fine to get people on the internet with just a small issue.
> The AD doesn't require the user's domain password to sign-in to the internet as long as the username is a valid child within the AD object tree.
>
> So basically 'userA' and 'userB' can type 'password' as their password and still be authenticated as the AD is not considering the password at all.
>
> Is this a correct behaviour? or have I missed a trick here and not configured the AD properly?
>
> Thanks.
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
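
An added example (not part of the thread and not PacketFence code): a small Python parser for the `pftest authentication` output format quoted above. It lists the sources that accepted the supplied password, so that a run made with a deliberately wrong password can be checked automatically. The sample text is copied from the output quoted in the thread; the function names are hypothetical, and it assumes one result line per source as shown there.

```python
import re

# Output of the wrong-password run, as quoted in the thread.
WRONG_PASSWORD_RUN = """\
Testing authentication for "my_domain_user"

Authenticating against local
Authentication FAILED against local (Unable to authenticate successfully using SQL.)
Did not match against local

Authenticating against email
Authentication FAILED against email ()
Matched against email
set_role : guest
set_access_duration : 1D

Authenticating against my_ad
Authentication SUCCEEDED against my_ad (Authentication successful using LDAP)
Matched against my_ad
set_role : internal_role
set_access_duration : 1D
"""

RESULT = re.compile(r"Authentication (SUCCEEDED|FAILED) against (\S+) \((.*)\)")
MATCHED = re.compile(r"^\s*Matched against (\S+)")


def parse_pftest(output):
    """Return {source: {"authenticated": bool, "reason": str, "matched": bool}}."""
    sources = {}
    for line in output.splitlines():
        m = RESULT.search(line)
        if m:
            sources[m.group(2)] = {"authenticated": m.group(1) == "SUCCEEDED",
                                   "reason": m.group(3), "matched": False}
            continue
        m = MATCHED.match(line)
        if m and m.group(1) in sources:
            # Rule matching is reported separately from the password check.
            sources[m.group(1)]["matched"] = True
    return sources


def sources_accepting(output):
    """Sources that authenticated the supplied password. For a run made with
    a deliberately wrong password, every name returned is a finding."""
    return sorted(s for s, r in parse_pftest(output).items() if r["authenticated"])
```

The parsed result also shows that a source can match its rules while the authentication itself failed, as the `email` source does in the quoted runs, so the `authenticated` flag is the one to check.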
