Good morning Fabrice,

Here is the output of the command you provided:

version: 1

#
# LDAPv3
# base <OU = Users, OU = Tabajara Headquarters, DC = tabajara, DC = com, DC
= br> with scope subtree
# filter: sAMAccountName = packetfence
# requesting: ALL
#

# packetfence, PacketFence, Service, Users, Tabajara Headquarters,
tabajara.com.br
dn: CN = packetfence, OU = PacketFence, OU = Service, OU = Users, OU =
Tabajara Sede, DC = taba
 jara, DC = com, DC = br
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: packetfence
givenName: packetfence
distinguishedName: CN = packetfence, OU = PacketFence, OU = Service, OU =
Users, OU = Table
 jara Headquarters, DC = tabajara, DC = com, DC = br
instanceType: 4
whenCreated: 20190522175834.0Z
whenChanged: 20200314212343.0Z
displayName: packetfence
uSNCreated: 332707737
memberOf: CN = Domain Admins, CN = Users, DC = tabajara, DC = com, DC = us
uSNChanged: 354881720
name: packetfence
objectGUID :: Gtp8SctV30ObE156O9onWA ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 134565121389590252
lastLogon: 133465121436547757
pwdLastSet: 132030215143488213
primaryGroupID: 513
objectSid :: AQUAAAAAAAUVAAAAOEkycmN9EhxnEvQ3io7GNA ==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: packetfence
sAMAccountType: 805306368
userPrincipalName: packetfe...@tabajara.com.br
objectCategory: CN = Person, CN = Schema, CN = Configuration, DC =
tabajara, DC = com, DC = us
dSCorePropagationData: 16010101000000.0Z
mS-DS-ConsistencyGuid :: Gtp8SctV30ObE156O9onWA ==
lastLogonTimestamp: 132286946239647914

# search result

# numResponses: 2
# numEntries: 1

Sincerely,

Wagner
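
Added example, not part of the original message or of PacketFence: a Python sketch that reads ldapsearch LDIF output such as the above, unfolds wrapped lines, and decodes userAccountControl and pwdLastSet alongside memberOf, the attribute that a group-membership rule has to match by full DN, as noted further down the thread. The sample entry is constructed from values shown in this thread, and the function names are hypothetical.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the ldapsearch output in the message above.
SAMPLE_LDIF = """\
# packetfence, PacketFence, Servico, Usuarios, Tabajara Sede,
 tabajara.com.br
dn: CN=packetfence,OU=PacketFence,OU=Servico,OU=Usuarios,OU=Tabajara Sede,DC=taba
 jara,DC=com,DC=br
memberOf: CN=Domain Admins,CN=Users,DC=tabajara,DC=com,DC=br
objectGUID:: Gtp8SctV30ObE156O9onWA==
userAccountControl: 66048
pwdLastSet: 132030215143488213
"""

UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

def parse_entry(ldif):
    """Unfold LDIF lines; return {attribute: [values]} ('attr::' is base64)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: join to the previous one
        elif raw:
            lines.append(raw)
    entry = {}
    for line in (l for l in lines if not l.startswith("#")):  # skip comments
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def filetime_to_utc(value):
    """Windows FILETIME (100 ns ticks since 1601-01-01); 0 and 2**63-1 mean never."""
    ticks = int(value)
    if ticks in (0, 2**63 - 1):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def summarize(entry):
    uac = int(entry["userAccountControl"][0])
    return {"dn": entry["dn"][0],
            "uac_flags": [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit],
            "pwd_last_set": filetime_to_utc(entry["pwdLastSet"][0]),
            "groups": entry.get("memberOf", [])}

if __name__ == "__main__":
    print(summarize(parse_entry(SAMPLE_LDIF)))
```

For the values in this thread, the entry decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, a password last set on 2019-05-22 (the same moment as whenCreated), and membership in Domain Admins.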

On Thu, Mar 19, 2020 at 23:45, Durand fabrice <fdur...@inverse.ca>
wrote:

> If you stripped in radius in the realm ANA, it means that packetfence is
> doing an ldap search with sAMAccountName=iran
>
> So try that from the cli:
>
> ldapsearch -h 10.10.10.70  -s sub -b "OU=Usuarios,OU=Tabajara
> Sede,DC=tabajara,DC=com,DC=br" -D
> "CN=packetfence,OU=PacketFence,OU=Servico,OU=Usuarios,OU=Tabajara
> Sede,DC=tabajara,DC=com,DC=br" -w whatyouarelookingfor -L
> "sAMAccountName=iran"
>
> and see if it returns something.
>
> Regards
>
> Fabrice
>
>
> On 20-03-19 at 14:42, Wagner Liegio wrote:
>
> Good afternoon,
>
> I made the suggested adjustments by activating the strip in radius,
> created a new realm, and the error persists. User authentication searching
> for the domain only works when manually registering the node in
> packetfence. Therefore, the error still remains in the database when trying
> to auto-register.
> Below is the database error log:
>
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> INFO: [mac:d0:94:66:db:ae:77] handling radius autz request: from switch_ip
> => (10.95.10.1), connection_type => Ethernet-EAP,switch_mac =>
> (c8:0c:c8:f1:25:20), mac => [d0:94:66:db:ae:77], port => 78774, username =>
> "ANA\iran" (pf::radius::authorize)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> INFO: [mac:d0:94:66:db:ae:77] Instantiate profile 802.1x
> (pf::Connection::ProfileFactory::_from_profile)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> INFO: [mac:d0:94:66:db:ae:77] Found authentication source(s) : 'Ana' for
> realm 'default' (pf::config::util::filter_authentication_sources)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> INFO: [mac:d0:94:66:db:ae:77] Using sources Ana for matching
> (pf::authentication::match2)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> INFO: [mac:d0:94:66:db:ae:77] LDAP testing connection (pf::LDAP::expire_if)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> WARN: [mac:d0:94:66:db:ae:77] No category computed for autoreg
> (pf::role::getNodeInfoForAutoReg)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> WARN: [mac:d0:94:66:db:ae:77] No role specified or found for pid ANA\iran
> (MAC d0:94:66:db:ae:77); assume maximum number of registered nodes is
> reached (pf::node::is_max_reg_nodes_reached)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> ERROR: [mac:d0:94:66:db:ae:77] max nodes per pid met or exceeded -
> registration of d0:94:66:db:ae:77 to ANA\iran failed
> (pf::registration::setup_node_for_registration)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> ERROR: [mac:d0:94:66:db:ae:77] auto-registration of node failed max nodes
> per pid met or exceeded (pf::radius::authorize)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> ERROR: [mac:d0:94:66:db:ae:77] Database query failed with non retryable
> error: Cannot add or update a child row: a foreign key constraint fails
> (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES
> `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno:
> 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`,
> `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`,
> `detect_date`, `device_class`, `device_manufacturer`, `device_score`,
> `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`,
> `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`,
> `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`,
> `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`,
> `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY
> UPDATE `autoreg` = ?, `last_seen` = NOW(), `pid` = ?, `status` = ?,
> `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-03-19 18:15:11,
> NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00,
> 0000-00-00 00:00:00, 0000-00-00 00:00:00, d0:94:66:db:ae:77, NULL, NULL,
> ANA\iran, 0000-00-00 00:00:00, NULL, reg, 1, NULL, 0000-00-00 00:00:00,
> NULL, no, yes, ANA\iran, reg, 1} (pf::dal::db_execute)
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
> ERROR: [mac:d0:94:66:db:ae:77] Cannot save d0:94:66:db:ae:77 error (500)
> (pf::radius::authorize)
>
> On Wed, Mar 18, 2020 at 21:34, Durand fabrice via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
>> Try that:
>>
>> pftest authentication ANA\pereira ""
>>
>> and
>>
>> pftest authentication pereira ""
>>
>> to see if the user is found and if it matches a rule.
>>
>> If the second one works then in the ANA realm enable strip in radius.
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 20-03-18 at 20:13, Zacharry Williams via PacketFence-users wrote:
>>
>> Gonna take a wild guess here, in your realms config turn on strip radius
>> for null and your domain and try logging on with just your username and
>> password. I'm guessing your realms config isn't matching. For us we had
>> three domains and we had to add them all. For example COMPANY.ORG,
>> COMPANY.LAN, COMPANY.COM.
>>
>> On Wed, Mar 18, 2020, 12:43 PM Wagner Liegio via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Good afternoon,
>>>
>>> The requested files are attached.
>>>
>>> On Tue, Mar 17, 2020 at 14:16, Ludovic Zammit <lzam...@inverse.ca>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> Could you post the result of those two commands:
>>>>
>>>> cat /usr/local/pf/conf/authentication.conf
>>>>
>>>> cat /usr/local/pf/conf/profiles.conf
>>>>
>>>> Remove your information.
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>> (http://packetfence.org)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mar 17, 2020, at 9:42 AM, Wagner Liegio via PacketFence-users <
>>>> packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>> Good Morning,
>>>>
>>>> The rules, functions are standard on the Zen packetfence 9.3 that I
>>>> downloaded from the site, I will send some images of how the configuration
>>>> is through the webgui, so I noticed everything is correct, what is
>>>> happening is that the function and the rule is not being applied for some
>>>> reason that I don't know.
>>>>
>>>> <image.png>
>>>>
>>>> <image.png>
>>>>
>>>> <image.png>
>>>>
>>>>
>>>>
>>>> On Tue, Mar 17, 2020 at 00:04, Zacharry Williams via
>>>> PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>>> Check and make sure your realms are defined also.
>>>>>
>>>>> On Mon, Mar 16, 2020, 4:58 PM Brandt Winchell via PacketFence-users <
>>>>> packetfence-users@lists.sourceforge.net> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I know when I ran into this issue, it had to do with the
>>>>>> authorization source for AD.  In the source, I had an authentication rule
>>>>>> that matched the sAMAccountName is member of “group name”.  The group name
>>>>>> must be the AD DN (distinguished name) of the group.  CN=%security group
>>>>>> you want%,OU=%OU the object resides in%,DC=%your domain%,DC=%domain suffix%
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* Wagner Liegio via PacketFence-users <
>>>>>> packetfence-users@lists.sourceforge.net>
>>>>>> *Sent:* Monday, March 16, 2020 1:08 PM
>>>>>> *To:* packetfence-users@lists.sourceforge.net
>>>>>> *Cc:* Wagner Liegio <wagner.lie...@gmail.com>
>>>>>> *Subject:* [PacketFence-users] authentication sources packetfence 9.3
>>>>>>
>>>>>>
>>>>>>
>>>>>> Good afternoon, I'm facing the same problem only in version 9.3. I
>>>>>> have done everything I can think of, reconfigured the domain, the
>>>>>> connection profile, checked the rules and functions. The error follows:
>>>>>> No role specified or found for pid ANA\pereira (MAC d0:94:66:db:ee:7d);
>>>>>> assumes maximum number of registered nodes is reached
>>>>>> (pf::node::is_max_reg_nodes_reached)
>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR:
>>>>>> [mac:d0:94:66:db:ee:7d] max nodes per pid met or exceeded - registration
>>>>>> of d0:94:66:db:ae:7d to ANA\pereira failed
>>>>>> (pf::registration::setup_node_for_registration)
>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR:
>>>>>> [mac:d0:94:66:db:ee:7d] auto-registration of node failed max nodes per
>>>>>> pid met or exceeded (pf::radius::authorize)
>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR:
>>>>>> [mac:d0:94:66:db:ee:7d] Database query failed with non retryable error:
>>>>>> Cannot add or update a child row: a foreign key constraint fails
>>>>>> (pf.node, CONSTRAINT 0_57 FOREIGN KEY (tenant_id, pid) REFERENCES
>>>>>> person (tenant_id, pid) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452)
>>>>>> [INSERT INTO node
>>>>>> (autoreg, bandwidth_balance, bypass_role_id, bypass_vlan,
>>>>>> category_id, computername, detect_date, device_class, device_manufacturer,
>>>>>> device_score, device_type,
>>>>>> device_version, dhcp6_enterprise, dhcp6_fingerprint,
>>>>>> dhcp_fingerprint, dhcp_vendor, last_arp, last_dhcp, last_seen, lastskip,
>>>>>> mac, machine_account, notes, regdate, sessionid, status, tenant_id,
>>>>>> time_balance, void, user? ?,?,?,?,?,?,?,?,?,?,?,?,?,?, NOW
>>>>>> (),?,?,?,?,?,?,?,?,?, ?,?,?,?) ON DUPLICATE KEY UPDATE autoreg = ?,
>>>>>> Last_seen = NOW (), pid = ?, Status = ?, Tenant_id` =?] {Yes, NULL, NULL,
>>>>>> NULL, NULL, NULL, 2020-03-13 19:08:50, NULL, NULL, NULL, NULL, NULL,
>>>>>> NULL, NULL, NULL, NULL,
>>>>>> 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00,
>>>>>> d0:94:66:db:ae:7d, NULL, NULL, ANA\pereira, 0000-00-00 00:00:00, NULL,
>>>>>> reg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, ANA\pereira, reg, 1}
>>>>>> (pf::dal::db_execute)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users