Re: [PacketFence-users] LDAP Authentication - Unable to Contact Server

2023-08-09 Thread Zammit, Ludovic via PacketFence-users
Hello Cory,

Normally no, it works like you described. It’s not normal that you see nothing 
going out of your PF server during an LDAPS query or test bind.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Aug 3, 2023, at 1:26 PM, Cory Robbins via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> I have a fresh ISO install of PacketFence, and I am attempting to configure 
> Google Workspace LDAP as an Authentication Source.  I have configured it 
> following the documentation, and I have the certificates in place.  When I 
> test the bind password, I'm getting "Can't connect to server or bind with 
> 'GoogleCredentials' on 216.239.32.58:636."
> I also don't see any traffic leaving the server through Wireshark or my
> pfSense firewall logs. I installed ldap-utils to perform an ldapsearch, and I
> get this error: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)
> 
> Am I supposed to manually install something for LDAP to work?  Again, there 
> is no traffic hitting my firewall or trying to exit the server.
> 
> Thanks for any help!
> 
>   
> Cory Robbins
> Network Administrator, West Fork Schools
> (479) 839-2231 Ext: 4044  | 
> crobb...@wftigers.org 
> https://westforkschools.org 
> 
> 359 School Ave. West Fork, AR 72774
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users





Re: [PacketFence-users] ldap authentication failed

2022-11-30 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Once you enable the NTLM or the plain text stored password, did you reset the 
password?

You will need to because the db does not go over the password once you change 
the method of storage.

You can use the command:

/usr/local/pf/pftest authentication USERNAME PASSWORD local

to verify if everything matches.

Thanks,

PS: make sure to restart radius processes as well.


Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Nov 23, 2022, at 11:51 PM, Nikunj Vacchani via PacketFence-users 
>  wrote:
> 
> Hello Fabrice,
>  
> My univention password settings is.
>  
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 0
> Minimum password length: 8
> Minimum password age (days): 0
> Maximum password age (days): 0
> Account lockout duration (mins): 0
> Account lockout threshold (attempts): 0
> Reset account lockout after (mins): 30
>  
>  
>  
> Thanks & Regards,
> Nikunj Vachhani.
> Network Engineer.
> 99091 10490
>  
> From: Fabrice Durand
> Sent: 23 November 2022 07:25 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Nikunj Vacchani
> Subject: Re: [PacketFence-users] ldap authentication failed
>  
>  
> Hello Nikunj, 
> you can use ldap for peap only if you can grab the password in clear text or 
> with NT-Hash
>  
> http://deployingradius.com/documents/protocols/compatibility.html 
>  
> So how do you configure that ?
>  
> Or join the packetfence server to the domain.
>  
> Regards
> Fabrice
>  
>  
>  
> On Wed, 23 Nov 2022 at 08:47, Nikunj Vacchani via PacketFence-users wrote:
> Hello
>  
> I'm able to authenticate with a local user but I'm not able to authenticate
> with my LDAP server users.
>
> I'm facing this error:
>  
> PacketFence-KeyBalanced = "1acc010ea4ece6928d7a7f0c37444c0f"
> PacketFence-Radius-Ip = "10.20.40.153"
> Event-Timestamp = "Nov 17 2022 12:42:35 IST"
> Acct-Session-Id = "05000132"
> NAS-Port = 53
> NAS-IP-Address = 11.11.11.240
> PacketFence-NTLMv2-Only = ""
> EAP-Message = 
> 0x020800431a0208003e319e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a005252555c74657374
> FreeRADIUS-Proxied-To = 127.0.0.1
> EAP-Type = MSCHAPv2
> MS-CHAP2-Response = 
> 0x08529e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a
> Calling-Station-Id = "54:05:db:0a:ae:a4"
> Stripped-User-Name = "test"
> User-Name = "RRU\\test"
> PacketFence-Outer-User = "RRU\\test"
> NAS-Port-Type = Ethernet
> PacketFence-Domain = "RRUAD01"
> MS-CHAP-Challenge = 0xa88d981c98c2e8b5e0512896662f75d3
> Realm = "default"
> MS-CHAP-User-Name = "RRU\\test"
> State = 0x0e2308c40e2b12014ce5e92689785f0a
> Module-Failure-Message = "chrooted_mschap: Program returned code (1) and 
> output 'The attempted logon is invalid. This is either due to a bad username 
> or authentication information. (0xc06d)'"
> Module-Failure-Message = "chrooted_mschap: External script says: The 
> attempted logon is invalid. This is either due to a bad username or 
> authentication information. (0xc06d)"
> Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
> User-Password = "**"
> SQL-User-Name = "RRUtest"
> RADIUS Reply
> MS-CHAP-Error = "\010E=691 R=0 C=fefbe43603701f99844df4f72dfc01ac V=3 
> M=Authentication rejected"
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
>  
>  
> Does anyone have an idea how to resolve this error?
>  
> Thanks & Regards,
> Nikunj Vach

Re: [PacketFence-users] ldap authentication failed

2022-11-30 Thread Nikunj Vacchani via PacketFence-users
Hello all,

/user/local/pf/bin/pfcmd authentication username password

This is working fine for local and LDAP users using this command.

But when we authenticate through the client laptop, local user authentication is 
successful but an LDAP user gives me an error.

Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490

-Original Message-
From: Zammit, Ludovic 
Sent: 25 November 2022 03:10 AM
To: PacketFence-users 
Cc: Fabrice Durand ; Nikunj Vacchani 

Subject: Re: [PacketFence-users] ldap authentication failed





Re: [PacketFence-users] ldap authentication failed

2022-11-24 Thread Nikunj Vacchani via PacketFence-users
Hello Fabrice,

My Univention password settings are:

Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 0
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30



Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490

From: Fabrice Durand 
Sent: 23 November 2022 07:25 PM
To: packetfence-users@lists.sourceforge.net
Cc: Nikunj Vacchani 
Subject: Re: [PacketFence-users] ldap authentication failed


Hello Nikunj,
you can use ldap for peap only if you can grab the password in clear text or 
with NT-Hash

http://deployingradius.com/documents/protocols/compatibility.html

So how do you configure that ?

Or join the packetfence server to the domain.

Regards
Fabrice



On Wed, 23 Nov 2022 at 08:47, Nikunj Vacchani via PacketFence-users wrote:
Hello

I'm able to authenticate with a local user but I'm not able to authenticate with 
my LDAP server users.

I'm facing this error:

PacketFence-KeyBalanced = "1acc010ea4ece6928d7a7f0c37444c0f"
PacketFence-Radius-Ip = "10.20.40.153"
Event-Timestamp = "Nov 17 2022 12:42:35 IST"
Acct-Session-Id = "05000132"
NAS-Port = 53
NAS-IP-Address = 11.11.11.240
PacketFence-NTLMv2-Only = ""
EAP-Message = 
0x020800431a0208003e319e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a005252555c74657374
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
MS-CHAP2-Response = 
0x08529e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a
Calling-Station-Id = "54:05:db:0a:ae:a4"
Stripped-User-Name = "test"
User-Name = "RRU\\test"
PacketFence-Outer-User = "RRU\\test"
NAS-Port-Type = Ethernet
PacketFence-Domain = "RRUAD01"
MS-CHAP-Challenge = 0xa88d981c98c2e8b5e0512896662f75d3
Realm = "default"
MS-CHAP-User-Name = "RRU\\test"
State = 0x0e2308c40e2b12014ce5e92689785f0a
Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 
'The attempted logon is invalid. This is either due to a bad username or 
authentication information. (0xc06d)'"
Module-Failure-Message = "chrooted_mschap: External script says: The attempted 
logon is invalid. This is either due to a bad username or authentication 
information. (0xc06d)"
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
User-Password = "**"
SQL-User-Name = "RRUtest"
RADIUS Reply
MS-CHAP-Error = "\010E=691 R=0 C=fefbe43603701f99844df4f72dfc01ac V=3 
M=Authentication rejected"
EAP-Message = 0x04080004
Message-Authenticator = 0x


Does anyone have an idea how to resolve this error?

Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490

From: Nikunj Vacchani via PacketFence-users
Sent: 16 November 2022 07:29 PM
To: packetfence-users@lists.sourceforge.net
Cc: Nikunj Vacchani
Subject: [PacketFence-users] ldap authentication failed


Hello everyone,

I'm facing an issue when I'm trying to authenticate with an LDAP user.

ERROR:

chrooted_mschap: Program returned code (1) and output 'The attempted logon is 
invalid. This is either due to a bad username or authentication information. 
(0xc06d)'

How do I resolve this issue?

Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490


Re: [PacketFence-users] ldap authentication failed

2022-11-23 Thread Fabrice Durand via PacketFence-users
Hello Nikunj,
you can use ldap for peap only if you can grab the password in clear text
or with NT-Hash

http://deployingradius.com/documents/protocols/compatibility.html

So how do you configure that ?

Or join the packetfence server to the domain.

Regards
Fabrice



On Wed, 23 Nov 2022 at 08:47, Nikunj Vacchani via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello
>
>
>
> I'm able to authenticate with a local user but I'm not able to authenticate
> with my LDAP server users.
>
>
>
> I'm facing this error:
>
>
>
> PacketFence-KeyBalanced = "1acc010ea4ece6928d7a7f0c37444c0f"
>
> PacketFence-Radius-Ip = "10.20.40.153"
>
> Event-Timestamp = "Nov 17 2022 12:42:35 IST"
>
> Acct-Session-Id = "05000132"
>
> NAS-Port = 53
>
> NAS-IP-Address = 11.11.11.240
>
> PacketFence-NTLMv2-Only = ""
>
> EAP-Message =
> 0x020800431a0208003e319e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a005252555c74657374
>
> FreeRADIUS-Proxied-To = 127.0.0.1
>
> EAP-Type = MSCHAPv2
>
> MS-CHAP2-Response =
> 0x08529e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a
>
> Calling-Station-Id = "54:05:db:0a:ae:a4"
>
> Stripped-User-Name = "test"
>
> User-Name = "RRU\\test"
>
> PacketFence-Outer-User = "RRU\\test"
>
> NAS-Port-Type = Ethernet
>
> PacketFence-Domain = "RRUAD01"
>
> MS-CHAP-Challenge = 0xa88d981c98c2e8b5e0512896662f75d3
>
> Realm = "default"
>
> MS-CHAP-User-Name = "RRU\\test"
>
> State = 0x0e2308c40e2b12014ce5e92689785f0a
>
> Module-Failure-Message = "chrooted_mschap: Program returned code (1) and
> output 'The attempted logon is invalid. This is either due to a bad
> username or authentication information. (0xc06d)'"
>
> Module-Failure-Message = "chrooted_mschap: External script says: The
> attempted logon is invalid. This is either due to a bad username or
> authentication information. (0xc06d)"
>
> Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
>
> User-Password = "**"
>
> SQL-User-Name = "RRUtest"
>
> RADIUS Reply
>
> MS-CHAP-Error = "\010E=691 R=0 C=fefbe43603701f99844df4f72dfc01ac V=3
> M=Authentication rejected"
>
> EAP-Message = 0x04080004
>
> Message-Authenticator = 0x
>
>
>
>
>
> Does anyone have an idea how to resolve this error?
>
>
>
> Thanks & Regards,
>
> Nikunj Vachhani.
>
> Network Engineer.
>
> 99091 10490
>
>
>
> *From:* Nikunj Vacchani via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* 16 November 2022 07:29 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Nikunj Vacchani 
> *Subject:* [PacketFence-users] ldap authentication failed
>
>
>
>
>
>
> Hello everyone,
>
>
>
> I'm facing an issue when I'm trying to authenticate with an LDAP user.
>
>
>
> ERROR:
>
>
>
> chrooted_mschap: Program returned code (1) and output 'The attempted logon
> is invalid. This is either due to a bad username or authentication
> information. (0xc06d)'
>
>
>
> How do I resolve this issue?
>
>
>
> Thanks & Regards,
>
> Nikunj Vachhani.
>
> Network Engineer.
>
> 99091 10490
>
>
>
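Worked example, added here and not code from the thread or from PacketFence: a small Python triage of the attribute dump Nikunj posted. It parses the `Attribute = value` lines (including values wrapped onto the next line), decodes MS-CHAP-Error per RFC 2759 and the EAP-Failure reply, and maps the chrooted_mschap failure to Fabrice's point that MS-CHAPv2 can only be checked from the cleartext password or NT hash (or through a working domain join). The sample dump is a constructed subset of the posted one; the verdict and hint strings are this example's own.

```python
"""Triage a FreeRADIUS/PacketFence debug dump of a rejected PEAP-MSCHAPv2 attempt."""
import re

# Constructed sample: a subset of the attribute dump posted in the thread, with one value
# wrapped onto the following line the way the archive shows it.
SAMPLE_DUMP = r'''
EAP-Type = MSCHAPv2
User-Name = "RRU\\test"
Stripped-User-Name = "test"
PacketFence-Domain = "RRUAD01"
MS-CHAP-Challenge = 0xa88d981c98c2e8b5e0512896662f75d3
MS-CHAP2-Response =
0x08529e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a
Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc06d)'"
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
RADIUS Reply
MS-CHAP-Error = "\010E=691 R=0 C=fefbe43603701f99844df4f72dfc01ac V=3 M=Authentication rejected"
EAP-Message = 0x04080004
'''

ATTR_RE = re.compile(r"^([A-Za-z][\w-]*) = ?(.*)$")

# Error codes carried in MS-CHAP-Error (RFC 2759, section 6).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}


def unquote(value):
    """Strip the quotes FreeRADIUS puts around string values and undo its \\\\ and \\ooo escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
        value = re.sub(r"\\([0-7]{3}|\\)",
                       lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), value)
    return value


def parse_radius_dump(text):
    """Map attribute name -> list of values (Module-Failure-Message repeats)."""
    attrs, last = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ")      # tolerate the archive's quote prefix
        if not line:
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
            last = m.group(1)
        elif last is not None and attrs[last][-1] == "":
            attrs[last][-1] = line           # the value was wrapped onto this line
        # anything else (the "RADIUS Reply" marker) is not an attribute
    return {k: [unquote(v) for v in vs] for k, vs in attrs.items()}


def parse_mschap_error(value):
    """Split '<ident>E=eee R=r C=... V=v M=msg' (RFC 2759 section 6) into fields."""
    ident, body = (None, value) if value.startswith("E=") else (ord(value[0]), value[1:])
    fields = dict(re.findall(r"\b([ERCV])=(\S+)", body))
    msg = re.search(r"M=(.*)$", body)
    code = int(fields["E"])
    return {"ident": ident, "code": code, "name": MSCHAP_ERROR_CODES.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1", "version": int(fields.get("V", "0")),
            "message": msg.group(1) if msg else ""}


def parse_eap_message(value):
    """EAP header of the reply: code (4 = Failure), identifier, length."""
    data = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    return {"code": data[0], "id": data[1], "length": int.from_bytes(data[2:4], "big")}


def diagnose(attrs):
    """Summarise the rejection using only what the dump shows."""
    failures = attrs.get("Module-Failure-Message", [])
    eap_type = attrs.get("EAP-Type", [None])[0]
    domain, _, account = attrs.get("User-Name", [""])[0].rpartition("\\")
    mschap = parse_mschap_error(attrs["MS-CHAP-Error"][0]) if "MS-CHAP-Error" in attrs else None
    eap = parse_eap_message(attrs["EAP-Message"][0]) if "EAP-Message" in attrs else None
    response_rejected = any("MS-CHAP2-Response is incorrect" in f for f in failures)
    # "0xc06d" in the script output matches the Windows text for NT_STATUS_LOGON_FAILURE
    # (0xC000006D): the domain backend answered but could not validate this account's NT response.
    logon_failure = any("0xc06d" in f for f in failures)
    if eap_type == "MSCHAPv2" and response_rejected and logon_failure:
        verdict = "mschapv2_rejected_by_domain_backend"
        hint = ("MS-CHAPv2 can only be verified from the cleartext password or its NT hash: check "
                "that the source exposes one of them or that the domain join works, and confirm the "
                "credentials with /usr/local/pf/pftest authentication USERNAME PASSWORD")
    elif eap_type == "MSCHAPv2" and response_rejected:
        verdict = "mschapv2_response_mismatch"
        hint = "wrong password or a hash stored before the storage method changed; reset the password"
    else:
        verdict = "other"
        hint = "read Module-Failure-Message"
    return {"verdict": verdict, "hint": hint, "domain": domain, "account": account,
            "eap_type": eap_type, "mschap_error": mschap, "eap_reply": eap, "failures": failures}


if __name__ == "__main__":
    result = diagnose(parse_radius_dump(SAMPLE_DUMP))
    for key in ("verdict", "hint", "domain", "account", "mschap_error", "eap_reply"):
        print(f"{key}: {result[key]}")
```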


Re: [PacketFence-users] ldap authentication failed

2022-11-23 Thread Nikunj Vacchani via PacketFence-users
Hello

I'm able to authenticate with a local user but I'm not able to authenticate with 
my LDAP server users.

I'm facing this error:

PacketFence-KeyBalanced = "1acc010ea4ece6928d7a7f0c37444c0f"
PacketFence-Radius-Ip = "10.20.40.153"
Event-Timestamp = "Nov 17 2022 12:42:35 IST"
Acct-Session-Id = "05000132"
NAS-Port = 53
NAS-IP-Address = 11.11.11.240
PacketFence-NTLMv2-Only = ""
EAP-Message = 
0x020800431a0208003e319e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a005252555c74657374
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
MS-CHAP2-Response = 
0x08529e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a
Calling-Station-Id = "54:05:db:0a:ae:a4"
Stripped-User-Name = "test"
User-Name = "RRU\\test"
PacketFence-Outer-User = "RRU\\test"
NAS-Port-Type = Ethernet
PacketFence-Domain = "RRUAD01"
MS-CHAP-Challenge = 0xa88d981c98c2e8b5e0512896662f75d3
Realm = "default"
MS-CHAP-User-Name = "RRU\\test"
State = 0x0e2308c40e2b12014ce5e92689785f0a
Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 
'The attempted logon is invalid. This is either due to a bad username or 
authentication information. (0xc06d)'"
Module-Failure-Message = "chrooted_mschap: External script says: The attempted 
logon is invalid. This is either due to a bad username or authentication 
information. (0xc06d)"
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
User-Password = "**"
SQL-User-Name = "RRUtest"
RADIUS Reply
MS-CHAP-Error = "\010E=691 R=0 C=fefbe43603701f99844df4f72dfc01ac V=3 
M=Authentication rejected"
EAP-Message = 0x04080004
Message-Authenticator = 0x


Does anyone have an idea how to resolve this error?

Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490

From: Nikunj Vacchani via PacketFence-users 

Sent: 16 November 2022 07:29 PM
To: packetfence-users@lists.sourceforge.net
Cc: Nikunj Vacchani 
Subject: [PacketFence-users] ldap authentication failed


Hello everyone,

I'm facing an issue when I'm trying to authenticate with an LDAP user.

ERROR:

chrooted_mschap: Program returned code (1) and output 'The attempted logon is 
invalid. This is either due to a bad username or authentication information. 
(0xc06d)'

How do I resolve this issue?

Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490



Re: [PacketFence-users] LDAP SSL Authentication Source

2020-05-08 Thread Ludovic Zammit via PacketFence-users
Hello Chad,

PacketFence ignores the certificate by default, so just configure the port 636 
on the AD LDAP source and it should be good.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




> On May 7, 2020, at 4:05 PM, Chad Jemison via PacketFence-users 
>  wrote:
> 
> Hello,
>  
> I am trying to enable LDAP SSL in my authentication source. I have a Windows 
> PKI and have imported the certificate, key, and intermediate certificates for 
> both HTTP and RADIUS now. Is there something I am missing to enable secure 
> LDAP lookups with Packetfence?  
>  
> My domain controllers have certificates from our internal CA. I am able to 
> test using ldp.exe on my desktop with port 636 to my DC and it connects and 
> shows that SSL is enabled.
>  
>  
>  
>  
> ---
> Chad Jemison
> Director of IT
> Seneca Gaming Authority 
> 345 Third Street, Suite 404
> Niagara Falls, New York 14303
> 716-299-1246 x267
>  
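Added example, not from either thread and not PacketFence's code: a Python probe that separates the two failure modes discussed here. Cory's case (nothing leaves the server) fails at the TCP stage; a certificate problem like the one Chad is setting up fails at the TLS stage. Unlike the ignore-the-certificate default Ludovic mentions, the TLS stage validates the server's chain against a CA file and checks the hostname. The local plaintext listener and the hostname in the usage comment are constructed stand-ins.

```python
"""Stage-by-stage LDAPS check for an authentication source: TCP reach, then TLS with validation."""
import socket
import ssl
import threading


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return which stage failed. 'tcp' False means no session was even opened (routing,
    firewall, wrong address); 'tls' False means the server answered but the handshake or
    the certificate validation failed."""
    result = {"tcp": False, "tls": False, "error": None, "issuer": None, "not_after": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp"] = True
    # This context requires a chain to a trusted CA (the system store, or the internal CA
    # given in cafile) and a hostname that matches the certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()         # populated only after successful validation
            result["tls"] = True
            result["issuer"] = dict(rdn[0] for rdn in cert.get("issuer", ()))
            result["not_after"] = cert.get("notAfter")
    except OSError as exc:                   # ssl.SSLError is a subclass of OSError
        result["error"] = f"tls: {exc}"
    finally:
        sock.close()
    return result


def start_plaintext_listener():
    """Constructed stand-in for a host that accepts TCP on the port but does not speak TLS
    (e.g. a plain-LDAP port published as 636). Returns the loopback port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        conn.recv(4096)                          # swallow the ClientHello
        conn.sendall(b"not a TLS server\r\n")    # garbage instead of a ServerHello
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Pick a loopback port with nothing listening (constructed for the demo)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    print(probe_ldaps("127.0.0.1", start_plaintext_listener(), timeout=3))
    print(probe_ldaps("127.0.0.1", closed_local_port(), timeout=3))
    # Against a real source (hostname and CA path are placeholders):
    # print(probe_ldaps("dc01.example.internal", 636, cafile="/path/to/internal-ca.pem"))
```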


Re: [PacketFence-users] LDAP Admin Portal Login

2019-06-07 Thread Nicholas Pier via PacketFence-users
Hi Stuart

Yes, I've accomplished something similar in a few situations. AD
credentials can be leveraged for this purpose. I'd setup an AD
authentication source and point it to a local domain controller.

Configuration -> Policies and Access Control -> Authentication Sources ->
Internal -> Active Directory

Fill out the typical bind information. I'd recommend creating a new user in
AD for this. Also, the ldp.exe tool can be helpful if the LDAP DN strings
are a pain to type.

You can test the LDAP Bind with a button on the page in ver 9.0.1. It may
be available in previous versions too.

Towards the bottom, you can configure authentication and administration
rules.

Authentication -> These rules are great for use with captive portals and
who can register a device.
Administration -> These control what level of admin privileges are assigned
to users when they authenticate. You probably want to assign a condition
here.

Make sure to use Actions to specify roles and durations.

Conditions gave me trouble at first. I tried using "memberOf" to match
groups with the "contains" option. Save yourself a troubleshooting headache
and use regex instead. Something like ^.Domain Admins.* should do the
trick. Then you can specify different permissions per AD group.

Last, add this auth policy to a connection profile. If you're using the
default, this is easy.

I hope this is helpful,

Nick Pier


On Thu, Jun 6, 2019 at 3:02 AM Stuart Gendron via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hey all,
>
> Wondering if it's possible to login with your AD credentials to the admin
> portal?
>
> Idea is we would have some users login and manage the roles they have
> assigned to their nodes. Since the update I've seen you can lock users down
> to certain roles, so this would be great as we would allow certain VPN
> networks that aren't corporate.
>
> Thanks!
>
> --
>
> *Stuart Gendron*
> IT Support Specialist
>
> *You.i Labs*
> 307 Legget Drive, Kanata, ON, K2K 3C8
> 
> t (613) 228-9107 x258 | c (613) 697-6853
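Added example (not from the thread and not PacketFence's own code): a toy evaluation of administration rules over an account's memberOf values, in Python. It shows why a loose group condition is risky for an admin rule: it also matches a look-alike group such as "Domain Admins Helpdesk", while a regex anchored on `^CN=Domain Admins,` matches only the real group. The memberOf DNs, rule format, operator names and admin role names are assumed for the illustration.

```python
"""Toy evaluation of PacketFence-style administration rules on an AD user's memberOf values."""
import re

# Constructed sample memberOf values (AD returns full group DNs).
ALICE = ["CN=Domain Admins,CN=Users,DC=corp,DC=example",
         "CN=VPN-Users,OU=Groups,DC=corp,DC=example"]
BOB = ["CN=Domain Admins Helpdesk,OU=Groups,DC=corp,DC=example"]


def condition_matches(op, pattern, values):
    """'contains' is a substring test; 'regex' is a case-insensitive search (DNs are case-insensitive)."""
    if op == "contains":
        return any(pattern.lower() in v.lower() for v in values)
    if op == "regex":
        return any(re.search(pattern, v, re.IGNORECASE) for v in values)
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(rules, memberof):
    """Walk the rules in order and return the first that matches (toy first-match semantics)."""
    for rule in rules:
        if condition_matches(rule["op"], rule["pattern"], memberof):
            return rule["name"], rule["actions"]
    return None, {}


# Loose version: any group whose DN merely contains the words gets full admin rights.
LOOSE_RULES = [
    {"name": "domain-admins", "op": "contains", "pattern": "Domain Admins",
     "actions": {"set_access_level": "ALL"}},
]

# Anchored version: the RDN must be exactly CN=Domain Admins, terminated by the comma.
STRICT_RULES = [
    {"name": "domain-admins", "op": "regex", "pattern": r"^CN=Domain Admins,",
     "actions": {"set_access_level": "ALL"}},
    {"name": "helpdesk", "op": "regex", "pattern": r"^CN=Domain Admins Helpdesk,",
     "actions": {"set_access_level": "Node Manager"}},
]


if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        print(label, "alice ->", evaluate(rules, ALICE), "bob ->", evaluate(rules, BOB))
```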


Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-24 Thread Fabrice Durand via PacketFence-users

Hello Benjamin,

can you try that:

https://github.com/inverse-inc/packetfence/compare/fix/unset_role_on_autoreg.diff

Regards

Fabrice


On 2019-01-22 at 09:05, Fabrice Durand via PacketFence-users wrote:

Hello Benjamin,

What I can do is add a connection profile option that will unset 
the role of the device if no sources return a role.


It will be something like "unset the role if no sources compute one".

I will let you know when it is done.

Regards

Fabrice


On 2019-01-21 at 15:46, Brenek, Benjamin wrote:

Hello Fabrice,

Sorry for the delayed reply. I did as you requested and removed the 
role from a device and tried logging in with an account that should 
not work. It does appear that now the account is getting rejected 
properly.


Is there a catchall rule that can be applied so that this does not 
happen in production, or is there another solution that can be used? 
It is not desirable for us to have users potentially be able to login 
with out-of-scope accounts.


Thank you,

Ben

-Original Message-
From: Fabrice Durand via PacketFence-users 


Sent: Wednesday, January 16, 2019 9:42 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN 
and Scope are not followed.





Hello Benjamin,

So I think I know what happens: you are using the LDAP source just for 
authorization, and if there are no rules that match then PacketFence 
will use the role of the device.


Can you try to remove the role of the device and make another try?

Thanks

Fabrice


On 2019-01-15 at 21:07, Durand fabrice via PacketFence-users wrote:

Hello Benjamin,

It looks OK, so I will do some tests tomorrow and let you know.

Regards

Fabrice


On 2019-01-15 at 14:29, Brenek, Benjamin wrote:

Hello Fabrice,

Sorry for the delay.

We are using an external captive portal (Aerohive) that authenticates
using PacketFence. PacketFence is configured with a radius proxy in
/usr/local/pf/raddb/proxy.conf that forwards to our radius servers
for authorization. Then we use the LDAP authentication source to
auto-register the device.

I have attached:
authentication.conf
profiles.conf
proxy.conf

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Durand fabrice 
Sent: Friday, January 11, 2019 6:49 PM
To: Brenek, Benjamin ;
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN
and Scope are not followed.



Hello Benjamin,

Just one thing to be sure I understand correctly: do you
authenticate on the portal, or is it autoreg via RADIUS?

Can you send me the authentication.conf and profiles.conf files?

Thanks

Regards

Fabrice


On 2019-01-11 at 09:44, Brenek, Benjamin wrote:

Hi Fabrice,

I did as requested and ran a capture for ldap traffic between
PacketFence and the ldap source. The BaseDN is correct (ou=Company
Users,dc=subdomain,dc=domain,dc=com) and the scope was correct
(subtree => wholeSubtree). It also appears that all searchRequests
return 0 results, which makes it seem like PacketFence is doing
something even though it shouldn't.

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Durand fabrice via PacketFence-users

Sent: Thursday, January 10, 2019 6:30 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN
and Scope are not followed.



Hello Benjamin,

What you can do is capture the LDAP traffic between PacketFence
and the LDAP source and see with Wireshark if the scope/base DN is
what you set in the authentication source.

In the code it does a search for the DN of the user and tries to bind
with this DN.

So if the user is not in or under the base DN then the search should
not return anything and the authentication should fail.

So take the capture and see what happens exactly.

Regards

Fabrice



On 2019-01-10 at 10:38, Brenek, Benjamin via PacketFence-users wrote:

Hi Nicolas,

Our authentication rules under the LDAP sources do not check LDAP
attributes, as expected/assumed functionality of the LDAP Source
would be to restrict authorization to the specified Base DN. Is
this expectation/assumption incorrect?

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Nicolas Quiniou
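Added example (a toy model in Python, not PacketFence's code): the search-then-bind flow Fabrice describes, with LDAP base/one/sub scope applied to the base DN from the thread, and the role fallback he points at: when no rule matches, the node keeps its current role unless the proposed "unset the role if no sources compute one" option is on. The directory entries, passwords and group DNs are constructed; the config keys mirror authentication.conf names.

```python
"""Toy model of the thread's LDAP source: search under base DN/scope, bind as the DN found,
and fall back to the node's existing role when no rule matches."""


def normalize_dn(dn):
    """Split a DN into RDNs, trimmed and lower-cased (simplified: no escaped-comma handling)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """LDAP search scopes: 'base' = the base entry only, 'one' = its direct children,
    'sub' = wholeSubtree (what the thread's capture showed)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


# Constructed sample directory: one account under the base DN from the thread, one outside it.
DIRECTORY = {
    "uid=alice,ou=Company Users,dc=subdomain,dc=domain,dc=com": {
        "uid": "alice", "password": "alice-pw",
        "memberOf": ["cn=staff,ou=Groups,dc=subdomain,dc=domain,dc=com"]},
    "uid=mallory,ou=Contractors,dc=subdomain,dc=domain,dc=com": {
        "uid": "mallory", "password": "mallory-pw", "memberOf": []},
}

# Keys mirror authentication.conf names; basedn and scope are the ones reported in the thread.
SOURCE = {"basedn": "ou=Company Users,dc=subdomain,dc=domain,dc=com",
          "scope": "sub", "usernameattribute": "uid"}


def search_user(directory, source, username):
    """The searchRequest: entries under basedn/scope whose username attribute equals the login."""
    return [dn for dn, entry in directory.items()
            if in_scope(dn, source["basedn"], source["scope"])
            and entry.get(source["usernameattribute"]) == username]


def authenticate(directory, source, username, password):
    """Search, then bind as the DN found. None means the attempt is rejected."""
    found = search_user(directory, source, username)
    if len(found) != 1:
        return None          # nothing (or more than one entry) under the base DN: no bind attempted
    dn = found[0]
    if directory[dn]["password"] != password:
        return None          # bind as that DN failed
    return dn


def authorize(directory, source, rules, username, node_role, unset_if_no_match):
    """Authorization-only use of the source, as in the thread: rules are (group DN, role) pairs
    evaluated in order, first match wins (toy semantics). With no match the node keeps its
    current role, which is what let out-of-scope accounts through; the proposed
    connection-profile option unsets it instead."""
    found = search_user(directory, source, username)
    entry = directory[found[0]] if len(found) == 1 else {}
    groups = {g.lower() for g in entry.get("memberOf", [])}
    for group_dn, role in rules:
        if group_dn.lower() in groups:
            return role
    return None if unset_if_no_match else node_role


if __name__ == "__main__":
    rules = [("cn=staff,ou=Groups,dc=subdomain,dc=domain,dc=com", "employee")]
    for user, pw in (("alice", "alice-pw"), ("mallory", "mallory-pw")):
        print(user, "bind ->", authenticate(DIRECTORY, SOURCE, user, pw))
        for unset in (False, True):
            print(user, f"role (unset_if_no_match={unset}) ->",
                  authorize(DIRECTORY, SOURCE, rules, user, "default", unset))
```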

Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-22 Thread Fabrice Durand via PacketFence-users

Hello Benjamin,

What I can do is add a connection profile option that will unset the 
role of the device if no sources return a role.


It will be something like "unset the role if no sources compute one".

I will let you know when it is done.

Regards

Fabrice


On 2019-01-21 at 15:46, Brenek, Benjamin wrote:

Hello Fabrice,

Sorry for the delayed reply. I did as you requested and removed the role from a 
device and tried logging in with an account that should not work. It does 
appear that now the account is getting rejected properly.

Is there a catchall rule that can be applied so that this does not happen in 
production, or is there another solution that can be used? It is not desirable 
for us to have users potentially be able to login with out-of-scope accounts.

Thank you,

Ben

-Original Message-
From: Fabrice Durand via PacketFence-users 

Sent: Wednesday, January 16, 2019 9:42 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope 
are not followed.



Hello Benjamin,

So I think I know what happens: you are using the LDAP source just for 
authorization, and if there are no rules that match then PacketFence will use the 
role of the device.

Can you try to remove the role of the device and make another try?

Thanks

Fabrice


On 2019-01-15 at 21:07, Durand fabrice via PacketFence-users wrote:

Hello Benjamin,

It looks OK, so I will do some tests tomorrow and let you know.

Regards

Fabrice


On 2019-01-15 at 14:29, Brenek, Benjamin wrote:

Hello Fabrice,

Sorry for the delay.

We are using an external captive portal (Aerohive) that authenticates
using PacketFence. PacketFence is configured with a radius proxy in
/usr/local/pf/raddb/proxy.conf that forwards to our radius servers
for authorization. Then we use the LDAP authentication source to
auto-register the device.

I have attached:
authentication.conf
profiles.conf
proxy.conf

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Durand fabrice 
Sent: Friday, January 11, 2019 6:49 PM
To: Brenek, Benjamin ;
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN
and Scope are not followed.

CAUTION: This email originated from outside of BAYADA. Beware of
links and attachments.


Hello Benjamin,

just one thing to be sure to understand correctly, do you
authenticate on the portal or is it autoreg via radius ?

Can you send me the authentication.conf and profiles.conf file ?

Thanks

Regards

Fabrice


Le 19-01-11 à 09 h 44, Brenek, Benjamin a écrit :

Hi Fabrice,

I did as requested and ran a capture for ldap traffic between
PacketFence and the ldap source. The BaseDN is correct (ou=Company
Users,dc=subdomain,dc=domain,dc=com) and the scope was correct
(subtree => wholeSubtree). It also appears that all searchRequests
return 0 results, which makes it seem like PacketFence is doing
something even though it shouldn't.

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Durand fabrice via PacketFence-users

Sent: Thursday, January 10, 2019 6:30 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN
and Scope are not followed.

CAUTION: This email originated from outside of BAYADA. Beware of
links and attachments.


Hello Benjamin,

what you can do is to capture the ldap traffic between PacketFence
and the ldap source and see with wireshark if the scope/base dn is
what you set in the authentication source.

In the code it does a search for the dn of the user and try to bind
with this dn.

So if the user is not in or under the basedn then the search should
not return anything and the authentication should fail.

So take the capture and see what happen exactly.

Regards

Fabrice



Le 19-01-10 à 10 h 38, Brenek, Benjamin via PacketFence-users a écrit :

Hi Nicolas,

Our authentication rules under the LDAP sources do not check LDAP
attributes, as expected/assumed functionality of the LDAP Source
would be to restrict authorization to the specified Base DN. Is
this expectation/assumption incorrect?

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Nicolas Quiniou-Briand 
Sent: Thursday, January 10, 2019 10:20 AM
To: Brenek, Benjamin ;
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN
and Scope are not followed.

CAUTIO

Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-21 Thread Brenek, Benjamin via PacketFence-users
Hello Fabrice,

Sorry for the delayed reply. I did as you requested and removed the role from a 
device and tried logging in with an account that should not work. It does 
appear that now the account is getting rejected properly.

Is there a catchall rule that can be applied so that this does not happen in 
production, or is there another solution that can be used? It is not desirable 
for us to have users potentially be able to log in with out-of-scope accounts.

Thank you,

Ben


Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-16 Thread Fabrice Durand via PacketFence-users

Hello Benjamin,

So I think I know what happens: you are using the LDAP source just for 
authorization, and if there are no rules that match then PacketFence will 
use the role of the device.


Can you try to remove the role of the device and make another try?

Thanks

Fabrice



Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-15 Thread Durand fabrice via PacketFence-users

Hello Benjamin,

It looks OK, so I will do some tests tomorrow and let you know.

Regards

Fabrice



Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-15 Thread Brenek, Benjamin via PacketFence-users
Hello Fabrice,

Sorry for the delay. 

We are using an external captive portal (Aerohive) that authenticates using 
PacketFence. PacketFence is configured with a radius proxy in 
/usr/local/pf/raddb/proxy.conf that forwards to our radius servers for 
authorization. Then we use the LDAP authentication source to auto-register the 
device.

I have attached:
authentication.conf
profiles.conf
proxy.conf

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com


Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-11 Thread Durand fabrice via PacketFence-users

Hello Benjamin,

Just one thing, to be sure I understand correctly: do you authenticate 
on the portal, or is it autoreg via RADIUS?


Can you send me the authentication.conf and profiles.conf files?

Thanks

Regards

Fabrice



Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-11 Thread Brenek, Benjamin via PacketFence-users
Hi Fabrice,

I did as requested and ran a capture for ldap traffic between PacketFence and 
the ldap source. The BaseDN is correct (ou=Company 
Users,dc=subdomain,dc=domain,dc=com) and the scope was correct (subtree => 
wholeSubtree). It also appears that all searchRequests return 0 results, which 
makes it seem like PacketFence is doing something even though it shouldn't.

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com


Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-10 Thread Durand fabrice via PacketFence-users

Hello Benjamin,

What you can do is capture the LDAP traffic between PacketFence and 
the LDAP source and see with Wireshark if the scope/base DN is what you 
set in the authentication source.


In the code, it does a search for the DN of the user and tries to bind with 
this DN.


So if the user is not in or under the base DN, then the search should not 
return anything and the authentication should fail.


So take the capture and see what happens exactly.

Regards

Fabrice



On 2019-01-10 10:38, Brenek, Benjamin via PacketFence-users wrote:

Hi Nicolas,

Our authentication rules under the LDAP sources do not check LDAP attributes, 
as expected/assumed functionality of the LDAP Source would be to restrict 
authorization to the specified Base DN. Is this expectation/assumption 
incorrect?

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
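
Fabrice's search-then-bind description, modelled as an added example (illustrative Python written for this page, not PacketFence's code): a search under the configured base DN with the configured scope must return exactly one entry for the username, and only that entry's DN is used for the bind. The in-memory directory, the DNs and the passwords below are constructed sample data, and `parse_dn`, `in_scope` and `authenticate` are names chosen here. It goes one step past the thread by handling all three LDAP scopes (base, one, sub), so an entry one level too deep for scope `one` fails the same way an entry outside the base DN does.

```python
"""Search-then-bind against a base DN and scope, as Fabrice describes it.
Added example with a constructed in-memory directory; not PacketFence code."""
import hmac

# Constructed sample directory: DN -> attributes. bob sits one level deeper
# than alice; carol is outside ou=staff entirely.
DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=com": {"uid": "alice", "userPassword": "alice-pw"},
    "uid=bob,ou=field,ou=staff,dc=example,dc=com": {"uid": "bob", "userPassword": "bob-pw"},
    "uid=carol,ou=contractors,dc=example,dc=com": {"uid": "carol", "userPassword": "carol-pw"},
}


def parse_dn(dn: str) -> tuple:
    """Split a DN into RDNs, most specific first, lower-cased and with surrounding
    whitespace dropped so 'OU=Staff, DC=Example' compares equal to 'ou=staff,dc=example'.
    A backslash-escaped comma stays inside its RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip().lower())
    return tuple(rdns)


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """LDAP search scopes: base = the base entry only, one = its direct children,
    sub = the base entry and everything beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base DN at all
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def search(base_dn: str, scope: str, attr: str, value: str) -> list:
    """Entries under base_dn/scope whose attr equals value (an equality filter)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope) and attrs.get(attr) == value]


def simple_bind(dn: str, password: str) -> bool:
    """Simulated simple bind: succeeds only for a known DN with the right password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


def authenticate(base_dn: str, scope: str, username: str, password: str,
                 username_attr: str = "uid"):
    """Step 1: search for the user's DN under the configured base DN and scope.
    Step 2: bind as that DN. Returns (ok, detail). A user outside the base DN
    never reaches step 2, which is the failure Fabrice expects."""
    found = search(base_dn, scope, username_attr, username)
    if not found:
        return False, "no entry for %s under %s (scope %s)" % (username, base_dn, scope)
    if len(found) > 1:
        return False, "ambiguous: %d entries match %s" % (len(found), username)
    if simple_bind(found[0], password):
        return True, found[0]
    return False, "bind as %s failed" % found[0]


if __name__ == "__main__":
    base = "ou=staff,dc=example,dc=com"
    for scope, user in (("sub", "alice"), ("sub", "bob"), ("one", "bob"), ("sub", "carol")):
        print(scope, user, authenticate(base, scope, user, user + "-pw"))
```

When reading the Wireshark capture Fabrice suggests, compare the baseObject and scope in the SearchRequest with what this model needs: if a user who sits outside the base DN is still accepted, the LDAP search was not what let them in.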


Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-10 Thread Brenek, Benjamin via PacketFence-users
Hi Nicolas,

Our authentication rules under the LDAP sources do not check LDAP attributes, 
as expected/assumed functionality of the LDAP Source would be to restrict 
authorization to the specified Base DN. Is this expectation/assumption 
incorrect?

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-10 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello Benjamin,

On 2019-01-10 3:54 p.m., Brenek, Benjamin wrote:

Hi Nicolas,

I did as requested. It looks like the authentication comes back with no 
matches, yet still authenticates the user. Attached is the part of the log that 
relates to authentication of the user.


I saw this:
```
Matched condition SSID equals Company_Employee (pf::Authentication::Source::match_rule)
[..]
Matched condition SSID equals Company_Employee (pf::Authentication::Source::match_rule)
```
for both LDAP sources.

Did you have rules on your LDAP sources that check the SSID value in 
place of an LDAP attribute ?

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-10 Thread Brenek, Benjamin via PacketFence-users
Hi Nicolas,

I did as requested. It looks like the authentication comes back with no 
matches, yet still authenticates the user. Attached is the part of the log that 
relates to authentication of the user.

Thank you,

Ben


```
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com auth[1440]: rlm_rest (rest): Opening additional connection (3), 1 of 64 pending slots used
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com packetfence_httpd.aaa[22028]: httpd.aaa(22011) DEBUG: [mac:[undef]] application/json (pf::WebAPI::handler)
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com packetfence_httpd.aaa[22028]: httpd.aaa(22011) DEBUG: [mac:[undef]] instantiating new pf::radius object (pf::radius::new)
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com packetfence_httpd.aaa[22028]: httpd.aaa(22011) DEBUG: [mac:[undef]] instantiating switch (pf::radius::authorize)
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com haproxy[875]: 127.0.0.1:49262 [10/Jan/2019:09:03:02.157] main mysql/MySQL0 1/0/1 104 -- 24/23/22/22/0 0/0
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com haproxy[875]: 127.0.0.1:49258 [10/Jan/2019:09:03:02.154] main mysql/MySQL0 1/0/4 104 -- 23/22/21/21/0 0/0
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com haproxy[875]: 127.0.0.1:49266 [10/Jan/2019:09:03:02.160] main mysql/MySQL0 1/0/1 183 -- 23/22/21/21/0 0/0
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com packetfence_httpd.aaa[22028]: httpd.aaa(22011) DEBUG: [mac:[undef]] cache get for namespace='switch.overlay', key='192.168.222.11', cache='DBI', time='1ms': MISS (not in cache) (CHI::Driver::_log_get_result)
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com packetfence_httpd.aaa[22028]: httpd.aaa(22011) DEBUG: [mac:[undef]] creating new pf::Switch::AeroHIVE::AP object (pf::SwitchFactory::instantiate)
Jan 10 09:03:02 drpacketfence01.subdomain.domain.com packetfence_httpd.aaa[22028]: httpd.aaa(22011) DEBUG: [mac:[undef
```

Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-09 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello Benjamin,

On 2019-01-09 3:13 p.m., Brenek, Benjamin via PacketFence-users wrote:

Can anyone possibly provide some insight into why this issue is occurring?


Try to increase log level from INFO to DEBUG at first line of 
/usr/local/pf/conf/log.conf.d/httpd.aaa.conf. Then do a 
`/usr/local/pf/bin/pfcmd service httpd.aaa restart`


In packetfence.log, you should see more details on your LDAP queries. 
Otherwise, you can try to capture LDAP traffic between your PF and LDAP 
servers.

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] LDAP

2018-05-31 Thread Jason 'XenoPhage' Frisvold via PacketFence-users
This is intended to be temporary anyway, so will push through with this since I 
have it at least partially working.

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools."
- The Hitchhikers Guide to the Galaxy

> On May 31, 2018, at 11:54, Ludovic Marcotte via PacketFence-users 
>  wrote:
> 
> On 2018-05-31 11:49 AM, Jason 'XenoPhage' Frisvold via PacketFence-users 
> wrote:
> 
>> 802.1x would be for enhanced security, but we’re limited to either cleartext 
>> or a crappy hash?  I understand this isn’t your issue…  Still sucks though.
> Alternatively you can use Samba4 instead of OpenLDAP and use ntlm_auth just 
> like you would do with AD. Samba4 also includes a LDAP service.
> 
> --
> Ludovic Marcotte
> lmarco...@inverse.ca  ::  +1.514.755.3630  ::  http://inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://sogo.nu), PacketFence 
> (http://packetfence.org) and Fingerbank (http://fingerbank.org)
> 
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users



signature.asc
Description: Message signed with OpenPGP
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] LDAP

2018-05-31 Thread Jason 'XenoPhage' Frisvold via PacketFence-users
Yuck.

802.1x would be for enhanced security, but we’re limited to either cleartext or 
a crappy hash?  I understand this isn’t your issue…  Still sucks though.

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

> On May 29, 2018, at 21:16, Durand fabrice via PacketFence-users 
>  wrote:
> 
> Hello Jason,
> Is it for 802.1x ?
> 
> If yes then it should be a clear text password or a nthash. 
> (http://deployingradius.com/documents/protocols/compatibility.html)
> And you will need to configure radius with something like that: 
> https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute#freeradius-configuration.
> 
> If it's not for 802.1x then a simple bind is enough and the hash you use 
> doesn't really matter.
> Regards
> 
> Fabrice
> 
> 

Re: [PacketFence-users] LDAP

2018-05-29 Thread Jason 'XenoPhage' Frisvold via PacketFence-users
Docker to the rescue.  Was able to get a simple openLDAP container up and 
running pretty quickly.  Using phpLdapAdmin to get the initial stuff set up, 
then I’ll nuke that container with fire.  :)

So, with LDAP in place, what sort of hash do I need to use within LDAP in order 
to make everything work with PacketFence?  Can I use something like SHA512 or, 
better yet, blowfish?  Or do I have to use something else?  How do I specify 
what I'm using within PacketFence?

From what I remember, this was tied to RADIUS.  I think it had to match 
whatever RADIUS was using, but I can’t remember how to get that information.

Thanks,

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools."
- The Hitchhikers Guide to the Galaxy




signature.asc
Description: Message signed with OpenPGP
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] LDAP

2018-05-24 Thread David Harvey via PacketFence-users
Not sure how much the standalone 389 directory lets you do from its admin
interface, but a simple FreeIPA install (which includes 389) is also pretty
quick and easy to set up, and has a very comprehensive interface.  It may
contain way more features than you want though!
Alternatively, I know QNAP NAS units have some built-in LDAP server bits, as I
imagine other NAS units would do, so if you have one on premise it may be worth
checking out..

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] LDAP

2018-05-23 Thread Durand fabrice via PacketFence-users
I'm thinking of this one, http://directory.fedoraproject.org/, which comes 
with an admin interface.


https://www.ehowstuff.com/setup-389-directory-server-on-centos-7/


On 2018-05-23 15:56, Jason 'XenoPhage' Frisvold via PacketFence-users wrote:

Hi all,

I’m looking for a quick and simple LDAP install I can use with 
packetfence as a temporary authentication source.  Before I stand up an 
openldap server, or perhaps openldap in a container, is anyone using something 
that’s quicker to stand up and get running?  I’d love something with an 
interface I can use to add users, change passwords, etc.

Thanks,

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] LDAP Source Problem

2018-04-18 Thread Fabrice Durand via PacketFence-users
Hello Nathan,

does the LDAP server have the password in clear text or in nthash format?

If not, then it will not work, but if it does, then it will be similar to a
FreeRADIUS eDirectory configuration.

Regards

Fabrice



On 2018-04-06 10:35, Nathan, Josh via PacketFence-users wrote:
> OK, I tried defining my LDAP source separately in the mod-available
> section (and of course adding the sym link in mods-enabled).  Made
> sure the references within the packetfence-tunnel file had ldap
> enabled as well.  For what it's worth, I've also moved this to a
> test-bed running PacketFence 7.4.0.
>
> At this point, it seems to at least be attempting the LDAP
> authentication, but the radius logs show:
>
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: rlm_ldap (ldap): Bind with uid=adminuser,ou=Users,o=,dc=jumpcloud,dc=com to ldaps://ldap.jumpcloud.com:636 failed: Can't contact LDAP server
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: rlm_ldap (ldap): Opening connection failed (5)
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (79)   Invalid user: [josh.nathan] (from client 172.20.242.214/16 port 0 cli a8:7c:01:a2:60:6f via TLS tunnel)
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   to find out the reason why the user was rejected
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   what went wrong, and how to fix the problem
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [josh.nathan] (from client 172.20.242.214/16 port 0 cli a8:7c:01:a2:60:6f)
> Apr  6 14:29:17 PacketFence-ZEN auth[7892]: [mac:a8:7c:01:a2:60:6f] Rejected user: josh.nathan
>
>
> Once again, the part that throws me off is that from the admin
> console, the test bind is successful using SSL.  So the message about
> not being able to contact the LDAP server is a little confusing to me.
>
> Any help with next direction to look?  I'm pretty new to trying to use
> LDAP at all, and am testing JumpCloud's LDAP service to see if it
> would be a good fit.
>
>
>   
> Joshua Nathan
> *IT Supervisor*
> Black Forest Academy
>
> p:+49 (0) 7626 9161 630 m: +49 (0) 152 3452 0056
> a:
> w:Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de 
>
>   
>
>
>
> On Wed, Mar 21, 2018 at 4:36 PM, Nathan, Josh
> > wrote:
>
> Hello,
>
> So, I'm having some trouble setting up an LDAP authentication
> source in PacketFence version 6.0.1.
>
> It tests successfully, and doing an ldapsearch test comes back
> without issue.  In fact, from the registration VLAN, through the
> PacketFence Captive Portal it works!
>
> However, with the username and password, it's not connecting to
> our 802.1X (WPA2-Enterprise) wireless network.  It comes back
> saying that the username/password is invalid.  We've been using a
> separate RADIUS database for user management, but actually using
> LDAP is of course a much better option.  I've tried looking at the
> logs, but I'm not readily finding anything.
>
> Why would it work in the captive portal, but not from an 802.1X
> handshake?
>
> I will note that I'm using SSL over port 636, and a self-signed
> certificate in these tests if that makes a difference.
>
> Thanks for helping point me in the right direction!
>
>   
> Joshua Nathan
> *IT Supervisor*
> Black Forest Academy
>
> p:+49 (0) 7626 9161 630 m: +49 (0) 152 3452 0056
> a:
> w:Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de 
>
>   
>
>
>
>
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
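
Fabrice's answer here, and in the May 2018 "LDAP" thread above, is that 802.1X (EAP-PEAP/MSCHAPv2) needs the password in clear text or as an NT hash, while a simple bind (the captive-portal case) works with any storage scheme. The added example below (illustrative Python written for this page, not PacketFence or FreeRADIUS code) computes the NT hash, MD4 over the UTF-16LE password, the way Windows and Samba store it, and classifies an LDAP password value by whether a RADIUS server could obtain that hash from it. MD4 is implemented inline because `hashlib` lacks it on OpenSSL 3 builds. The `{SSHA}`/`{CRYPT}` prefixes are OpenLDAP password schemes; the `{NT}` prefix is assumed here as a hash-header convention; `sambaNTPassword` is the Samba schema attribute; the sample DN and password are constructed. Caveat: an NT hash is a password equivalent (it is what MSCHAPv2 actually proves knowledge of), so an LDAP entry holding one must be readable only by the RADIUS bind account.

```python
"""NT hash vs. one-way LDAP password schemes: what EAP-MSCHAPv2 can be verified
against. Added example, not PacketFence/FreeRADIUS code; names and samples are
constructed for illustration."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib's md4 is absent on
    OpenSSL 3 builds. Only needed to derive the NT hash below."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as Windows/Samba store it: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def mschapv2_backing(stored: str):
    """Classify one LDAP password value by whether a RADIUS server can obtain
    the NT hash that EAP-PEAP/MSCHAPv2 verification needs from it.
    Returns (usable, nt_hash_hex or None). Scheme prefixes follow the
    OpenLDAP "{SCHEME}value" form; "{NT}" is an assumed header for a stored NT hash."""
    if stored.startswith("{"):
        scheme, _, value = stored[1:].partition("}")
    else:
        scheme, value = "", stored
    scheme = scheme.upper()
    if scheme in ("", "CLEARTEXT"):
        return True, nt_hash(value)   # clear text: the server can hash it on the fly
    if scheme == "NT":
        return True, value.upper()    # already the NT hash
    return False, None                # {SSHA}, {SSHA512}, {CRYPT}, ...: one-way, not convertible


def samba_ldif(dn: str, password: str) -> str:
    """LDIF modify fragment that stores the NT hash in the Samba schema's
    sambaNTPassword attribute; a simple-bind source keeps using userPassword."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "",
    ])


if __name__ == "__main__":
    # constructed sample: the well-known NT hash of "password"
    print(nt_hash("password"))  # 8846F7EAEE8FB117AD06BDD830B7586C
    for v in ("password", "{NT}8846f7eaee8fb117ad06bdd830b7586c", "{SSHA512}c2FsdGVkLWhhc2g="):
        print(v, "->", mschapv2_backing(v))
    print(samba_ldif("uid=jdoe,ou=people,dc=example,dc=com", "password"))
```

The classification is the whole point of the two threads: a `{SSHA512}` or `{CRYPT}` userPassword verifies a simple bind fine (the portal case), but no server can turn it into the NT hash, so PEAP/MSCHAPv2 against that entry can only be rejected.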


Re: [PacketFence-users] LDAP Source Problem

2018-04-06 Thread Nathan, Josh via PacketFence-users
OK, I tried defining my LDAP source separately in the mods-available section
(and of course adding the symlink in mods-enabled).  Made sure the
references within the packetfence-tunnel file had ldap enabled as well.
For what it's worth, I've also moved this to a test-bed running PacketFence
7.4.0.

At this point, it seems to at least be attempting the LDAP authentication,
but the radius logs show:

Apr  6 14:29:17 PacketFence-ZEN auth[7892]: rlm_ldap (ldap): Bind with
uid=adminuser,ou=Users,o=,dc=jumpcloud,dc=com to ldaps://
ldap.jumpcloud.com:636 failed: Can't contact LDAP server
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: rlm_ldap (ldap): Opening
connection failed (5)
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (79)   Invalid user:
[josh.nathan] (from client 172.20.242.214/16 port 0 cli a8:7c:01:a2:60:6f
via TLS tunnel)
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   This means you
need to read the PREVIOUS messages in the debug output
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   to find out
the reason why the user was rejected
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   Look for
"reject" or "fail".  Those earlier messages will tell you
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   what went
wrong, and how to fix the problem
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) Login incorrect (eap_peap:
The users session was previously rejected: returning reject (again.)):
[josh.nathan] (from client 172.20.242.214/16 port 0 cli a8:7c:01:a2:60:6f)
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: [mac:a8:7c:01:a2:60:6f]
Rejected user: josh.nathan


Once again, the part that throws me off is that from the admin console, the
test bind is successful using SSL.  So the message about not being able to
contact the LDAP server is a little confusing to me.

Any help with next direction to look?  I'm pretty new to trying to use LDAP
at all, and am testing JumpCloud's LDAP service to see if it would be a
good fit.


Joshua Nathan
*IT Supervisor*
Black Forest Academy

p: +49 (0) 7626 9161 630 m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de




Re: [PacketFence-users] LDAP authentication

2017-09-06 Thread Tomasz Karczewski via PacketFence-users
Probably you're hitting the wrong portal profile.

From: Luís Torres via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Tuesday, September 5, 2017 4:20 PM
To: packetfence-users@lists.sourceforge.net
Cc: Luís Torres
Subject: [PacketFence-users] LDAP authentication

Hello,

I just set up user authentication on the captive portal to LDAP as well, but I get
this error when I log in on the portal:

"you do not have the permission to register a device with this username"

Where can I change the "permissions" for all authenticated LDAP users, in order
to add devices?

Regards




Re: [PacketFence-users] ldap/ad source with SSL

2016-11-25 Thread Antoine Amacher

Hello Andi,

What you're looking for is
https://packetfence.org/doc/PacketFence_Administration_Guide.html#_authentication
section 9.2.1


There is no certificate to configure for the source LDAP in itself.

SSL/Start TLS depends on how your LDAP is configured to receive the 
connection for binding.


The certificate used for (RADIUS) authentication has to be
configured in /usr/local/pf/conf/radiusd/eap.conf under the TLS section.


Thanks


On 11/25/2016 04:36 AM, Morris, Andi wrote:


Hi all,

Hopefully just a quick one. I can’t find a mention anywhere of how to
set up LDAPS as a source. I can see that you can select SSL as part of
the AD source, however I’m not sure where to configure the certificate
for this. Any pointers?


Cheers,

Andi

-

Andi Morris

IT Security Officer
Cardiff Metropolitan University

T: 02920 205720
E: amor...@cardiffmet.ac.uk 

Skype for Business: amor...@cardiffmet.ac.uk



--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] ldap failover

2015-04-30 Thread Tim DeNike
Just set the server to the base domain name of your dc. It'll DNS round robin.

Sent from my iPhone

> On Apr 30, 2015, at 6:13 AM, heupink heup...@gmail.com wrote:
>
> Hi,
>
> We are running a samba4 AD with three DCs. How would we implement
> failover authentication in packetfence?
>
> Perhaps define multiple usersources, all identical except ip address?
>
> It would be nice if we were able to enter multiple ip addresses for
> domain controllers, under one single AD user source.
>
> MJ




Re: [PacketFence-users] ldap failover

2015-04-30 Thread mourik jan c heupink
Hi Tim,

Super. Thanks!



Re: [PacketFence-users] LDAP source error

2014-07-24 Thread luca comes
Hi Fabrice,
you are right. I configured the DN of the group and now it is working fine.

Thank you 

Luca

Date: Thu, 24 Jul 2014 09:50:32 -0400
From: fdur...@inverse.ca
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] LDAP source error

Hi Luca,

condition0=memberOf,is member of,Sponsor is not correct, it's
probably the DN of the Sponsor group.

Regards

Fabrice

On 2014-07-24 09:31, luca comes wrote:

  Hi All,

I have a new issue with Active Directory sources. I'm trying to
authenticate users through sponsorship, getting the information for
the authorized sponsor email from an AD group. The problem is
that the group is not read and a catchall rule is returned, so
anyone is authorized as sponsor (a similar thing happens if I try
admin authentication with AD sources: anyone on my domain is
able to log in to the web UI). My authentication.conf is:





[DC1DM]
description=Accesso admin ICT
password=*
scope=sub
binddn=CN=ldapuser,OU=DMGROUP,DC=dm,DC=loc
basedn=OU=DMGROUP,DC=dm,DC=loc
usernameattribute=sAMAccountName
encryption=none
type=AD
host=dc1dm.dm.loc

[DC1DM rule admin_ICT]
description=Accesso admin ICT
match=any
action0=mark_as_sponsor=1
condition0=memberOf,is member of,Sponsor

In Packetfence.log the output is:



Jul 24 15:26:11 httpd.portal(13167) INFO: mac :
70:f3:95:e2:63:95
(captiveportal::PacketFence::Controller::CaptivePortal::validateMac)

Jul 24 15:26:11 httpd.portal(13167) INFO: Updating node
70:f3:95:e2:63:95 user_agent with useragent: 'Mozilla/5.0
(Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0'
(captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)

Jul 24 15:26:11 httpd.portal(13167) INFO: 70:f3:95:e2:63:95
redirected to guest
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)

Jul 24 15:26:11 httpd.portal(13167) INFO: 70:f3:95:e2:63:95
redirected to authentication page
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)

Jul 24 15:26:13 httpd.portal(13167) INFO: mac :
70:f3:95:e2:63:95
(captiveportal::PacketFence::Controller::CaptivePortal::validateMac)

Jul 24 15:26:42 httpd.portal(13321) INFO: mac :
70:f3:95:e2:63:95
(captiveportal::PacketFence::Controller::CaptivePortal::validateMac)

Jul 24 15:26:42 httpd.portal(13321) ERROR: [DC1DM] Unable to
execute search (|(member=CN=Comes
Luca,OU=Genova,OU=DMHRM,OU=DMGROUP,DC=dm,DC=loc)(uniqueMember=CN=Comes

Luca,OU=Genova,OU=DMHRM,OU=DMGROUP,DC=dm,DC=loc)(memberUid=CN=ossim_admin,OU=Utenti
- Gruppi Funzionali,DC=dm,DC=loc)) from Sponsor on
dc1dm.dm.loc:389, we skip the condition (208F: NameErr:
DSID-031001F7, problem 2006 (BAD_NAME), data 8350, best match
of:

'Sponsor'

). (pf::Authentication::Source::LDAPSource::match_in_subclass)

Jul 24 15:26:42 httpd.portal(13321) INFO: [DC1DM admin_ICT]
Found a match (CN=Comes
Luca,OU=Genova,OU=DMHRM,OU=DMGROUP,DC=dm,DC=loc)
(pf::Authentication::Source::LDAPSource::match_in_subclass)

Jul 24 15:26:42 httpd.portal(13321) INFO: Matched rule
(admin_ICT) in source DC1DM, returning actions.
(pf::Authentication::Source::match)

Jul 24 15:26:42 httpd.portal(13321) INFO: registering
70:f3:95:e2:63:95 guest through a sponsor
(captiveportal::PacketFence::Controller::Signup::doSponsorSelfRegistration)

Jul 24 15:26:42 httpd.portal(13321) INFO: person
lucaco...@hotmail.it modified to lucaco...@hotmail.it
(pf::person::person_modify)

Jul 24 15:26:42 httpd.portal(13321) INFO: Adding guest person
lucaco...@hotmail.it
(captiveportal::PacketFence::Controller::Signup::doSponsorSelfRegistration)

Jul 24 15:26:42 httpd.portal(13321) INFO: Matched rule
(catchall) in source sponsor, returning actions.
(pf::Authentication::Source::match)

Jul 24 15:26:42 httpd.portal(13321) INFO: Matched rule
(catchall) in source sponsor, returning actions.
(pf::Authentication::Source::match)

Jul 24 15:26:42 httpd.portal(13321) INFO: new activation code
successfully generated (pf::activation::create)

Jul 24 15:26:43 httpd.portal(13321) INFO: Email sent to
luca.comes.con...@datamanagementhrm.it (dm.loc: Guest access
request) (pf::activation::__ANON__)

Jul 24 15:26:43 httpd.portal(13321) INFO: mac :
70:f3:95:e2:63:95
(captiveportal::PacketFence

Re: [PacketFence-users] LDAP authentication issue

2013-06-27 Thread Derek Wuelfrath
> The biggest problem I am having is that I can't figure out how to take the
> username from the Captive-Portal and compare it to the LDAP uid field.

Create an LDAP authentication source?

Cheers!
dw.

--
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

On 2013-06-27, at 11:20 AM, David Rice rice.dav...@gmail.com wrote:

> Hello,
> I am having trouble getting my LDAP users to authenticate in PacketFence,
> version 4.0.1.  I am pretty new to PacketFence and I have been searching
> forums for help with this process to no avail.  The biggest problem I am
> having is that I can't figure out how to take the username from the
> Captive-Portal and compare it to the LDAP uid field.
>
> Any help would be appreciated,
> --
> David Rice
> System Engineer



Re: [PacketFence-users] LDAP Question

2012-06-14 Thread remi . desgrange
This message talks about the LDAP settings in the admin portal, not in
conf/authentication/ldap.pm




Bulanda, Dave G dgbula...@indianatech.edu wrote:

> I have a working version of PacketFence 1.6.2 (Yeah I know it's
> that old), in which LDAP Authentication works. I am standing up a
> new box with the latest version 3.4.0.
>
> I have entered the ldap info per the documentation, in the file
> /conf/authentication/ldap.pm
>
> When I restart packetfence I get the following message:
>
> Not searching LDAP since ldap-server, ldap-port and ldap-base-dn
> were not specified in the config file
>
> Not sure where I am going wrong...
>
> Thanks
>
> David Bulanda
> Network Services Manager
> dgbula...@indianatech.edu
> Indiana Tech http://www.indianatech.edu/








Re: [PacketFence-users] LDAP Question

2012-06-14 Thread Bulanda, Dave G
Thanks for that...  Found error about binding to the CN in the log.

Still working through that one.

Dave




Re: [Packetfence-users] LDAP Groups

2012-02-02 Thread Francois Gaudreault
Hi Jordan,

There is a default ldap authentication module for the captive portal. 
You should have a look at it.  The file is located in 
/usr/local/pf/conf/authentication.  You will be able to see what's 
needed to enable it (proper user base, proper bind DN and password, 
group membership, etc)

If you want to enable LDAP authentication on the portal, make sure you 
have ldap in registration.auth in pf.conf

On 12-02-02 11:54 AM, Jordan Hinman wrote:
> Hi there,
>
> Does anyone know of a way to limit the ability to register a device only
> to LDAP users in a specific ou or group? The reason is that we
> have some generic LDAP accounts and we don't want users registering
> their device using those accounts. Thanks for any advice!!!
>
> --
> *Jordan Hinman*
> Network Analyst | Technology Services | Elk Island Catholic Schools
> T: (780) 449-6484 ext. 222 | E: jord...@eics.ab.ca





-- 
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [Packetfence-users] LDAP auth for webui issue in PF 2.2.1

2011-07-01 Thread Ritter, Nicholas
I did some more checking on this, the tcpdump captures I just did show
that regardless of typing in a password, PF is connected to the AD-based
LDAP store and looking for the username. I am also seeing that the LDAP
finds the username, and then I see PF do a rebind as the username, and I
am seeing the bind come back successful.

I am seeing the password itself in the packet capture.

I did two captures, one with using a password, one without. Both LDAP
conversations work, the second LDAP query (where a password was not used
in the PF login screen) works without the password. It appears that
AD-based LDAP does allow a password-less bind when a valid username is
supplied. I have read mixed views on this being a true anonymous bind or
not. In my thinking, this is not an anonymous bind.

Anyway, so the one thing that seems broken is the check for null data in
the password field in PF.

It also appears to be the case that any user in the same LDAP search
base will also be able to login regardless of PF permission setup. To
explain this better by example:

1) user nritter and user jblow are both in the InformationSystems
LDAP search base.
2) User nritter is configured in admin_perm.conf, but jblow is not
3) Currently, both nritter and jblow are able to login to the
webui.
- User jblow ends up having the default permissions level as
specified in the default_role= of admin.perm

Separate from the null data field validation issue, is there a
configuration in PF that needs to be made to change how jblow user
scenarios like I mentioned above are dealt with?

Nick

 

From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca]
Sent: Thursday, June 30, 2011 12:14 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [Packetfence-users] LDAP auth for webui issue in PF 2.2.1

Hi Nicholas,

> I updated to PF 2.2.1 last night, everything is working great with the
> exception that the PF admin WebUI login is requiring a valid username
> from the context I have specified in admin_ldap.conf, but ignoring the
> password entered, and a password does not even need to be entered. A
> tcpdump on the PF server confirms that PF is checking the username
> against the LDAP server.

That seems quite weird to me, it should also check that the password
is working by binding to the LDAP server with the user credentials.

> In checking the documentation, I have no user.conf anywhere. I also
> noticed in the PF 2.2.1 source distro that there is a ui.conf that I
> don't have in my RPM updated 2.2.1 install (although I don't know that
> that file plays any role in the WebUI setup/authentication).

user.conf is for the captive portal authentication, not the admin UI.

> Upon further testing, I noticed the following when authenticating to the
> admin webui:
>
> 1. The username must be in the LDAP source specified in the admin_ldap.conf
> 2. The username does not also need to be specified in admin.perm
> 3. None of the usernames in the LDAP source exist in the admin.conf file
> 4. The username used works with and without the use of a password
>
> Because of items 3 and 4 above, it seems that some functionality in
> login.php is not working properly. I noticed that there is a function
> that is supposed to check for null passwords, which does not seem to be
> working. The function for validating the username against a local flat
> file when no result comes from LDAP seems to not be working correctly.
> AD/LDAP does not permit anonymous binds, yet somehow LDAP is being used
> to some degree as revealed by tcpdump captures.

If you put no password, it should try to do an anonymous bind and fail.
If it passes, that means that the anonymous bind passes.  Can you show us
using an ldapsearch that the anonymous binds are NOT working?




-- 
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org) 


Re: [Packetfence-users] LDAP auth for webui issue in PF 2.2.1

2011-06-30 Thread Ritter, Nicholas
Anonymous binds are not permitted. See below:

 

 

[root@pfence01 conf]# ldapsearch -h 10.10.0.26 -p 389 -x -b
OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv
# extended LDIF
#
# LDAPv3
# base OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: : LdapErr: DSID-0C090627, comment: In order to perform
this operation a successful bind must be completed on the connection., data 0,
vece

# numResponses: 1
[root@pfence01 conf]#
[root@pfence01 conf]# ldapsearch -h 10.10.0.26 -x -b
OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv
# extended LDIF
#
# LDAPv3
# base OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: : LdapErr: DSID-0C090627, comment: In order to perform
this operation a successful bind must be completed on the connection., data 0,
vece

# numResponses: 1
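An added example (my own code, not PacketFence's or FreeRADIUS's) for the two problems that recur in these threads: the 2018 rlm_ldap "Can't contact LDAP server" over ldaps:// with a self-signed certificate, and the password-less bind that the admin UI accepted here. It encodes an LDAPv3 simple bind by hand, refuses an empty password before anything goes on the wire, binds with certificate verification kept on, and decodes the BindResponse result code; host names, DNs and the sample response bytes are constructed placeholders.

```python
"""Minimal LDAPv3 simple bind over LDAPS with RFC 4511 BER framing, written for
this thread; not PacketFence or FreeRADIUS code.  Host names, DNs and the
sample response bytes are constructed placeholders."""
import socket
import ssl

# LDAPResult resultCode values (RFC 4511 section 4.1.9) worth naming here
RESULT_NAMES = {0: "success", 1: "operationsError", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def bind_request(message_id, dn, password, allow_unauthenticated=False):
    """Encode a simple BindRequest (message_id below 128).  An empty password
    is an 'unauthenticated bind' (RFC 4513 section 5.1.2): a server that allows
    it, Active Directory included, answers success and treats the session as
    anonymous, so a login form with a blank password looks 'accepted'."""
    if password == "" and not allow_unauthenticated:
        raise ValueError("empty password would be an unauthenticated bind")
    op = (_tlv(0x02, b"\x03")                      # version INTEGER 3
          + _tlv(0x04, dn.encode("utf-8"))         # name LDAPDN
          + _tlv(0x80, password.encode("utf-8")))  # authentication [0] simple
    return _tlv(0x30, _tlv(0x02, bytes([message_id]))  # LDAPMessage: messageID
                + _tlv(0x60, op))                      # [APPLICATION 0] BindRequest


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long form
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_bind_response(data):
    """Decode a BindResponse into its LDAPResult fields."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                                    # [APPLICATION 1]
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)                    # resultCode ENUMERATED
    _, matched, pos = _read_tlv(op, pos)               # matchedDN
    _, diag, _ = _read_tlv(op, pos)                    # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result_name": RESULT_NAMES.get(rc, "other"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        more = _recv_exact(sock, length & 0x7F)
        head, length = head + more, int.from_bytes(more, "big")
    return head + _recv_exact(sock, length)


def ldaps_bind(host, dn, password, cafile=None, port=636, timeout=5.0):
    """Simple bind over TLS with certificate verification left ON.  For a
    self-signed server certificate pass it (or its CA) as cafile instead of
    disabling verification; a trust failure raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            return parse_bind_response(_recv_message(tls))


# Constructed sample BindResponse: resultCode 1 (operationsError) as in the
# unbound ldapsearch above, with a short diagnosticMessage.
SAMPLE_OPERATIONS_ERROR = (b"\x30\x19\x02\x01\x01\x61\x14\x0a\x01\x01"
                           b"\x04\x00\x04\x0dbind required")
```

A trust failure from ldaps_bind points at the certificate chain, a socket timeout at the network path, and an LDAP result code at the credentials or directory configuration, which is the three-way split these threads kept conflating.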

 

 



Re: [Packetfence-users] LDAP webadmin auth and ActiveDirectory with special chars

2011-04-26 Thread Olivier Bilodeau
> That patch worked. Thanks!

No problem.


> One thing I noticed, that is not relevant to the password problem and
> patch, is a URL issue after login. When the user logs in to the webadmin
> interface, the URL in the browser is:
> https://pfence01.bnk.ds.atv:1443/status/dashboard which gives a 404
> error for /status/dashboard not found on server. Removing the
> dashboard from the end of the URL fixes the error.
>
> The question is, what is going wrong, and how to fix it so that the user
> does not have to remove dashboard from the URL. The admin user does
> have the problem at all.

As I said in a separate message just a few minutes ago, this was a long 
standing bug that I had problems reproducing here. Finally able to and 
it's fixed now. Already corrupted accounts will not be magically 
repaired by the fix. So you should perform the workaround:

If you have a corrupted account, when you get the error message, just
add .php to the address bar then press enter and you will have access to
the administration interface.

To fix your account, you can:
a) fix the user's preferences by going to Administration - UI Options
and select Status - Dashboard as the home page; this will overwrite the
old corrupted value.
b) if you don't care about losing your account preferences, delete the corrupted
user's preference file located at conf/users/username.

See:
http://www.packetfence.org/bugs/view.php?id=1196

Cheers!
-- 
Olivier Bilodeau
obilod...@inverse.ca  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [Packetfence-users] LDAP webadmin auth and ActiveDirectory with special chars

2011-04-15 Thread Olivier Bilodeau

On 12/04/11 5:30 PM, Ritter, Nicholas wrote:

> I just tested a PCI-related password change for a username that is
> authenticated against ActiveDirectory when accessing the PF 2.1.0 web
> admin interface. If the password contains a special character (or
> specifically in this case an exclamation point), the login fails. The
> web interface says (in the top left corner) “Invalid sensitive
> parameter”

There's some aggressive validation of the fields in the login form. I
don't really know why they are there.. Overly aggressive anti-XSS I guess..

For passwords, here's the regexp: /^[\@a-zA-Z0-9_\:\,\(\)]/ so starting
with a ! will pose a problem.

> Any thoughts/fixes/suggestions?

I simplified the validation. Can you apply the attached patch and let me
know if it works? I haven't tested it since I don't have the proper lab
config right now.


--
Olivier Bilodeau
obilod...@inverse.ca  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
#
# old_revision [1da8589bbf4abb9ec9d61e3834fd02138a23cc2c]
#
# patch pf/html/admin/login.php
#  from [b49c4bb30396db34b77174aa942eaf95ba04f23d]
#to [fec32738105d32d6088c4c252465b14b3c3becb4]
#

--- pf/html/admin/login.php b49c4bb30396db34b77174aa942eaf95ba04f23d
+++ pf/html/admin/login.php fec32738105d32d6088c4c252465b14b3c3becb4
@@ -38,18 +38,16 @@ function check_input($input){
   }
 } 
 
-//TODO are we being too difficult on what we accept as a password? ie: pass 
starting with ; is invalid
-function check_sensitive_input($input){
-  if(preg_match(/^[\@a-zA-Z0-9_\:\,\(\)]/, $input)  strlen($input) = 15){
+# rejecting NULLs because they end-up doing an anonymous LDAP bind
+function check_password($input){
+  if (isset($input)) {
 return true;
-  }
-  else{
-print Invalid sensitive parameterbr;
+  } else {
+print Invalid passwordbr;
 return false;
   }
 }
 
-
 // First we try to authenticate users through LDAP if LDAP config file is there
 // if the LDAP config file is not defined or if the LDAP auth fails then we 
authenticate through the local file
 # TODO: have a better integration of admin auth parameters in config files or 
admin interface
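Review bot: check_password() does not do what its comment says. isset($input) is true for any submitted form field, including an empty string, so a blank password still passes and reaches validate_user(), where an LDAP simple bind with a non-empty DN and an empty password is an unauthenticated bind that a directory may answer with success. Test the value, not just its presence, e.g. `if (isset($input) && $input !== '')`. Minor: the block mixes `#` and `//` comment styles, and the former 15-character maximum disappears without being mentioned in the commit.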
@@ -216,7 +214,7 @@ else {
 }
   }
 
-  if (isset($_POST['username'], $_POST['password'])  
check_input($_POST['username'])  check_sensitive_input($_POST['password'])) {
+  if (isset($_POST['username'], $_POST['password'])  
check_input($_POST['username'])  check_password($_POST['password'])) {
 $hash = validate_user($_POST['username'], $_POST['password']);
 if(!$hash || !isset($_COOKIE['test'])){
   $failed = true;
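Review bot: isset($_POST['password']) is already tested in this condition, so check_password() as defined in the previous hunk adds nothing unless it also rejects the empty string; the null-bind concern the patch is meant to address is exactly that empty-string case, which this line still lets through to validate_user(). Either tighten check_password() or add `$_POST['password'] !== ''` here.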
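The validation question this thread turns on, as an added Python example that is neither PacketFence code nor part of the patch above: the old first-character regexp, the patched isset()-only check, a hardened variant (my suggestion, not the patch's), and an RFC 4513 classification of the bind an accepted password would reach. The names check_password_hardened, simple_bind_kind and login_outcome are assumed for illustration.

```python
import re
from typing import Callable, Optional

# Reconstructed from the regexp quoted in the thread (PCRE and Python's re read
# it the same way): only the FIRST character is constrained, nothing anchors the
# end, and the old code additionally capped the length at 15.
OLD_PASSWORD_RE = re.compile(r"^[\@a-zA-Z0-9_\:\,\(\)]")

Validator = Callable[[Optional[str]], bool]

def check_sensitive_input_old(password: Optional[str]) -> bool:
    """Pre-patch check_sensitive_input(): rejects '!Secret1' on its first
    character and anything over 15 characters, yet lets 'a<script>' through."""
    return (password is not None and bool(OLD_PASSWORD_RE.match(password))
            and len(password) <= 15)

def check_password_patched(password: Optional[str]) -> bool:
    """Patched check_password(): PHP isset() is true for any submitted field,
    including the empty string, so only a missing field is rejected."""
    return password is not None

def check_password_hardened(password: Optional[str]) -> bool:
    """Suggested variant (assumption, not in the patch): any character is
    accepted, but a missing or empty password never reaches the LDAP bind."""
    return password is not None and password != ""

def simple_bind_kind(name: str, password: str) -> str:
    """Classify a simple bind the way RFC 4513 section 5.1 does. A non-empty
    name with an empty password is an 'unauthenticated' bind, which a
    directory may answer with success without checking anything: that is the
    NULL-password problem the patch comment refers to."""
    if name == "" and password == "":
        return "anonymous"
    if password == "":
        return "unauthenticated"
    return "authenticated"

def login_outcome(validator: Validator, username: str,
                  password: Optional[str]) -> str:
    """Mirror login.php's flow: the form validator runs before validate_user(),
    so the result is 'rejected-by-form' or the kind of bind that would follow."""
    if not validator(password):
        return "rejected-by-form"
    return simple_bind_kind(username, password or "")
```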


Re: [Packetfence-users] LDAP webadmin auth and ActiveDirectory with special chars

2011-04-15 Thread Ritter, Nicholas
That patch worked. Thanks!

One thing I noticed, that is not relevant to the password problem and
patch, is a URL issue after login. When the user logs in to the webadmin
interface, the URL in the browser is:
https://pfence01.bnk.ds.atv:1443/status/dashboard which gives a 404
error for /status/dashboard not found on server. Removing the
dashboard from the end of the URL fixes the error.

The question is, what is going wrong, and how to fix it so that the user
does not have to remove dashboard from the URL. The admin user does
have the problem at all.

Nick
