OPENLDAP as AAA

bheda.laxman — Mon, 11 Mar 2019 01:17:00 GMT

Hi,

I'm trying to configure OpenLDAP server as a AAA authentication group. Below is the configuration.

aaa group server ldap aaaldap

server aaaldap

ldap server aaaldap

ipv4 10.10.1.5

bind authenticate root-dn cn=admin,dc=test,dc=com password 7 082059490118121608

base-dn dc=test,dc=com

search-filter user-object-type People

search-filter user-object-type person

authentication bind-first

authentication compare

When I test this configuration with "test" command I get error as (No such object)

I have enabled the debug and tried to figure out the error but it seems to be the error in search filter of user-object-type.

The documentation states that we have to refer ObjectClass name in search user-object-type but I think its for Microsoft AD and I'm trying to authenticate it with OpenLDAP server. Is it the same with OpenLdap as well or what should be the attribute instead of ObjectClass?

Debug is as below

Test-HO_1#test aaa group aaaldap cisco cisco new-code

User rejected

Test-HO_1#

Aug 7 17:04:13.539: LDAP: LDAP: Queuing AAA request 0 for processing

Aug 7 17:04:13.539: LDAP: Received queue event, new AAA request

Aug 7 17:04:13.539: LDAP: LDAP authentication request

Aug 7 17:04:13.539: LDAP: Attempting first next available LDAP server

Aug 7 17:04:13.539: LDAP: Got next LDAP server :aaaldap

Aug 7 17:04:13.539: LDAP: First Task: Send compare req

Aug 7 17:04:13.539: LDAP: Authentication policy: bind-first

(Compare password first)

Aug 7 17:04:13.539: LDAP: Check the default map for aaa type=username

Aug 7 17:04:13.539: LDAP: Check the default map for aaa type=password

Aug 7 17:04:13.539: LDAP: ldap_compare: ld=731840120, user_dn=cn=cisco,dc=test,dc=com, passwd_attr_name=userPasswordldap_req_encode

Doing socket write

Aug 7 17:04:13.539: LDAP: LDAP compare request sent successfully (reqid=47)

Aug 7 17:04:13.539: LDAP: Sent the LDAP request to server

Aug 7 17:04:13.539: LDAP: Received socket event

Aug 7 17:04:13.539: LDAP: Checking the conn status

Aug 7 17:04:13.539: LDAP: Socket read event socket=1

Aug 7 17:04:13.539: LDAP: Found socket ctx

Aug 7 17:04:13.539: LDAP: Receive event: read=1, errno=9 (Bad file number)

Aug 7 17:04:13.539: LDAP: Passing the client ctx=2B9EFE78ldap_result

wait4msg (timeout 0 sec, 1 usec)

ldap_select_fd_wait (select)

ldap_read_activity lc 0x2BD43BC4

Doing socket read

LDAP-TCP:Bytes read = 31

ldap_match_request succeeded for msgid 8 h 0

changing lr 0x312A300C to COMPLETE as no continuations

removing request 0x312A300C from list as lm 0x313D30C4 all 0

ldap_msgfree

Aug 7 17:04:13.539: LDAP: LDAP Messages to be processed: 1

Aug 7 17:04:13.539: LDAP: LDAP Message type: 111

Aug 7 17:04:13.539: LDAP: Got ldap transaction context from reqid 47ldap_parse_result

Aug 7 17:04:13.543: LDAP: resultCode: 32 (No such object)

Aug 7 17:04:13.543: LDAP: Received Compare Responseldap_parse_result

ldap_err2string

Aug 7 17:04:13.543: LDAP: Ldap Result Msg: FAILED:No such object, Result code =32

Aug 7 17:04:13.543: LDAP: LDAP Compare operation result : failedldap_msgfree

Aug 7 17:04:13.543: LDAP: Closing transaction and reporting error to AAA

Aug 7 17:04:13.543: LDAP: Transaction context removed from list [ldap reqid=47]

Aug 7 17:04:13.543: LDAP: Notifying AAA: REQUEST FAILED

Aug 7 17:04:13.543: LDAP: Received socket event

topic OPENLDAP as AAA in Network Access Control

OPENLDAP as AAA