topic Re: ISE LDAP integration without Groups? in Network Access Control

ISE LDAP integration without Groups?

Arne Bier — Mon, 29 Jan 2018 23:02:52 GMT

Hello ISE LDAP experts,

I am integrating to an LDAP directory that does not contain any groups. I have also been given a restricted view of the users in the directory (I can only see their UID). When I bind to this directory using ISE 2.3 patch 2, I get:

Ldap bind succeeded to iddiraaa.education.local:636

Subject search ended with an error.Please check search base configured properly

Group search ended with an error.Please check search base configured properly

Response time 265ms

My Subject Search Base: CN=Person,DC=IDDir

My Group Search Base: CN=Person,DC=IDDir

If I click on the button "Naming Contexts..." next to each search base, ISE reports "No suggestions from server"

When I bind using Windows ldaps with same credentials, I can view the users just fine.

I read in the ISE Admin Guide that ISE expects to see Groups in the LDAP directory:

Is there any way around that? Do I need a dummy group perhaps and make all users members of that dummy group?
Is there a log I can trawl to see what's going on under the covers?

Re: ISE LDAP integration without Groups?

hslai — Mon, 29 Jan 2018 23:15:51 GMT

Try DEBUG on prrt-JNI, AAA-runtime, AAA-config. And, check prrt-server.log.

Re: ISE LDAP integration without Groups?

Arne Bier — Mon, 29 Jan 2018 23:47:26 GMT

thanks for that!

After some scratching of my head I figured out this had to be done on the PAN, and not the PSN 😛

I ran debug while clicking on "Test Bind to Server"

The two lines in bold look promising - but doesn't give me much to go on.

Crypto,2018-01-30 09:40:29,305,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.writeData - success,SSLConnection.cpp:1077

ConnectionHandler,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::handle_input called,LdapTestBindConnectionHandler.cpp:109

ConnectionHandler,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchBindResponse called,LdapTestBindConnectionHandler.cpp:391

Crypto,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.readData - nInDataSize=0, entity=client,SSLConnection.cpp:835

Crypto,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.readData - output-size=22,SSLConnection.cpp:917

Connection,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,LdapBindResponse::update: bind result = 0 (Success),LdapConnectionResponses.cpp:106

Connection,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,LdapBindResponse::update: password policy control is not returned by the server,LdapConnectionResponses.cpp:140

Connection,2018-01-30 09:40:29,309,INFO ,0x7f3f03c96700,LdapSslConnectionContext:sslConnectionEstablished: flag certificate send is true,LdapSslConnectionContext.cpp:402

ConnectionHandler,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchBindResponse::onInput(id = 1102): bind succeeded,LdapTestBindConnectionHandler.cpp:437

Connection,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,LdapConnectionContext::sendSearchRequest(id = 1102): base = CN=Person,DC=IDDir, filter = (objectClass=Group),LdapConnectionContext.cpp:516

Crypto,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.writeData - nInDataSize=71, entity=client,SSLConnection.cpp:970

Crypto,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.writeData - success,SSLConnection.cpp:1077

ConnectionHandler,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::handle_input called,LdapTestBindConnectionHandler.cpp:109

ConnectionHandler,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchGroupSearchResponse called,LdapTestBindConnectionHandler.cpp:575

Crypto,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.readData - nInDataSize=0, entity=client,SSLConnection.cpp:835

Crypto,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.readData - output-size=126,SSLConnection.cpp:917

Connection,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,LdapSearchResponse::update: SDK result = 32(No such object),LdapConnectionResponses.cpp:265

ConnectionHandler,2018-01-30 09:40:29,313,ERROR,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchSearchResponse::onInput(id = 1102): search ended with an error: 150,LdapTestBindConnectionHandler.cpp:596

Crypto,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.pvDone,SSLConnection.cpp:278

Crypto,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,NIL-CONTEXT,shutting session id

Re: ISE LDAP integration without Groups?

Craig Hyps — Mon, 29 Jan 2018 23:59:57 GMT

You would need to customize the LDAP server settings so that ISE can apply group membership to some attribute, even if not a traditional group attribute.

Re: ISE LDAP integration without Groups?

Arne Bier — Tue, 30 Jan 2018 00:19:37 GMT

Just to be clear on the wording, when you say "so that ISE can apply group membership", what is meant by can apply? Is ISE going to modify something in the LDAP directory (i.e. need write access) or, did you mean that there has to exist a Group in the LDAP, and each user MUST be a member of that Group? If so, would any Group suffice?

Sorry for my lack of LDAP understanding. I am relating as best as I can to how I understand Active Directory to work (Users and Groups, and their relationship).

Re: ISE LDAP integration without Groups?

hslai — Tue, 30 Jan 2018 01:09:48 GMT

Take a look at Slide 17 of ISE 1.3-2.1 Sponsor Authorization on Secondary Attributes

For example, the LDAP schema "Active Directory" in ISE are using the attribute memberOf for groups, but you may map it to another attribute in your LDAP.

Re: ISE LDAP integration without Groups?

Craig Hyps — Tue, 30 Jan 2018 01:16:39 GMT

Maybe a better word would be "reconcile" rather than assign. As shown in AD example below, there are pointers telling ISE how to exampne the scheme and extract group objects and members, a fundamental part of defining the LDAP store.

If you do not have the specified group or member attribute defined, then it is possible this will cause LDAP lookup to fail. Note that these are mandatory attributes.

Thanks Hsing. I was thinking of referencing that doc as well as an example of how to manipulate group references. In that doc, I showed how to have ISE treat a different attribute as if it was a group object.

Craig

Re: ISE LDAP integration without Groups?

Arne Bier — Tue, 06 Feb 2018 23:35:17 GMT

The customer doesn't want to budge on this point. They are questioning why ISE requires this Group concept when any generic LDAP browser will happily bind and traverse the LDAP directory they've created (which only contains a single attribute). This directory was designed and built for simplicity and speed and it works well with other applications they have.

Is there a way around this mandatory Group Map attribute and Group Name attribute in ISE?

Re: ISE LDAP integration without Groups?

Craig Hyps — Wed, 07 Feb 2018 05:20:27 GMT

Arnie, Have you tried using default values for groups? I just tested with invalid object names for groups and even for search space and was able to bind successfully and perform a test auth against LDAP server. I was not able to add groups, but attributes did appear and were retrieved in test auth.

That said, if existing behavior not working and requesting change in the design, then suggest submitting an enhancement request to Tal Surasky as the PM for AAA and Id Stores.

Re: ISE LDAP integration without Groups?

Arne Bier — Mon, 12 Feb 2018 02:05:12 GMT

Hi Craig

I tried various permutations but I think my lack of LDAP understanding is causing me to stumble.

I don't have admin access to the LDAP directory itself to see how it's configured.

But I can browse the directory using Windows Server command ldp. When I search the thing I can see the following

The uid contains the username that I am allowed to query on. That's it. Million dollar question is how to configure ISE to allow me to do so.

My ISE config is as follows:

I can bind, but get error

Ldap bind succeeded to I*********.local:636

Subject search ended with an error.Please check search base configured properly

Group search ended with an error.Please check search base configured properly

Response time 496ms

As far as the Genera tab is concerned, I don't know whether it resembles what you were talking about? i.e. using Dummy values for the Group Map and Group Name attributes?

Nothing I do seems to work.

Re: ISE LDAP integration without Groups?

hslai — Mon, 12 Feb 2018 03:00:42 GMT

Try saving it away and then re-do the test binding.

I got similar errors as you did and it went ok after saving it.

I followed Ldp Examples: Active Directory to perform search tests on our test AD instance.

Re: ISE LDAP integration without Groups?

Arne Bier — Mon, 12 Feb 2018 06:07:47 GMT

thanks for that. It turns out that I was given the incorrect Subject ObjectClass and as soon as I substituted that with a wildcard, I was able to move forward (this was also the value I gave the Windows ldp tool in my previous example).

thanks for all the assistance with this. I somehow have an aversion to LDAP and I think it will still haunt me beyond the grave ...

Re: ISE LDAP integration without Groups?

Craig Hyps — Mon, 12 Feb 2018 13:30:42 GMT

Glad you were able to work things out. I was going to provide some examples of some common LDAP records as your earlier examples do not reflect typical schema and objectclass definitions...