04-24-2003 06:53 PM
Once again it seems I am the first one to use a new product. I have a CE565 that I am trying to get to work with MS LDAP. Anyone had any luck doing this? Cisco TAC is having a difficult time tracking down the problem.
ce565#sho ldap
LDAP Configuration:
-------------------
LDAP Authentication is enabled
Allow mode: disabled
Base DN: DC=domain,DC=com
Filter: <none>
Retransmits: 2
Timeout: 5 seconds
UID Attribute: uid
Group Attribute: memberOf
Administrative DN: <none>
Administrative Password: <none>
LDAP version: 3
LDAP port: 389
Server Status
--------------- ---------
192.168.99.7 primary
<none> secondary
ce565#debug authe http
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2498 ***pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2502 *** pam_ldap: Got username ralldread
Apr 24 22:44:56 ce565 http_authmod: _pam_ldap_get_session:1977 *** pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: _read_config:570 ***pam_ldap: Reading configuration
Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1928 ***pam_ldap: === Host[0] 192.168.99.7 ===
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1851 ***pam_ldap: Connecting...
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1867 ***pam_ldap: Socket timeout 5
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1891 ***pam_ldap: Connected to 192.168.99.7
Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1948 ***pam_ldap: ServerAlive [1] (up=1, down=0)
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2508 *** pam_ldap: Got session
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2519 *** pam_ldap: Do authentication
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1672 *** pam_ldap: Begin user ralldread
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1059 *** pam_ldap: Host 192.168.99.7
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1063 *** pam_ldap: Open session
Apr 24 22:44:56 ce565 http_authmod: _open_session:927 *** pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1074 *** pam_ldap: Binding...
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1676 *** pam_ldap: Connected anonymously
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1699 *** pam_ldap: Filter (uid=ralldread)
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2522 *** pam_ldap: Done authentication FAILURE
Any thoughts?
04-30-2003 12:24 PM
There could be a problem with the LDAP server. If possible try a different server. You may want to reconfigure the CE again in case there is something that did not get configured correctly the first time.
05-01-2003 04:55 AM
I got it working. I did 2 things. One, I rebuilt the server to make sure Active Directory was working correctly. Two, I changed the DC=domain to be dc=domain. I haven't had a chance to test which one actually fixed it, but here is the config that I am using.
ce565#sho run
device mode content-engine
!
hostname ce565
!
!
http authentication header 407
http authentication cache timeout 1
http authentication cache max-entries 32000
http proxy incoming 8888
!
!
clock timezone EST -5 0
!
!
!
ip domain-name demodomain
!
!
!
https proxy incoming 8888
!
!
interface GigabitEthernet 1/0
ip address 10.10.220.71 255.255.255.0
exit
interface GigabitEthernet 2/0
shutdown
exit
!
!
ip default-gateway 10.10.220.1
!
primary-interface GigabitEthernet 1/0
!
!
no auto-register enable
!
!
!
!
ip name-server 10.10.220.80
!
!
!
!
!
pre-load enable
pre-load depth-level-default 2
pre-load resume
pre-load traverse-other-domains
pre-load url-list-file ftp://ftpuser:ftpuser@10.10.220.80/ce-preload.txt
!
!
!
!
!
!
!
!
transaction-logs enable
transaction-logs log-windows-domain
transaction-logs archive interval every-hour every 10
transaction-logs sanitize
transaction-logs export enable
transaction-logs export interval every-hour every 10
transaction-logs export ftp-server 10.10.220.80 ftpuser ftpuser /
transaction-logs format extended-squid
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
!
!
!
ldap server base "dc=demodomain"
ldap server userid-attribute cn
ldap server host 10.10.220.80 primary
ldap server administrative-dn "cn=administrator,cn=users,dc=demodomain"
ldap server administrative-passwd ****
ldap server active-directory-group enable
ldap server version 3
ldap server enable
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
!
!
url-filter http smartfilter enable
!
!
!
cdm ip 10.10.220.70
cms enable
!
!
09-27-2003 03:53 AM
I managed to get the LDAP authentication working, however it only accepts the cn and password.
ie: My username is peter and my cn is peter jones, so I can't log in with peter, I have to use peter jones. And the issue arises when smartfilter doesn't seem to accept a space in the username, so the user gets passed to the default policy. I need to get the authentication working with the normal username in order for smartfilter to work correctly. Any ideas?
Here's my config:
cache#sh run
hostname cache
!
!
http authentication header 407
http proxy incoming 8080
http proxy outgoing host 10.10.0.21 8080 primary
!
ftp proxy incoming 8080
ftp proxy outgoing host 10.10.0.21 8080
!
!
!
!
ip domain-name lab.cache.net
!
!
!
https proxy incoming 8080
https proxy outgoing host 10.10.0.21 8080
!
!
interface GigabitEthernet 1/0
ip address 10.10.0.99 255.255.254.0
exit
interface GigabitEthernet 2/0
shutdown
exit
!
!
ip default-gateway 10.10.0.1
!
!
!
no auto-register enable
!
!
!
!
ip name-server 10.10.1.200
!
!
!
!
!
!
!
!
!
!
!
!
!
transaction-logs enable
transaction-logs archive interval every-hour at 0
transaction-logs file-marker
transaction-logs sanitize
transaction-logs export enable
transaction-logs export interval every-hour at 0
transaction-logs export ftp-server 10.10.1.200 administrator **** /proxy/logs
!
!
username admin password 1 .faKN7JYcIVSQ
username admin privilege 15
username Chris password 1 /w9qtoF4qJK0I uid 2001
username Chris privilege 0
!
!
!
ldap server base "dc=lab,dc=cache,dc=net"
ldap server userid-attribute cn
ldap server host 10.10.1.200 primary
ldap server administrative-dn "cn=administrator,cn=users,dc=lab,dc=cache,dc=net"
ldap server administrative-passwd ****
ldap server version 3
ldap server active-directory-group enable
ldap server enable
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
!
!
url-filter http smartfilter enable
!
!
!
!
cache#
02-17-2004 07:07 AM
Try using sAMAccountName as the userid attribute. In Microsoft Active Directory it corresponds to uid:
ldap server userid-attribute sAMAccountName
I hope it will help.
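As an added illustration (not from the thread or from Cisco), here is a small Python model of the pam_ldap flow visible in the debug output: build an equality filter from the userid attribute and the typed name, search under the base DN, then bind as the single hit. The directory entry, password and DNs are constructed; the model shows why uid never matches an Active Directory user, why cn demands "peter jones" with the space, and why sAMAccountName accepts the short login name, while also escaping the filter value (RFC 4515) and comparing DN components case-insensitively (RFC 4514).

```python
import re

# Constructed sample directory: one Active Directory-style user. AD has no 'uid'
# attribute by default; the login name is sAMAccountName and cn is the full name.
DIRECTORY = {
    "cn=peter jones,cn=users,dc=lab,dc=cache,dc=net": {
        "cn": "peter jones",
        "sAMAccountName": "peter",
        "memberOf": "cn=proxy-users,cn=users,dc=lab,dc=cache,dc=net",
        "userPassword": "s3cret",  # constructed; a real AD checks the bind server-side
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot change the filter's meaning."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def norm_dn(dn):
    """Attribute types in a DN are case-insensitive (RFC 4514), and AD matches cn/dc
    values case-insensitively too, so DC=lab and dc=lab name the same base."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def search(base_dn, filt):
    """Toy equality-filter search: DNs under base_dn whose attribute equals the value."""
    attr, raw = re.fullmatch(r"\(([^=]+)=(.*)\)", filt).groups()
    # Undo RFC 4515 escaping so '\2a' is compared as a literal '*', not a wildcard.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    hits = []
    for dn, entry in DIRECTORY.items():
        attrs = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive
        if not norm_dn(dn).endswith(norm_dn(base_dn)):
            continue
        if attrs.get(attr.lower(), "").lower() == value.lower():
            hits.append(dn)
    return hits

def authenticate(base_dn, userid_attribute, username, password):
    """pam_ldap flow from the debug output: build (attr=user), search, bind as the hit."""
    filt = "(%s=%s)" % (userid_attribute, escape_filter_value(username))
    hits = search(base_dn, filt)
    if len(hits) != 1:  # zero hits is the 'Done authentication FAILURE' case
        return False, "filter %s matched %d entries" % (filt, len(hits))
    if DIRECTORY[hits[0]]["userPassword"] != password:
        return False, "bind as %s rejected" % hits[0]
    return True, hits[0]

if __name__ == "__main__":
    for attr, user in [("uid", "peter"), ("cn", "peter"), ("cn", "peter jones"), ("sAMAccountName", "peter")]:
        print(attr, user, authenticate("DC=lab,DC=cache,DC=net", attr, user, "s3cret"))
```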