Hi,
I'm trying to configure an OpenLDAP server as an AAA authentication group. Below is the configuration.
aaa group server ldap aaaldap
 server aaaldap
ldap server aaaldap
 ipv4 10.10.1.5
 bind authenticate root-dn cn=admin,dc=test,dc=com password 7 082059490118121608
 base-dn dc=test,dc=com
 search-filter user-object-type People
 search-filter user-object-type person
 authentication bind-first
 authentication compare
When I test this configuration with the "test" command I get the error (No such object).
I have enabled debugging and tried to figure out the error, but it seems to be an error in the search filter of user-object-type.
The documentation states that we have to refer to the ObjectClass name in the search-filter user-object-type, but I think that is for Microsoft AD, and I'm trying to authenticate against an OpenLDAP server. Is it the same with OpenLDAP as well, or what should the attribute be instead of ObjectClass?
The debug output is below:
Test-HO_1#test aaa group aaaldap cisco cisco new-code
User rejected
Test-HO_1#
Aug 7 17:04:13.539: LDAP: LDAP: Queuing AAA request 0 for processing
Aug 7 17:04:13.539: LDAP: Received queue event, new AAA request
Aug 7 17:04:13.539: LDAP: LDAP authentication request
Aug 7 17:04:13.539: LDAP: Attempting first next available LDAP server
Aug 7 17:04:13.539: LDAP: Got next LDAP server :aaaldap
Aug 7 17:04:13.539: LDAP: First Task: Send compare req
Aug 7 17:04:13.539: LDAP: Authentication policy: bind-first
(Compare password first)
Aug 7 17:04:13.539: LDAP: Check the default map for aaa type=username
Aug 7 17:04:13.539: LDAP: Check the default map for aaa type=password
Aug 7 17:04:13.539: LDAP: ldap_compare: ld=731840120, user_dn=cn=cisco,dc=test,dc=com, passwd_attr_name=userPasswordldap_req_encode
Doing socket write
Aug 7 17:04:13.539: LDAP: LDAP compare request sent successfully (reqid=47)
Aug 7 17:04:13.539: LDAP: Sent the LDAP request to server
Aug 7 17:04:13.539: LDAP: Received socket event
Aug 7 17:04:13.539: LDAP: Checking the conn status
Aug 7 17:04:13.539: LDAP: Socket read event socket=1
Aug 7 17:04:13.539: LDAP: Found socket ctx
Aug 7 17:04:13.539: LDAP: Receive event: read=1, errno=9 (Bad file number)
Aug 7 17:04:13.539: LDAP: Passing the client ctx=2B9EFE78ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x2BD43BC4
Doing socket read
LDAP-TCP:Bytes read = 31
ldap_match_request succeeded for msgid 8 h 0
changing lr 0x312A300C to COMPLETE as no continuations
removing request 0x312A300C from list as lm 0x313D30C4 all 0
ldap_msgfree
ldap_msgfree
Aug 7 17:04:13.539: LDAP: LDAP Messages to be processed: 1
Aug 7 17:04:13.539: LDAP: LDAP Message type: 111
Aug 7 17:04:13.539: LDAP: Got ldap transaction context from reqid 47ldap_parse_result
Aug 7 17:04:13.543: LDAP: resultCode: 32 (No such object)
Aug 7 17:04:13.543: LDAP: Received Compare Responseldap_parse_result
ldap_err2string
Aug 7 17:04:13.543: LDAP: Ldap Result Msg: FAILED:No such object, Result code =32
Aug 7 17:04:13.543: LDAP: LDAP Compare operation result : failedldap_msgfree
Aug 7 17:04:13.543: LDAP: Closing transaction and reporting error to AAA
Aug 7 17:04:13.543: LDAP: Transaction context removed from list [ldap reqid=47]
Aug 7 17:04:13.543: LDAP: Notifying AAA: REQUEST FAILED
Aug 7 17:04:13.543: LDAP: Received socket event
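To illustrate what resultCode 32 means in the debug above, here is an added Python model (not from the original post, not Cisco IOS code): a compare against a DN that does not exist in the tree returns noSuchObject before any password is checked, while a search under base-dn with an objectClass filter locates the entry. The directory layout (an ou=People container with uid-named entries) and all values are a constructed sample; the compare target mirrors the user_dn shown in the debug.

```python
"""Model of the two LDAP operations relevant to the debug: a direct compare
on a constructed DN versus a search under base-dn with an objectClass filter.
The sample directory, DNs and filters below are constructed for illustration."""
import re

# resultCode values from RFC 4511
COMPARE_FALSE, COMPARE_TRUE, NO_SUCH_OBJECT = 5, 6, 32

def norm_dn(dn):
    """Normalise a DN: lower-case, no spaces around the comma separators."""
    return ",".join(p.strip().lower() for p in dn.split(","))

# Constructed sample directory in a common OpenLDAP layout: users live under
# ou=People and are named by uid, not by cn directly beneath the base-dn.
DIRECTORY = {
    norm_dn("dc=test,dc=com"): {"objectClass": {"dcObject", "organization"}},
    norm_dn("ou=People,dc=test,dc=com"): {"objectClass": {"organizationalUnit"}},
    norm_dn("uid=cisco,ou=People,dc=test,dc=com"): {
        "objectClass": {"inetOrgPerson", "person"},
        "uid": {"cisco"}, "cn": {"cisco"}, "userPassword": {"cisco"}},
}

def ldap_compare(dn, attr, value):
    """Compare like the device's ldap_compare: the target DN must exist first."""
    entry = DIRECTORY.get(norm_dn(dn))
    if entry is None:
        return NO_SUCH_OBJECT          # resultCode 32, as in the debug output
    return COMPARE_TRUE if value in entry.get(attr, set()) else COMPARE_FALSE

def matches(entry, flt):
    """Evaluate a simple RFC 4515 filter: (attr=value) or (&(a=v)(b=v)...).
    Attribute names are matched as written; values are compared case-insensitively."""
    if flt.startswith("(&"):
        parts = re.findall(r"\([^()]*\)", flt[2:-1])
        return all(matches(entry, p) for p in parts)
    attr, value = flt.strip("()").split("=", 1)
    return value.lower() in {v.lower() for v in entry.get(attr, set())}

def ldap_search(base_dn, flt):
    """Subtree search under base_dn; returns normalised DNs of matching entries."""
    base = norm_dn(base_dn)
    return [dn for dn, e in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and matches(e, flt)]

if __name__ == "__main__":
    # The compare the debug shows: cn=<user> directly under base-dn
    print(ldap_compare("cn=cisco,dc=test,dc=com", "userPassword", "cisco"))
    # A search that locates the entry by object class and login attribute
    print(ldap_search("dc=test,dc=com", "(&(objectClass=person)(uid=cisco))"))
```

In this sample tree a filter on objectClass=People matches nothing, because People is the name of an organizational unit here, not an object class.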