08-20-2011 10:15 AM - edited 03-10-2019 06:20 PM
Here is a snippet of my proposed config for LDAP
aaa group server ldap AD
server TESTSERVER
ldap attribute-map ADTEST
ldap server TESTSERVER
ipv4 192.168.0.20
bind authenticate root-dn testuser password testpw
base-dn DC=testdomain,DC=local
The username and password exist and can auth to AD directly. I get the logs below when I try to hit from VPN. Does anyone have this working that can give me some pointers?
000293: Aug 20 10:37:42: AAA/BIND(00000E04): Bind i/f
000294: Aug 20 10:37:42: AAA/AUTHEN/LOGIN (00000E04): Pick method list 'AD'
000295: Aug 20 10:37:42: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
System image file is "flash:c1900-universalk9-mz.SPA.151-4.M1.bin"
Gulf-Inet#
000296: Aug 20 10:48:00: LDAP: Received socket event
000297: Aug 20 10:48:00: LDAP: Checking the conn status
000298: Aug 20 10:48:00: LDAP: Socket read event socket=0
000299: Aug 20 10:48:00: LDAP: Found socket ctx
000300: Aug 20 10:48:00: LDAP: Receive event: read=0, errno=11 (Resource temporarily unavailable)
000301: Aug 20 10:48:00: LDAP: Connection closed remotely !!
000302: Aug 20 10:48:00: LDAP: ldap tcp transport closing on socket 0
000303: Aug 20 10:48:00: LDAP: Protocol received transport down notification
000304: Aug 20 10:48:00: LDAP: Server-GULFBASCO connection going down !!!
000305: Aug 20 10:48:00: LDAP: Clearing all ldap transactions
000306: Aug 20 10:48:00: LDAP: Connection state: UP => DOWN
000307: Aug 20 10:48:00: LDAP: Connection state: DOWN => DOWN
000308: Aug 20 10:48:00: LDAP: Connection timer started for 30 seconds for GULFBASCO
000309: Aug 20 10:48:00: LDAP: socket 0 - CONN_UP->CONN_CLOSE
000310: Aug 20 10:48:00: LDAP: Received socket event
000311: Aug 20 10:48:30: LDAP: Received timer event
000312: Aug 20 10:48:30: LDAP: Connection timeout occured. Retrying
000313: Aug 20 10:48:30: LDAP: Opening ldap connection ( 192.168.254.23, 389 )
000314: Aug 20 10:48:30: LDAP: socket 0 - connecting to 192.168.254.23 (389)
000315: Aug 20 10:48:30: LDAP: socket 0 - connection in progress
000316: Aug 20 10:48:30: LDAP: socket 0 - local address 192.168.254.254 (63758)
000317: Aug 20 10:48:30: LDAP: Connection on socket 0
000318: Aug 20 10:48:30: LDAP: Connection to LDAP server (GULFBASCO, 192.168.254.23) attempted
000319: Aug 20 10:48:30: LDAP: Connection state: DOWN => CONNECTING
000320: Aug 20 10:48:30: LDAP: Received socket event
000321: Aug 20 10:48:30: LDAP: Checking the conn status
000322: Aug 20 10:48:30: LDAP: Socket read event socket=0
000323: Aug 20 10:48:30: LDAP: Found socket ctx
000324: Aug 20 10:48:30: LDAP: Making socket conn up
000325: Aug 20 10:48:30: LDAP: Notify the protocol code
000326: Aug 20 10:48:30: LDAP: Protocol received transport up notication
000327: Aug 20 10:48:30: LDAP: Connection state: CONNECTING => UP
000328: Aug 20 10:48:30: LDAP: Set socket=0 to non blocking mode
000329: Aug 20 10:48:30: LDAP: Performing Root-Dn bind operation
000330: Aug 20 10:48:30: LDAP: Root Bind on ciscoauth initiated.
000331: Aug 20 10:48:30: LDAP: Received socket event
000332: Aug 20 10:48:31: LDAP: Received socket event
000333: Aug 20 10:48:31: LDAP: Checking the conn status
000334: Aug 20 10:48:31: LDAP: Socket read event socket=0
000335: Aug 20 10:48:31: LDAP: Found socket ctx
000336: Aug 20 10:48:31: LDAP: Receive event: read=1, errno=11 (Resource temporarily unavailable)
000337: Aug 20 10:48:31: LDAP: Passing the client ctx=317267D0
000338: Aug 20 10:48:31: LDAP: LDAP Messages to be processed: 1
000339: Aug 20 10:48:31: LDAP: LDAP Message type: 97
000340: Aug 20 10:48:31: LDAP: Got ldap transaction context from reqid 2
000341: Aug 20 10:48:31: LDAP: Received Bind Response
000342: Aug 20 10:48:31: LDAP: Received Root Bind Response
000343: Aug 20 10:48:31: LDAP: Failed to do Root Bind on ciscoauth. Bind anonymous
000344: Aug 20 10:48:31: LDAP: Transaction context removed from list [ldap reqid=2]
000345: Aug 20 10:48:31: LDAP: Finished processing ldap msg, Result:Success
000346: Aug 20 10:48:31: LDAP: Received socket event
Connection to host lost.
08-20-2011 11:18 AM
The bind username has to be specified as the full LDAP object path per this http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_ldap.html#wp1069114. Use dsquery on the username that you want to use for the initial lookup bind to get the full LDAP object description and set that instead:
dsquery user -samid user_name
Also, remember to delegate permissions to this account to allow them to read AD.
08-20-2011 11:24 AM
I used everything behind the DC like this:
"CN=cisco Systems,OU=ServiceAccounts,OU=Accounts,DC=gulfbasco,DC=local"
So I used:
base-dn "DC=gulfbasco,DC=local"
08-20-2011 11:30 AM
I'm referring to this line:
bind authenticate root-dn testuser password testpw
it should be:
bind authenticate root-dn "cn=testuser,ou=serviceaccounts,ou=accounts,dc=gulfbasco,dc=local" password blah
the base-dn config line refers to the search base DN, not the bind base DN. Your debug output indicates that it is failing to bind to LDAP, i.e. authenticate with the testuser account specified in the bind configuration.
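Both answers above (use dsquery to get the object's full path, and put that full DN after root-dn rather than on base-dn) come down to one check: the value after root-dn must be a distinguished name, and the debug output tells you when the server refused that bind. The script below is an added example, not code from this thread or from Cisco. It parses the root-dn and base-dn values of an IOS ldap server stanza as RFC 4514 DNs, flags a root-dn that is a bare account name like testuser, and scans debug ldap / AAA output for the root-bind failure and the BADSERVERTYPEERROR line. The stanzas and log excerpt inside it are constructed from the thread's own values; the function names are mine.

```python
"""Checker for the IOS 'ldap server' bind stanza discussed in this thread.

Added example, not from the thread or from Cisco. It parses the values of
'bind authenticate root-dn' and 'base-dn' as RFC 4514 distinguished names,
flags a root-dn that is a bare account name (like "testuser"), and scans
'debug ldap' output for the root-bind failure the original poster saw.
The config and log samples below are constructed from the thread.
"""
import re
from typing import List, Tuple

# One RDN: attributeType=value. Types are a descriptor (cn, ou, dc) or an OID.
_RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(.+)$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs; ValueError if any RDN is malformed."""
    dn = dn.strip().strip('"')
    if not dn:
        raise ValueError("empty DN")
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # commas inside values are escaped as '\,'
        m = _RDN_RE.match(part.strip())
        if not m:
            raise ValueError(f"not an attributeType=value RDN: {part!r}")
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns


def is_full_dn(value: str) -> bool:
    """True when value parses as a DN; a bare sAMAccountName does not."""
    try:
        parse_dn(value)
        return True
    except ValueError:
        return False


def check_ldap_server_block(config: str) -> List[str]:
    """Lint the bind and search-base settings; returns human-readable findings."""
    findings = []
    bind = re.search(r'^\s*bind authenticate root-dn\s+("[^"]*"|\S+)\s+password\s+\S+',
                     config, re.M)
    if bind is None:
        findings.append("no 'bind authenticate root-dn' line: the router will bind anonymously")
    elif not is_full_dn(bind.group(1)):
        findings.append(f"root-dn {bind.group(1)!r} is not a distinguished name; "
                        "use the bind account's full DN (cn=...,ou=...,dc=...)")
    base = re.search(r'^\s*base-dn\s+("[^"]*"|\S+)', config, re.M)
    if base is None:
        findings.append("no base-dn: user searches have no starting point")
    elif not is_full_dn(base.group(1)):
        findings.append(f"base-dn {base.group(1)!r} is not a distinguished name")
    return findings


def triage_ldap_debug(log: str) -> List[str]:
    """Point at the lines in 'debug ldap' / AAA output that matter for this failure."""
    findings = []
    if "Failed to do Root Bind" in log:
        findings.append("server rejected the root bind: check that root-dn is the full DN "
                        "of the bind account and that the password is right")
    if "BADSERVERTYPEERROR" in log:
        findings.append("AAA logged %AAA-3-BADSERVERTYPEERROR (invalid_group_handle) "
                        "when picking the method list")
    return findings


# Constructed from the thread: the poster's stanza and the corrected form.
ORIGINAL_STANZA = """\
ldap server TESTSERVER
 ipv4 192.168.0.20
 bind authenticate root-dn testuser password testpw
 base-dn DC=testdomain,DC=local
"""
CORRECTED_STANZA = """\
ldap server TESTSERVER
 ipv4 192.168.0.20
 bind authenticate root-dn "cn=testuser,ou=serviceaccounts,ou=accounts,dc=testdomain,dc=local" password testpw
 base-dn "DC=testdomain,DC=local"
"""
# Constructed debug excerpt in the format the router prints.
DEBUG_EXCERPT = """\
000342: Aug 20 10:48:31: LDAP: Received Root Bind Response
000343: Aug 20 10:48:31: LDAP: Failed to do Root Bind on ciscoauth. Bind anonymous
000882: Aug 20 13:36:07: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
"""

if __name__ == "__main__":
    for name, stanza in (("original", ORIGINAL_STANZA), ("corrected", CORRECTED_STANZA)):
        print(name, check_ldap_server_block(stanza) or ["ok"])
    for finding in triage_ldap_debug(DEBUG_EXCERPT):
        print("debug:", finding)
```

The DN parser is deliberately small: it handles escaped commas and quoted values as IOS accepts them, but not multi-valued RDNs joined with "+" or hex-escaped values, so treat it as a sanity check on the config rather than a full RFC 4514 validator. Note that it does not tell you whether the DN exists in AD or whether the account has read rights on the directory; that part is still the dsquery lookup and the permission delegation mentioned above.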
08-20-2011 11:37 AM
Still erroring. I tried with CN=full user name and CN=shortname. Which should I be using and are there any other debugs that might help me figure out what is wrong?
000874: Aug 20 13:35:33: LDAP: Filter: (objectclass=*)
000875: Aug 20 13:35:33: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.254.23)
000876: Aug 20 13:35:33: LDAP: Received message event
000877: Aug 20 13:35:33: LDAP: Connection to LDAP server (GULFBASCO) already UP
000878: Aug 20 13:35:45: AAA/BIND(00000E08): Bind i/f
000879: Aug 20 13:35:45: AAA/AUTHEN/LOGIN (00000E08): Pick method list 'AD'
000880: Aug 20 13:36:07: AAA/BIND(00000E09): Bind i/f
000881: Aug 20 13:36:07: AAA/AUTHEN/LOGIN (00000E09): Pick method list 'AD'
000882: Aug 20 13:36:07: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
10-14-2011 02:49 PM
Did you ever find a resolution for this issue? I'm having similar problems and getting the same error message.