2044418Puts
Beginner

IOS LDAP authentication against sAMAccountName

Hi,

I'm running an 881 with c880data-universalk9-mz.151-3.T.bin and now I'm trying to enable LDAP authentication. This works, but it only allows me to authenticate against the full CN (like CN=Firstname Lastname). But I would like to authenticate against the sAMAccountName, since this is the same username the users are using in Windows.

This is my config:

ldap server dc01
ipv4 10.10.250.111
bind authenticate root-dn CN=LDAPReader,CN=Room,DC=customer,DC=local password 7 encrpasswordhere
base-dn OU=Room,OU=Users,DC=customer,DC=local
search-filter user-object-type *

Any idea on how to do this?

Thanks!

Regards,

Armand.

6 REPLIES
andamani
Cisco Employee

Hi,

Honestly, I have never done LDAP authentication with IOS. Could you please try the following:

search-filter  user-object-type sAMAccountName

Let me know how it goes.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi Anisha,

I've just removed the search-filter user-object-type * line and added the search-filter user-object-type sAMAccountName line. Then I've performed a debug ldap all:

001356: Apr  5 10:20:13.608 CET: LDAP: LDAP: Queuing AAA request 79 for processing
001357: Apr  5 10:20:13.608 CET: LDAP: Received queue event, new AAA request
001358: Apr  5 10:20:13.608 CET: LDAP: LDAP authentication request
001359: Apr  5 10:20:13.608 CET: LDAP: Attempting first  next available LDAP server
001360: Apr  5 10:20:13.608 CET: LDAP: Got next LDAP server :dc01
001361: Apr  5 10:20:13.608 CET: LDAP: Server connection not up. Current state DOWN
001362: Apr  5 10:20:13.608 CET: LDAP: No servers left in LDAP server-group. Perform method failover
001363: Apr  5 10:20:13.608 CET: LDAP: Failed to send request. No more LDAP servers left.
001364: Apr  5 10:20:13.608 CET: LDAP: Performing method failover
001365: Apr  5 10:20:19.184 CET: LDAP: Received timer event
001366: Apr  5 10:20:19.184 CET: LDAP: Connection timeout occured. Retrying
001367: Apr  5 10:20:19.184 CET: LDAP: Opening ldap connection ( 10.10.250.111, 389 )ldap_open
ldap_init libldap 4.5 18-FEB-2000
open_ldap_connection
ldap_connect_to_host: 10.10.250.111:389

001368: Apr  5 10:20:19.184 CET: LDAP: socket 0 - connecting to 10.10.250.111 (389)
001369: Apr  5 10:20:19.184 CET: LDAP: socket 0 - connection in progress
001370: Apr  5 10:20:19.184 CET: LDAP: socket 0 - local address 10.10.250.254 (51705)
001371: Apr  5 10:20:19.184 CET: LDAP: Connection on socket 0
001372: Apr  5 10:20:19.184 CET: LDAP: Connection to LDAP server (dc01, 10.10.250.111) attempted
001373: Apr  5 10:20:19.184 CET: LDAP: Connection state: DOWN => CONNECTING
001374: Apr  5 10:20:19.184 CET: LDAP: Received socket event
001375: Apr  5 10:20:19.184 CET: LDAP: Checking the conn status
001376: Apr  5 10:20:19.184 CET: LDAP: Socket read event socket=0
001377: Apr  5 10:20:19.184 CET: LDAP: Found socket ctx
001378: Apr  5 10:20:19.184 CET: LDAP: Making socket conn up
001379: Apr  5 10:20:19.184 CET: LDAP: Notify the protocol codeldap_open successful
Notify LDAP main if it has to initiate any bind requests

001380: Apr  5 10:20:19.184 CET: LDAP: Protocol received transport up notication
001381: Apr  5 10:20:19.184 CET: LDAP: Connection state: CONNECTING => UP
001382: Apr  5 10:20:19.184 CET: LDAP: Set socket=0 to non blocking mode
001383: Apr  5 10:20:19.184 CET: LDAP: Performing Root-Dn bind operationldap_req_encode
Doing socket write
001384: Apr  5 10:20:19.188 CET: LDAP: Root Bind on CN=LDAPReader,CN=Room,DC=customer,DC=local initiated.
001385: Apr  5 10:20:19.188 CET: LDAP: Received socket event
001386: Apr  5 10:20:19.684 CET: LDAP: Received socket event
001387: Apr  5 10:20:19.684 CET: LDAP: Checking the conn status
001388: Apr  5 10:20:19.684 CET: LDAP: Socket read event socket=0
001389: Apr  5 10:20:19.684 CET: LDAP: Found socket ctx
001390: Apr  5 10:20:19.684 CET: LDAP: Receive event: read=1, errno=9 (Bad file number)
001391: Apr  5 10:20:19.684 CET: LDAP: Passing the client ctx=87179024ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x86A7DB08

Doing socket read
LDAP-TCP:Bytes read = 22
ldap_match_request succeeded for msgid 1 h 0
changing lr 0x85034958 to COMPLETE as no continuations
removing request 0x85034958 from list as lm 0x8715A3F8 all 0
ldap_msgfree
ldap_msgfree

001392: Apr  5 10:20:19.688 CET: LDAP: LDAP Messages to be processed: 1
001393: Apr  5 10:20:19.688 CET: LDAP: LDAP Message type: 97
001394: Apr  5 10:20:19.688 CET: LDAP: Got ldap transaction context from reqid 26ldap_parse_result

001395: Apr  5 10:20:19.688 CET: LDAP: resultCode:    0     (Success)
001396: Apr  5 10:20:19.688 CET: LDAP: Received Bind Response
001397: Apr  5 10:20:19.688 CET: LDAP: Received Root Bind Response ldap_parse_result

001398: Apr  5 10:20:19.688 CET: LDAP: Ldap Result Msg: SUCCESS, Result code =0
001399: Apr  5 10:20:19.688 CET: LDAP: Root DN bind Successful on :CN=LDAPReader,CN=Room,DC=Customer,DC=local
001400: Apr  5 10:20:19.688 CET: LDAP: Transaction context removed from list [ldap reqid=26]ldap_msgfree
ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_err2string

001401: Apr  5 10:20:19.688 CET: LDAP: Finished processing ldap msg, Result:Success
001402: Apr  5 10:20:19.688 CET: LDAP: Received socket event
001403: Apr  5 10:20:33.832 CET: LDAP: LDAP: Queuing AAA request 79 for processing
001404: Apr  5 10:20:33.832 CET: LDAP: Received queue event, new AAA request
001405: Apr  5 10:20:33.832 CET: LDAP: LDAP authentication request
001406: Apr  5 10:20:33.832 CET: LDAP: Attempting first  next available LDAP server
001407: Apr  5 10:20:33.832 CET: LDAP: Got next LDAP server :dc01
001408: Apr  5 10:20:33.832 CET: LDAP: First Task: Send search req
001409: Apr  5 10:20:33.832 CET: LDAP: Check the default map for aaa type=username
001410: Apr  5 10:20:33.832 CET: LDAP: Ldap Search Req sent
                    ld          2266468388
                    base dn     OU=Lokaal10,OU=Room,DC=customer,DC=local
                    scope       2
                    filter      (&(objectclass=sAMAccountName)(cn=armandputs))ldap_req_encode
put_filter "(&(objectclass=sAMAccountName)(cn=armandputs))"
put_filter: AND
put_filter_list "(objectclass=sAMAccountName)(cn=armandputs)"
put_filter "(objectclass=sAMAccountName)"
put_filter: simple
put_filter "(cn=armandputs)"
put_filter: simple
Doing socket write
001411: Apr  5 10:20:33.836 CET: LDAP:  LDAP search request sent successfully (reqid:27)
001412: Apr  5 10:20:33.836 CET: LDAP: Sent the LDAP request to server
001413: Apr  5 10:20:34.344 CET: LDAP: Received socket event
001414: Apr  5 10:20:34.344 CET: LDAP: Checking the conn status
001415: Apr  5 10:20:34.344 CET: LDAP: Socket read event socket=0
001416: Apr  5 10:20:34.344 CET: LDAP: Found socket ctx
001417: Apr  5 10:20:34.344 CET: LDAP: Receive event: read=1, errno=9 (Bad file number)
001418: Apr  5 10:20:34.344 CET: LDAP: Passing the client ctx=87179024ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x86A7DB08

Doing socket read
LDAP-TCP:Bytes read = 22
ldap_match_request succeeded for msgid 2 h 0
changing lr 0x85034958 to COMPLETE as no continuations
removing request 0x85034958 from list as lm 0x8715A3F8 all 0
ldap_msgfree
ldap_msgfree

001419: Apr  5 10:20:34.348 CET: LDAP: LDAP Messages to be processed: 1
001420: Apr  5 10:20:34.348 CET: LDAP: LDAP Message type: 101
001421: Apr  5 10:20:34.348 CET: LDAP: Got ldap transaction context from reqid 27ldap_parse_result

001422: Apr  5 10:20:34.348 CET: LDAP: resultCode:    0     (Success)
001423: Apr  5 10:20:34.348 CET: LDAP: Received Search Response resultldap_parse_result

001424: Apr  5 10:20:34.348 CET: LDAP: Ldap Result Msg: SUCCESS, Result code =0
001425: Apr  5 10:20:34.348 CET: LDAP: Failed to get any search entries ldap_msgfree

001426: Apr  5 10:20:34.348 CET: LDAP: Closing transaction and reporting error to AAA
001427: Apr  5 10:20:34.348 CET: LDAP: Transaction context removed from list [ldap reqid=27]
001428: Apr  5 10:20:34.348 CET: LDAP: Notifying AAA: REQUEST FAILED
001429: Apr  5 10:20:34.348 CET: LDAP: Received socket event

I'm not really good at AD, but "armandputs" is my sAMAccountName in the AD. My CN=Armand Puts in the AD. So there is still something going wrong. Any ideas?

Thanks!

Umanath S
Cisco Employee

Hi Armand,

For this to work you need to configure the ldap attribute-map and attach it to the LDAP server configuration. Please refer to the configs below.

!
ldap attribute-map ldap-username-map
 map type sAMAccountName username
!
ldap server ss-ldap
 ipv4 x.x.x.x
 attribute map ldap-username-map   <=====
 bind authenticate root-dn cn=administrator,cn=users,dc=ssstest,dc=com password Cisco
 base-dn cn=users,dc=ssstest,dc=com
 search-filter user-object-type top
 authentication bind-first

Thanks

Umanath

Umans@cisco.com

Umanath, I deployed a similar config and it did not work.

Below, username is scrubbed with variable. It was showing exactly what I typed into the VPN Client authentication dialog. Would not work with or without DOMAIN\ in front of username.

Here is what the LDAP debugs were showing:

002747: Oct  1 15:35:09.048 MST: LDAP: Dynamic map configured
002748: Oct  1 15:35:09.048 MST: LDAP: Dynamic map found for aaa type=username
002749: Oct  1 15:35:09.048 MST: LDAP: Bind: User-DN=sAMAccountName=,CN=Users,DC=gdbhq,DC=localldap_req_encode
Doing socket write
002750: Oct  1 15:35:09.048 MST: LDAP:  LDAP bind request sent successfully (reqid=375)
002751: Oct  1 15:35:09.048 MST: LDAP: Sent the LDAP request to server
002752: Oct  1 15:35:09.564 MST: LDAP: Received socket event
002753: Oct  1 15:35:09.564 MST: LDAP: Checking the conn status
002754: Oct  1 15:35:09.564 MST: LDAP: Socket read event socket=0
002755: Oct  1 15:35:09.564 MST: LDAP: Found socket ctx
002756: Oct  1 15:35:09.564 MST: LDAP: Receive event: read=1, errno=9 (Bad file number)
002757: Oct  1 15:35:09.564 MST: LDAP: Passing the client ctx=310A5FB8ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x2B7661DC
Doing socket read
LDAP-TCP:Bytes read = 109
ldap_match_request succeeded for msgid 10 h 0
changing lr 0x31244FE8 to COMPLETE as no continuations
removing request 0x31244FE8 from list as lm 0x2BFA8EF4 all 0
ldap_msgfree
ldap_msgfree
002758: Oct  1 15:35:09.564 MST: LDAP: LDAP Messages to be processed: 1
002759: Oct  1 15:35:09.564 MST: LDAP: LDAP Message type: 97
002760: Oct  1 15:35:09.564 MST: LDAP: Got ldap transaction context from reqid 375ldap_parse_result
002761: Oct  1 15:35:09.564 MST: LDAP: resultCode:    49     (Invalid credentials)
002762: Oct  1 15:35:09.564 MST: LDAP: Received Bind Responseldap_parse_result
ldap_err2string
002763: Oct  1 15:35:09.564 MST: LDAP: Ldap Result Msg: FAILED:Invalid credentials, Result code =49

When I take the map out, it works if I use the full CN (input "Firstname Lastname" into VPN authentication dialog), but I can not get it to work with the map. Here are the scrubbed configs with the map in use.

aaa group server ldap LDAP-GROUP
 server SERVER1
 server SERVER2
!
aaa authentication login AAA-CRYPTO-USER group ldap local
!
ldap attribute-map LDAP-USERNAME-MAP
 map type sAMAccountName username
!
ldap server SERVER1
 ipv4 192.168.0.1
 attribute map LDAP-USERNAME-MAP
 timeout retransmit 20
 bind authenticate root-dn CN=,CN=,DC=,DC= password
 base-dn CN=,DC=g,DC=
 search-filter user-object-type top
 authentication bind-first
!
ldap server SERVER2
 ipv4 192.168.0.2
 attribute map LDAP-USERNAME-MAP
 timeout retransmit 20
 bind authenticate root-dn CN=,CN=,DC=,DC= password
 base-dn CN=,DC=g,DC=
 search-filter user-object-type top
 authentication bind-first
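Reading the two debugs above by hand is error-prone, so here is a small triage script, added for this thread and not from Cisco or from any poster, that pulls the search filter, the bind User-DN and each resultCode out of `debug ldap all` output and flags the two patterns seen in this thread: an attribute name (sAMAccountName) used as the `user-object-type`, which becomes `(objectclass=sAMAccountName)` and can never match an AD object, and a bind User-DN composed as `sAMAccountName=<user>,<base-dn>`, which is not how AD names user objects (their RDN is CN=) and so comes back as resultCode 49. The sample lines are copied from the debugs posted above; the set of object classes it accepts as plausible is an assumption.

```python
"""Triage helper for IOS 'debug ldap all' output (added example, not Cisco's).
It extracts the search filter, the bind User-DN and every resultCode, then
flags the two misconfigurations that appear in this thread."""
import re

# Sample input: lines copied from the debugs posted in this thread, trimmed
# to the ones that matter for triage.
SAMPLE_DEBUG = """\
001395: Apr  5 10:20:19.688 CET: LDAP: resultCode:    0     (Success)
                    filter      (&(objectclass=sAMAccountName)(cn=armandputs))ldap_req_encode
001422: Apr  5 10:20:34.348 CET: LDAP: resultCode:    0     (Success)
001425: Apr  5 10:20:34.348 CET: LDAP: Failed to get any search entries ldap_msgfree
001428: Apr  5 10:20:34.348 CET: LDAP: Notifying AAA: REQUEST FAILED
002749: Oct  1 15:35:09.048 MST: LDAP: Bind: User-DN=sAMAccountName=,CN=Users,DC=gdbhq,DC=localldap_req_encode
002761: Oct  1 15:35:09.564 MST: LDAP: resultCode:    49     (Invalid credentials)
"""

# Assumption: objectClass values that 'search-filter user-object-type' can
# sensibly name against AD. Anything else is almost certainly an attribute
# name typed in the wrong place.
AD_USER_CLASSES = {"top", "person", "organizationalperson", "user", "inetorgperson"}

FILTER_RE = re.compile(r"filter\s+(\(.*\))(?:ldap_req_encode)?\s*$")
USER_DN_RE = re.compile(r"Bind: User-DN=(.*?)(?:ldap_req_encode)?\s*$")
RESULT_RE = re.compile(r"resultCode:\s+(\d+)\s+\(([^)]*)\)")
OBJECTCLASS_RE = re.compile(r"\(objectclass=([^)]*)\)", re.I)

def analyze(debug_text):
    """Return the filters, bind DNs, (code, text) results and warnings found."""
    report = {"filters": [], "bind_dns": [], "results": [], "warnings": []}
    for line in debug_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            filt = m.group(1)
            report["filters"].append(filt)
            oc = OBJECTCLASS_RE.search(filt)
            if oc and oc.group(1).lower() not in AD_USER_CLASSES:
                report["warnings"].append(
                    "user-object-type '%s' is not an objectClass; the filter "
                    "can never match" % oc.group(1))
            continue
        m = USER_DN_RE.search(line)
        if m:
            dn = m.group(1)
            report["bind_dns"].append(dn)
            if dn.lower().startswith("samaccountname="):
                report["warnings"].append(
                    "bind-first composed the user DN from the mapped attribute "
                    "(%s); AD user DNs start with CN=, expect resultCode 49" % dn)
            continue
        m = RESULT_RE.search(line)
        if m:
            report["results"].append((int(m.group(1)), m.group(2)))
            continue
        if "Failed to get any search entries" in line:
            report["warnings"].append("search returned no entries: check base-dn, "
                                      "the filter and the reader account's rights")
    return report

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DEBUG).items():
        print(key, value)
```

Feed it the full debug rather than the trimmed sample when troubleshooting: the `filter` line tells you exactly what the router sent, and a resultCode 0 followed by "Failed to get any search entries" means the DC answered but nothing under the base-dn matched, which points at the filter or the reader account's rights, not at the password.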

When I tested LDAP, I may have touched a possibly similar phenomenon:

http://ltlnetworker.wordpress.com/2010/11/09/ios-easyvpn-server-with-ldap-authentication/

"It seems this LDAP server does not send a Password attribute which could be checked on the router. That’s why user password authentication requires a bind operation with U1 to the LDAP server which affects the search operation for the next connecting user. It seems the admin bind is overridden by the user bind (maybe an IOS bug) which makes life hard if rights of U1 are not sufficient to see the other user objects. In that case, the LDAP server returns no results to the search operation and the next user is unable to authenticate."

You can compare the configs and logs.
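To see why each of the three configurations in this thread behaves as it does, and to reproduce the bind-override effect described in the quoted blog post, here is a mock of the router's LDAP flows against a small constructed directory. This is an added example, not IOS code and not from any poster; the directory entries, passwords and the access rule (the reader account sees every object, a user sees only its own) are assumptions made for the demonstration. The filter shape `(&(objectclass=<user-object-type>)(<attr>=<user>))` and the bind-first DN shape `<mapped attr>=<user>,<base-dn>` are taken from the debugs above. The escaping function is the RFC 4515 rule for values placed in a filter, which matters whenever the username is passed through from the VPN client unchanged.

```python
"""Mock of the IOS LDAP flows debugged in this thread, run against a
constructed directory so each outcome can be reproduced offline.
Added example: DNs, passwords and the access rule are made up."""
import re

# Constructed AD-like directory: DN -> attributes (names lower-cased).
# "_password" exists only so the mock can check a bind; AD never returns one.
DIRECTORY = {
    "cn=ldapreader,cn=room,dc=customer,dc=local": {
        "objectclass": {"top", "person", "user"},
        "cn": {"ldapreader"}, "samaccountname": {"ldapreader"},
        "_password": "reader-pw",
    },
    "cn=armand puts,ou=room,ou=users,dc=customer,dc=local": {
        "objectclass": {"top", "person", "organizationalperson", "user"},
        "cn": {"armand puts"}, "samaccountname": {"armandputs"},
        "_password": "armand-pw",
    },
    "cn=second user,ou=room,ou=users,dc=customer,dc=local": {
        "objectclass": {"top", "person", "organizationalperson", "user"},
        "cn": {"second user"}, "samaccountname": {"seconduser"},
        "_password": "second-pw",
    },
}
ROOT_DN = "cn=ldapreader,cn=room,dc=customer,dc=local"
ROOT_PW = "reader-pw"
BASE_DN = "ou=room,ou=users,dc=customer,dc=local"
INVALID_CREDENTIALS = 49          # the resultCode seen in the debug above

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed in a filter, so a username such as
    'x)(objectClass=*' cannot rewrite the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ios_filter(user_object_type, user_attr, username):
    """Filter shape IOS sends: (&(objectclass=<user-object-type>)(<attr>=<user>)).
    <attr> is cn unless an attribute map maps another attribute to 'username'."""
    return "(&(objectclass=%s)(%s=%s))" % (
        user_object_type, user_attr, escape_filter_value(username))

_EQUALITY = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")

class Connection:
    """One session to the DC with a single bound identity, like the router:
    each successful bind replaces the identity used by later operations."""
    def __init__(self):
        self.bound_as = None

    def bind(self, dn, password):
        entry = DIRECTORY.get(dn.lower())
        if entry is None or entry["_password"] != password:
            return INVALID_CREDENTIALS
        self.bound_as = dn.lower()
        return 0

    def search(self, base_dn, filt):
        """Subtree search for the AND-of-equalities filters IOS emits. Assumed
        ACL: the reader account sees every object, a user sees only itself."""
        conds = [(a.lower(), v.lower()) for a, v in _EQUALITY.findall(filt)]
        return [dn for dn, attrs in DIRECTORY.items()
                if dn.endswith(base_dn.lower())
                and self.bound_as in (ROOT_DN, dn)
                and all(v in attrs.get(a, set()) for a, v in conds)]

def search_then_bind(conn, username, password, user_object_type="user",
                     user_attr="sAMAccountName"):
    """Default flow: root bind, search for the user's DN, bind as that DN.
    Returns (resultCode, user_dn); 0 means authenticated."""
    if conn.bind(ROOT_DN, ROOT_PW) != 0:
        return INVALID_CREDENTIALS, None
    hits = conn.search(BASE_DN, ios_filter(user_object_type, user_attr, username))
    if len(hits) != 1:                    # "Failed to get any search entries"
        return INVALID_CREDENTIALS, None
    return conn.bind(hits[0], password), hits[0]

def bind_first(conn, username, password, user_attr="sAMAccountName"):
    """'authentication bind-first' with the attribute map: the user DN is
    composed as <mapped attr>=<username>,<base-dn> and bound directly."""
    user_dn = "%s=%s,%s" % (user_attr, username, BASE_DN)
    return conn.bind(user_dn, password), user_dn

def two_users_one_session(conn, rebind_as_root):
    """The quoted blog's scenario: after user 1 authenticates, user 2 is looked
    up on the same session. Without a fresh root bind the search runs with
    user 1's rights and user 2 is never found."""
    rc1, _ = search_then_bind(conn, "armandputs", "armand-pw")
    if rebind_as_root:
        return rc1, search_then_bind(conn, "seconduser", "second-pw")[0]
    hits = conn.search(BASE_DN, ios_filter("user", "sAMAccountName", "seconduser"))
    rc2 = conn.bind(hits[0], "second-pw") if hits else INVALID_CREDENTIALS
    return rc1, rc2

if __name__ == "__main__":
    print(search_then_bind(Connection(), "armandputs", "armand-pw"))
    print(bind_first(Connection(), "armandputs", "armand-pw"))
    print(two_users_one_session(Connection(), rebind_as_root=False))
```

Three things fall out of running it: `user-object-type sAMAccountName` yields a filter with no matching objects, which is the "Failed to get any search entries" line in Armand's debug; the attribute map plus a search-then-bind flow finds the user by sAMAccountName and binds with the real `CN=` DN; and bind-first with the map binds as a DN that does not exist, which is the resultCode 49 in Peter's debug. The two-user case shows why the reader account needs a fresh root bind (or its own session) before every search if user binds share the connection.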

Hello Peter and Armand,

I have been troubleshooting a problem with LDAP, for the purpose of Scansafe, binding with Active Directory, that has been basically hindering its performance.

I have posted a post at:

thread/2236705

Search for the title below, in the Web Security Discussions.

Scansafe ldap resultCode: 49 Invalid Credentials. Default usergroup applied after user's sAMAccount authentication fails after BINDING. Filters are useless. Need serious help!

I believe I may be having a very, very similar problem as you stated, Peter: "it seems the admin bind is overridden by the user bind (may be IOS bug) which makes life hard..." I am not an LDAP expert, and I would appreciate it if any of you could please take a look at it.

Please let me know so I can post configs and logs.

Thank You,

Joe Lourenco
