04-04-2011 02:37 AM
Hi,
I'm running an 881 with c880data-universalk9-mz.151-3.T.bin and now I'm trying to enable LDAP authentication. This works, but it only allows me to authenticate against the full CN (like CN=Firstname Lastname). But I would like to authenticate against the sAMAccountName, since this is the same username the users are using in Windows.
This is my config:
ldap server dc01
ipv4 10.10.250.111
bind authenticate root-dn CN=LDAPReader,CN=Room,DC=customer,DC=local password 7 encrpasswordhere
base-dn OU=Room,OU=Users,DC=customer,DC=local
search-filter user-object-type *
Any idea on how to do this?
Thanks!
Regards,
Armand.
04-04-2011 03:08 AM
Hi,
Honestly, I have never done LDAP authentication with the IOS. Could you please try the following:
search-filter user-object-type sAMAccountName
Let me know how it goes.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
04-05-2011 01:37 AM
Hi Anisha,
I've just removed the search-filter user-object-type * line and added the search-filter user-object-type sAMAccountName line. Then I've performed a debug ldap all:
001356: Apr 5 10:20:13.608 CET: LDAP: LDAP: Queuing AAA request 79 for processing
001357: Apr 5 10:20:13.608 CET: LDAP: Received queue event, new AAA request
001358: Apr 5 10:20:13.608 CET: LDAP: LDAP authentication request
001359: Apr 5 10:20:13.608 CET: LDAP: Attempting first next available LDAP server
001360: Apr 5 10:20:13.608 CET: LDAP: Got next LDAP server :dc01
001361: Apr 5 10:20:13.608 CET: LDAP: Server connection not up. Current state DOWN
001362: Apr 5 10:20:13.608 CET: LDAP: No servers left in LDAP server-group. Perform method failover
001363: Apr 5 10:20:13.608 CET: LDAP: Failed to send request. No more LDAP servers left.
001364: Apr 5 10:20:13.608 CET: LDAP: Performing method failover
001365: Apr 5 10:20:19.184 CET: LDAP: Received timer event
001366: Apr 5 10:20:19.184 CET: LDAP: Connection timeout occured. Retrying
001367: Apr 5 10:20:19.184 CET: LDAP: Opening ldap connection ( 10.10.250.111, 389 )ldap_open
ldap_init libldap 4.5 18-FEB-2000
open_ldap_connection
ldap_connect_to_host: 10.10.250.111:389
001368: Apr 5 10:20:19.184 CET: LDAP: socket 0 - connecting to 10.10.250.111 (389)
001369: Apr 5 10:20:19.184 CET: LDAP: socket 0 - connection in progress
001370: Apr 5 10:20:19.184 CET: LDAP: socket 0 - local address 10.10.250.254 (51705)
001371: Apr 5 10:20:19.184 CET: LDAP: Connection on socket 0
001372: Apr 5 10:20:19.184 CET: LDAP: Connection to LDAP server (dc01, 10.10.250.111) attempted
001373: Apr 5 10:20:19.184 CET: LDAP: Connection state: DOWN => CONNECTING
001374: Apr 5 10:20:19.184 CET: LDAP: Received socket event
001375: Apr 5 10:20:19.184 CET: LDAP: Checking the conn status
001376: Apr 5 10:20:19.184 CET: LDAP: Socket read event socket=0
001377: Apr 5 10:20:19.184 CET: LDAP: Found socket ctx
001378: Apr 5 10:20:19.184 CET: LDAP: Making socket conn up
001379: Apr 5 10:20:19.184 CET: LDAP: Notify the protocol codeldap_open successful
Notify LDAP main if it has to initiate any bind requests
001380: Apr 5 10:20:19.184 CET: LDAP: Protocol received transport up notication
001381: Apr 5 10:20:19.184 CET: LDAP: Connection state: CONNECTING => UP
001382: Apr 5 10:20:19.184 CET: LDAP: Set socket=0 to non blocking mode
001383: Apr 5 10:20:19.184 CET: LDAP: Performing Root-Dn bind operationldap_req_encode
Doing socket write
001384: Apr 5 10:20:19.188 CET: LDAP: Root Bind on CN=LDAPReader,CN=Room,DC=customer,DC=local initiated.
001385: Apr 5 10:20:19.188 CET: LDAP: Received socket event
001386: Apr 5 10:20:19.684 CET: LDAP: Received socket event
001387: Apr 5 10:20:19.684 CET: LDAP: Checking the conn status
001388: Apr 5 10:20:19.684 CET: LDAP: Socket read event socket=0
001389: Apr 5 10:20:19.684 CET: LDAP: Found socket ctx
001390: Apr 5 10:20:19.684 CET: LDAP: Receive event: read=1, errno=9 (Bad file number)
001391: Apr 5 10:20:19.684 CET: LDAP: Passing the client ctx=87179024ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x86A7DB08
Doing socket read
LDAP-TCP:Bytes read = 22
ldap_match_request succeeded for msgid 1 h 0
changing lr 0x85034958 to COMPLETE as no continuations
removing request 0x85034958 from list as lm 0x8715A3F8 all 0
ldap_msgfree
ldap_msgfree
001392: Apr 5 10:20:19.688 CET: LDAP: LDAP Messages to be processed: 1
001393: Apr 5 10:20:19.688 CET: LDAP: LDAP Message type: 97
001394: Apr 5 10:20:19.688 CET: LDAP: Got ldap transaction context from reqid 26ldap_parse_result
001395: Apr 5 10:20:19.688 CET: LDAP: resultCode: 0 (Success)
001396: Apr 5 10:20:19.688 CET: LDAP: Received Bind Response
001397: Apr 5 10:20:19.688 CET: LDAP: Received Root Bind Response ldap_parse_result
001398: Apr 5 10:20:19.688 CET: LDAP: Ldap Result Msg: SUCCESS, Result code =0
001399: Apr 5 10:20:19.688 CET: LDAP: Root DN bind Successful on :CN=LDAPReader,CN=Room,DC=Customer,DC=local
001400: Apr 5 10:20:19.688 CET: LDAP: Transaction context removed from list [ldap reqid=26]ldap_msgfree
ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_err2string
001401: Apr 5 10:20:19.688 CET: LDAP: Finished processing ldap msg, Result:Success
001402: Apr 5 10:20:19.688 CET: LDAP: Received socket event
001403: Apr 5 10:20:33.832 CET: LDAP: LDAP: Queuing AAA request 79 for processing
001404: Apr 5 10:20:33.832 CET: LDAP: Received queue event, new AAA request
001405: Apr 5 10:20:33.832 CET: LDAP: LDAP authentication request
001406: Apr 5 10:20:33.832 CET: LDAP: Attempting first next available LDAP server
001407: Apr 5 10:20:33.832 CET: LDAP: Got next LDAP server :dc01
001408: Apr 5 10:20:33.832 CET: LDAP: First Task: Send search req
001409: Apr 5 10:20:33.832 CET: LDAP: Check the default map for aaa type=username
001410: Apr 5 10:20:33.832 CET: LDAP: Ldap Search Req sent
ld 2266468388
base dn OU=Lokaal10,OU=Room,DC=customer,DC=local
scope 2
filter (&(objectclass=sAMAccountName)(cn=armandputs))ldap_req_encode
put_filter "(&(objectclass=sAMAccountName)(cn=armandputs))"
put_filter: AND
put_filter_list "(objectclass=sAMAccountName)(cn=armandputs)"
put_filter "(objectclass=sAMAccountName)"
put_filter: simple
put_filter "(cn=armandputs)"
put_filter: simple
Doing socket write
001411: Apr 5 10:20:33.836 CET: LDAP: LDAP search request sent successfully (reqid:27)
001412: Apr 5 10:20:33.836 CET: LDAP: Sent the LDAP request to server
001413: Apr 5 10:20:34.344 CET: LDAP: Received socket event
001414: Apr 5 10:20:34.344 CET: LDAP: Checking the conn status
001415: Apr 5 10:20:34.344 CET: LDAP: Socket read event socket=0
001416: Apr 5 10:20:34.344 CET: LDAP: Found socket ctx
001417: Apr 5 10:20:34.344 CET: LDAP: Receive event: read=1, errno=9 (Bad file number)
001418: Apr 5 10:20:34.344 CET: LDAP: Passing the client ctx=87179024ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x86A7DB08
Doing socket read
LDAP-TCP:Bytes read = 22
ldap_match_request succeeded for msgid 2 h 0
changing lr 0x85034958 to COMPLETE as no continuations
removing request 0x85034958 from list as lm 0x8715A3F8 all 0
ldap_msgfree
ldap_msgfree
001419: Apr 5 10:20:34.348 CET: LDAP: LDAP Messages to be processed: 1
001420: Apr 5 10:20:34.348 CET: LDAP: LDAP Message type: 101
001421: Apr 5 10:20:34.348 CET: LDAP: Got ldap transaction context from reqid 27ldap_parse_result
001422: Apr 5 10:20:34.348 CET: LDAP: resultCode: 0 (Success)
001423: Apr 5 10:20:34.348 CET: LDAP: Received Search Response resultldap_parse_result
001424: Apr 5 10:20:34.348 CET: LDAP: Ldap Result Msg: SUCCESS, Result code =0
001425: Apr 5 10:20:34.348 CET: LDAP: Failed to get any search entries ldap_msgfree
001426: Apr 5 10:20:34.348 CET: LDAP: Closing transaction and reporting error to AAA
001427: Apr 5 10:20:34.348 CET: LDAP: Transaction context removed from list [ldap reqid=27]
001428: Apr 5 10:20:34.348 CET: LDAP: Notifying AAA: REQUEST FAILED
001429: Apr 5 10:20:34.348 CET: LDAP: Received socket event
I'm not really good at AD, but "armandputs" is my sAMAccountName in the AD. My CN=Armand Puts in the AD. So there is still something going wrong. Any ideas?
Thanks!
06-20-2012 03:20 AM
Hi Armand,
For this to work you need to configure the ldap attribute-map and attach it to the LDAP server configuration. Please refer to the configs below.
!
ldap attribute-map ldap-username-map
map type sAMAccountName username
!
ldap server ss-ldap
ipv4 x.x.x.x
attribute map ldap-username-map <=====
bind authenticate root-dn cn=administrator,cn=users,dc=ssstest,dc=com password Cisco
base-dn cn=users,dc=ssstest,dc=com
search-filter user-object-type top
authentication bind-first
Thanks
Umanath
10-01-2012 04:51 PM
Umanath, I deployed a similar config and it did not work.
Below, username is scrubbed with
Here is what the LDAP debugs were showing:
002747: Oct 1 15:35:09.048 MST: LDAP: Dynamic map configured
002748: Oct 1 15:35:09.048 MST: LDAP: Dynamic map found for aaa type=username
002749: Oct 1 15:35:09.048 MST: LDAP: Bind: User-DN=sAMAccountName=
,CN=Users,DC=gdbhq,DC=localldap_req_encode Doing socket write
002750: Oct 1 15:35:09.048 MST: LDAP: LDAP bind request sent successfully (reqid=375)
002751: Oct 1 15:35:09.048 MST: LDAP: Sent the LDAP request to server
002752: Oct 1 15:35:09.564 MST: LDAP: Received socket event
002753: Oct 1 15:35:09.564 MST: LDAP: Checking the conn status
002754: Oct 1 15:35:09.564 MST: LDAP: Socket read event socket=0
002755: Oct 1 15:35:09.564 MST: LDAP: Found socket ctx
002756: Oct 1 15:35:09.564 MST: LDAP: Receive event: read=1, errno=9 (Bad file number)
002757: Oct 1 15:35:09.564 MST: LDAP: Passing the client ctx=310A5FB8ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x2B7661DC
Doing socket read
LDAP-TCP:Bytes read = 109
ldap_match_request succeeded for msgid 10 h 0
changing lr 0x31244FE8 to COMPLETE as no continuations
removing request 0x31244FE8 from list as lm 0x2BFA8EF4 all 0
ldap_msgfree
ldap_msgfree
002758: Oct 1 15:35:09.564 MST: LDAP: LDAP Messages to be processed: 1
002759: Oct 1 15:35:09.564 MST: LDAP: LDAP Message type: 97
002760: Oct 1 15:35:09.564 MST: LDAP: Got ldap transaction context from reqid 375ldap_parse_result
002761: Oct 1 15:35:09.564 MST: LDAP: resultCode: 49 (Invalid credentials)
002762: Oct 1 15:35:09.564 MST: LDAP: Received Bind Responseldap_parse_result
ldap_err2string
002763: Oct 1 15:35:09.564 MST: LDAP: Ldap Result Msg: FAILED:Invalid credentials, Result code =49
When I take the map out, it works if I use the full CN (input "Firstname Lastname" into VPN authentication dialog), but I can not get it to work with the map. Here are the scrubbed configs with the map in use.
aaa group server ldap LDAP-GROUP
server SERVER1
server SERVER2
!
aaa authentication login AAA-CRYPTO-USER group ldap local
!
ldap attribute-map LDAP-USERNAME-MAP
map type sAMAccountName username
!
ldap server SERVER1
ipv4 192.168.0.1
attribute map LDAP-USERNAME-MAP
timeout retransmit 20
bind authenticate root-dn CN=
,CN= ,DC= ,DC= password base-dn CN=
,DC=g ,DC= search-filter user-object-type top
authentication bind-first
!
ldap server SERVER2
ipv4 192.168.0.2
attribute map LDAP-USERNAME-MAP
timeout retransmit 20
bind authenticate root-dn CN=
,CN= ,DC= ,DC= password base-dn CN=
,DC=g ,DC= search-filter user-object-type top
authentication bind-first
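The following is an added example, not code from the thread or from Cisco: it models the search filter that Armand's debug shows (`(&(objectclass=...)(...=...))`), the attribute-map fix in Umanath's post, and the `sAMAccountName=<user>,<base-dn>` bind DN seen in the bind-first debugs above, all evaluated against one constructed directory entry. The directory data, function names and the exact rules by which IOS assembles the filter and the bind DN are assumptions made for illustration; the RFC 4515 escaping is a defensive addition for the username, which is attacker-controlled input on an authentication path.

```python
# Added example (not from the thread or from Cisco). Models how the search filter
# in the debugs is built from "search-filter user-object-type" and the attribute
# map, then checks each variant against a constructed directory entry. The
# directory contents and the assembly rules are assumptions for illustration.
import re

# Constructed stand-in for the AD user object the thread talks about.
DIRECTORY = [
    {
        "dn": "CN=Armand Puts,OU=Lokaal10,OU=Room,DC=customer,DC=local",
        "objectclass": ["top", "person", "user"],
        "cn": ["Armand Puts"],
        "sAMAccountName": ["armandputs"],
    }
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a username that ends up inside a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def build_search_filter(username: str, object_type: str, username_attr: str) -> str:
    """Filter shape the IOS debug shows: (&(objectclass=X)(attr=user)).
    object_type comes from 'search-filter user-object-type'; username_attr is
    what 'ldap attribute-map ... map type <attr> username' maps (cn without a map)."""
    return "(&(objectclass=%s)(%s=%s))" % (object_type, username_attr,
                                           escape_filter_value(username))

def search(filt: str, directory=DIRECTORY) -> list:
    """Evaluates the two-term AND filter above against the constructed entries."""
    m = re.fullmatch(r"\(&\(objectclass=([^)]*)\)\(([^=]+)=([^)]*)\)\)", filt)
    oc, attr, value = m.groups()
    return [e["dn"] for e in directory
            if oc.lower() in [c.lower() for c in e["objectclass"]]
            and value in e.get(attr, [])]

def bind_first_dn(username: str, username_attr: str, base_dn: str) -> str:
    """DN shape the bind-first debugs show: <attr>=<user>,<base-dn>. Note it is not
    the entry's real DN (CN=Armand Puts,...), which is why that bind gets code 49."""
    return "%s=%s,%s" % (username_attr, username, base_dn)

if __name__ == "__main__":
    # Attempt 1 from the thread: sAMAccountName used as the object type -> no entries.
    print(search(build_search_filter("armandputs", "sAMAccountName", "cn")))
    # Attempt 2: attribute map in place, object type 'top' -> the user is found.
    print(search(build_search_filter("armandputs", "top", "sAMAccountName")))
    print(bind_first_dn("armandputs", "sAMAccountName", "CN=Users,DC=gdbhq,DC=local"))
```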
11-27-2012 02:29 PM
When I tested LDAP, I may have touched a possibly similar phenomenon:
http://ltlnetworker.wordpress.com/2010/11/09/ios-easyvpn-server-with-ldap-authentication/
"It seems this LDAP server does not send a Password attribute which could be checked on the router. That’s why user password authentication requires a bind operation with U1 to the LDAP server which affects the search operation for the next connecting user. It seems the admin bind is overridden by the user bind (maybe an IOS bug) which makes life hard if rights of U1 are not sufficient to see the other user objects. In that case, the LDAP server returns no results to the search operation and the next user is unable to authenticate."
You can compare the configs and logs.
09-01-2013 09:34 AM
Hello Peter and Armand,
I have been troubleshooting a problem with LDAP, for the purpose of Scansafe, binding with Active Directory, that has been basically hindering its performance.
I have posted a post at:
thread/2236705
Search for the title below, in the Web Security Discussions.
I believe I may be having a very, very similar problem as you stated, Peter: "it seems the admin bind is overridden by the user bind (may be IOS bug) which makes life hard..." I am not an LDAP expert, and I would appreciate it if any of you could please take a look at it.
Please let me know so I can post configs and logs.
Thank You,
Joe Lourenco