Web Authentication via Apple OpenDirectory/LDAP Issues

I apologize if this has been covered elsewhere - I attempted a search for something in the ballpark, but haven't found anything.

I have to maintain a working wireless system (several 4x00-class WLCs, ~200 LWAPs) for a public school system. The system is bound to a pre-existing external RADIUS server that does simple MAC filtering. (Leftover from an earlier wireless system.)


Student MAC spoofing of faculty hardware is becoming an issue and I would like to implement authentication via LDAP to cull out spoofed users. The district here uses mostly Apple servers as a backend.

All directory/auth information here is housed in an Apple OpenDirectory server.

Most of the guides I have seen for setting up AAA server/web auth focus on using Windows/AD as the LDAP backend. I am really out of my depth at knowing what to enter for "Server User Base DN", "Server User Attribute", and "Server User Type".

The OD here uses bog-standard schema. Directory Utility reports something like the following for a search base for "Users":

cn=users, dc=hostname,dc=rest,dc=of,dc=domain,dc=entries

I have tried anything that makes (to me) logical sense for the User Attribute, User Type, etc. Apple's OD schema has all sorts of Apple-style entries like:

dsAttrTypeNative:uid

Have you successfully bound a WLC to Apple's LDAP to use web-auth?

5.2 is on the WLCs here. Any help would be greatly appreciated.

Cisco Employee

Hi Jesse,

Usually the LDAP configuration fields on the WLC should have the following meaning:

1. User Base DN
This should tell us where to search for the users in the LDAP scheme. In AD, for example, this is usually something like
CN=Builtin,CN=Users,DC=mydomain,DC=cisco,DC=com

2. User Attribute
This is the user's attribute that should contain the user name. In AD, for example, this is usually the sAMAccountName.

3. User Object Type
This is the value of the attribute Object Type that should tell us if the object that we found in the LDAP database is a user. In AD, for example, every user contains at least an "Object Type" attribute with the value "Person".

I tried to re-state these fields with personal words, so let me know if more clarifications are needed.
It would then be a matter of understanding how these are translated in the Apple LDAP database.

As a further hint, you may also want to first test by browsing the Apple database with a free LDAP browser such as Softerra:
http://softerra-downloads.com/ldapadmin/ldapbrowser26.msi

Once you'll successfully bind and browse the tree with this browser, you can apply the same settings to the WLC.

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

I installed the Softerra LDAP browser, which was helpful. Thank you.

So, I have set:

User Base DN: cn=users,dc=myhostname,dc=nisk,dc=k12,dc=ny,dc=us
User Attribute: objectClass
User Type: uid

As far as I can tell, I did have the correct Server User Base DN - this user base shows up in the LDAP browser when I select a given user:

cn=users,dc=myhostname,dc=nisk,dc=k12,dc=ny,dc=us

The only field in the LDAP entries that has "person" as a text entry is the "objectClass" attribute. I used this as Server User Attribute.

The "uid" attribute contains the user's shortname/username. I used this for Server User Type.

I can browse unbound/anonymously with Softerra, and have tried both bound and unbound LDAP configs on the WLC. Neither seems to work.

Just to confirm my settings for the WLAN in question, I have:

Layer 3 security set to None, with Web Policy enabled.

Global Web Auth is unchecked,

Web Auth type is set to default internal.

In AAA Servers, everything is set to None or unchecked, except for LDAP server, which is set to reference the LDAP server above.

I appreciate the kind help. Any other suggestions are welcome. I'll continue to poke around with it.

Accepted Solution

Hi Jesse,

Glad that the LDAP browser helped out.
If I may suggest, we should probably test with the following:

User Base DN: cn=users,dc=myhostname,dc=nisk,dc=k12,dc=ny,dc=us
User Attribute: uid
User Type: person

According to the WLC in fact

- User Attribute is the user's attribute that should contain the user name. In AD, for example, this is usually the sAMAccountName.
So in your case this should be set to "uid".
- User Object Type is the value of the attribute Object Type (or objectClass) that should tell us if the object that we found in the LDAP database is a user. In AD, for example, every user contains at least an "Object Type" attribute with the value "Person".
So in your case this should be set to "person".

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
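To see why the two settings cannot be swapped, here is an added example (not code from the thread, Cisco or Apple) that models the controller's user lookup as: take entries under the User Base DN, then require `<User Attribute> = <login name>` and `objectClass = <User Object Type>`. That filter shape is an assumption about the WLC's internal behaviour; the directory contents are constructed, with only the DN suffix taken from the posts above. Run with the recommended values (`uid`/`person`) the user entry is found; with the swapped values (`objectClass`/`uid`) the filter becomes `(&(objectClass=jsmith)(objectClass=uid))`, which matches nothing.

```python
"""Model of the three WLC LDAP settings (User Base DN, User Attribute,
User Object Type) applied to a constructed Apple OpenDirectory-style tree.

The lookup is modelled as: restrict to entries under the base DN, then
require <User Attribute> = <login name> AND objectClass = <User Object Type>.
That is an assumption about the controller's internal behaviour, used here
only to show why the two values cannot be swapped.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    """One directory entry: its DN and its attributes (LDAP attribute names are case-insensitive)."""
    dn: str
    attrs: dict  # attribute name -> list of values


def _normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace after commas, so "cn=users, dc=x" equals "cn=users,dc=x"."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True when `dn` is the base itself or sits anywhere below it (subtree scope)."""
    dn, base_dn = _normalize_dn(dn), _normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def _values(entry: Entry, attr: str) -> list:
    """Case-insensitive attribute lookup returning lower-cased values."""
    for name, vals in entry.attrs.items():
        if name.lower() == attr.lower():
            return [v.lower() for v in vals]
    return []


def build_filter(user_attr: str, user_type: str, login: str) -> str:
    """The search filter the three settings amount to, in RFC 4515 notation."""
    return f"(&({user_attr}={login})(objectClass={user_type}))"


def find_user(directory: list, base_dn: str, user_attr: str, user_type: str, login: str) -> list:
    """Return the DNs under `base_dn` whose <user_attr> holds `login` and whose objectClass holds `user_type`."""
    hits = []
    for entry in directory:
        if not dn_under_base(entry.dn, base_dn):
            continue
        if login.lower() in _values(entry, user_attr) and user_type.lower() in _values(entry, "objectClass"):
            hits.append(entry.dn)
    return hits


# Constructed sample tree: DN suffix copied from the thread, entry contents invented.
BASE_DN = "cn=users, dc=myhostname,dc=nisk,dc=k12,dc=ny,dc=us"
SAMPLE_DIRECTORY = [
    Entry("uid=jsmith,cn=users,dc=myhostname,dc=nisk,dc=k12,dc=ny,dc=us",
          {"objectClass": ["top", "person", "inetOrgPerson", "posixAccount", "apple-user"],
           "uid": ["jsmith"], "cn": ["Jesse Smith"]}),
    Entry("cn=faculty,cn=groups,dc=myhostname,dc=nisk,dc=k12,dc=ny,dc=us",
          {"objectClass": ["top", "posixGroup", "apple-group"], "cn": ["faculty"]}),
]


def compare_settings(login: str = "jsmith") -> dict:
    """Run the lookup with the recommended values and with the swapped values from the earlier post."""
    return {
        "recommended": find_user(SAMPLE_DIRECTORY, BASE_DN, "uid", "person", login),
        "swapped": find_user(SAMPLE_DIRECTORY, BASE_DN, "objectClass", "uid", login),
    }


if __name__ == "__main__":
    for label, attr, typ in (("recommended", "uid", "person"), ("swapped", "objectClass", "uid")):
        print(label, build_filter(attr, typ, "jsmith"),
              find_user(SAMPLE_DIRECTORY, BASE_DN, attr, typ, "jsmith"))
```

The DN normalisation matters because Directory Utility prints the search base with a space after the first comma (`cn=users, dc=...`), and a base DN pasted with or without that space should refer to the same container.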

Thank you for your help. I had tried uid/person as the original setting, but it did not work, but not because it was wrong. Someone had deselected "LDAP" from the available auth methods in auth priority. This setting is NOT exposed in the 5.2 WCS GUI, but IS exposed in the 5.2 WLC GUI. After adding uid/person as the info and setting LDAP as a priority auth method, web authentication works just fine.

Thanks again for your prompt and genuinely helpful replies.

Thank you Jesse, glad that this thread helped you out ;-)

Feel free to ping us back in the future in case you'd need further help with your wireless setup.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Federico,

I have a similar problem as Jesse had. I have a WLC 4402 ver 7.0.98.0, but in my case I have Windows Server 2003.

I have followed the procedure in order to fill all the fields (see attached image), but all the time I received the message "invalid user or password", and the logs display "LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1037 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).[..."

I'm not sure if the information in the fields is correct, mainly in User Base DN, because there are several OUs inside MXMX, which includes all the users:

inside MXMX --> Users --> several OUs (8)

I was provided the bind username and password and I'm sure they are correct because they were used to integrate LDAP with Communications Manager.

I don't know what else to verify; I have spent many hours and I haven't been able to find the solution.

Any additional ideas in order to solve this issue?

Regards,
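The log line quoted in this post carries a standard LDAP result code (RFC 4511), and that code says which part of the configuration the server rejected. As an added example (not from the thread, Cisco or Microsoft), the script below parses `LDAP_CONNECT_SERVER_FAILED` lines in the format shown above and maps the result code to the WLC setting usually at fault; the hint text is my own, and all sample lines except the first are constructed with other result codes to show the mapping. Note that code 49 (invalidCredentials) is returned by the bind step, so it points at the bind username/password rather than at the User Base DN.

```python
"""Triage helper for WLC "LDAP_CONNECT_SERVER_FAILED" log lines.

Parses "... Could not connect to LDAP server <n>, reason: <code> (<text>)"
and maps the standard LDAP result code (RFC 4511) to the controller setting
most likely responsible. Hint wording is the author's own; the sample log is
constructed, with only the first line taken from the thread.
"""
import re

LINE_RE = re.compile(
    r"LDAP_CONNECT_SERVER_FAILED:\s*(?P<src>\S+)\s+Could not connect to LDAP server "
    r"(?P<server>\d+), reason: (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Standard LDAP result codes and the WLC setting each usually points at.
HINTS = {
    32: ("noSuchObject", "User Base DN does not exist on this server; confirm the DN in an LDAP browser"),
    34: ("invalidDNSyntax", "a DN field is malformed (stray characters, missing dc= components)"),
    49: ("invalidCredentials", "bind username/password rejected; on AD try the bind account's full DN or user@domain form"),
    50: ("insufficientAccessRights", "bind account cannot read the user subtree; check its permissions"),
    53: ("unwillingToPerform", "server refused the operation; check whether it requires LDAPS/TLS for binds"),
}


def parse_line(line: str):
    """Return a dict for a matching line, or None for unrelated log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    name, hint = HINTS.get(code, ("unknown", "consult the LDAP server's own log for this code"))
    return {
        "server": int(m.group("server")),  # WLC LDAP server index
        "code": code,
        "name": name,
        "text": m.group("text"),
        "hint": hint,
    }


def triage(lines):
    """Keep only the LDAP failure records from a batch of log lines."""
    return [rec for rec in map(parse_line, lines) if rec]


# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1037 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).",
    "LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1037 Could not connect to LDAP server 2, reason: 32 (No such object).",
    "LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1037 Could not connect to LDAP server 1, reason: 53 (Server is unwilling to perform).",
    "Web-auth user jsmith authenticated via LDAP server 1",  # unrelated line, must be ignored
]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"server {rec['server']}: {rec['code']} {rec['name']} -> {rec['hint']}")
```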

Hi Jesse,

I'm trying to set up web authentication with LDAP on Windows Server 2003, but I cannot validate users on my LDAP. I would like to know if you used a specific wireless client in order to enter the user's info.

Did you use certificates?

Regards,