01-29-2018 03:02 PM
Hello ISE LDAP experts,
I am integrating with an LDAP directory that does not contain any groups. I have also been given a restricted view of the users in the directory (I can only see their UID). When I bind to this directory using ISE 2.3 patch 2, I get:
Ldap bind succeeded to iddiraaa.education.local:636
Subject search ended with an error.Please check search base configured properly
Group search ended with an error.Please check search base configured properly
Response time 265ms
My Subject Search Base: CN=Person,DC=IDDir
My Group Search Base: CN=Person,DC=IDDir
If I click on the button "Naming Contexts..." next to each search base, ISE reports "No suggestions from server"
When I bind using Windows ldaps with same credentials, I can view the users just fine.
I read in the ISE Admin Guide that ISE expects to see Groups in the LDAP directory:
01-29-2018 03:15 PM
Try DEBUG on prrt-JNI, AAA-runtime, AAA-config. And, check prrt-server.log.
01-29-2018 03:47 PM
thanks for that!
After some scratching of my head I figured out this had to be done on the PAN, and not the PSN :-p
I ran debug while clicking on "Test Bind to Server"
The two lines in bold look promising, but they don't give me much to go on.
Crypto,2018-01-30 09:40:29,305,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.writeData - success,SSLConnection.cpp:1077
ConnectionHandler,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::handle_input called,LdapTestBindConnectionHandler.cpp:109
ConnectionHandler,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchBindResponse called,LdapTestBindConnectionHandler.cpp:391
Crypto,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.readData - nInDataSize=0, entity=client,SSLConnection.cpp:835
Crypto,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.readData - output-size=22,SSLConnection.cpp:917
Connection,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,LdapBindResponse::update: bind result = 0 (Success),LdapConnectionResponses.cpp:106
Connection,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,LdapBindResponse::update: password policy control is not returned by the server,LdapConnectionResponses.cpp:140
Connection,2018-01-30 09:40:29,309,INFO ,0x7f3f03c96700,LdapSslConnectionContext:sslConnectionEstablished: flag certificate send is true,LdapSslConnectionContext.cpp:402
ConnectionHandler,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchBindResponse::onInput(id = 1102): bind succeeded,LdapTestBindConnectionHandler.cpp:437
Connection,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,LdapConnectionContext::sendSearchRequest(id = 1102): base = CN=Person,DC=IDDir, filter = (objectClass=Group),LdapConnectionContext.cpp:516
Crypto,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.writeData - nInDataSize=71, entity=client,SSLConnection.cpp:970
Crypto,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.writeData - success,SSLConnection.cpp:1077
ConnectionHandler,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::handle_input called,LdapTestBindConnectionHandler.cpp:109
ConnectionHandler,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchGroupSearchResponse called,LdapTestBindConnectionHandler.cpp:575
Crypto,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.readData - nInDataSize=0, entity=client,SSLConnection.cpp:835
Crypto,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.readData - output-size=126,SSLConnection.cpp:917
Connection,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,LdapSearchResponse::update: SDK result = 32(No such object),LdapConnectionResponses.cpp:265
ConnectionHandler,2018-01-30 09:40:29,313,ERROR,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchSearchResponse::onInput(id = 1102): search ended with an error: 150,LdapTestBindConnectionHandler.cpp:596
Crypto,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,NIL-CONTEXT,Crypto::Result=0, Crypto.SSLConnection.pvDone,SSLConnection.cpp:278
Crypto,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,NIL-CONTEXT,shutting session id
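The debug output above answers the question if you read the two right lines together: the search request names the base and filter ISE actually sent (`base = CN=Person,DC=IDDir, filter = (objectClass=Group)`), and the SDK result line gives the server's LDAP result code (`32`, noSuchObject), which refers to the base DN rather than the filter. The following script is an added example, not part of the original post or of ISE: it pulls those fields out of `prrt-server.log` lines of the format shown above and attaches the standard RFC 4511 meaning of the result code. The sample log is a constructed excerpt of the lines quoted in the post; the field layout is taken from those lines, and the "ISE error 150" code is left uninterpreted because the thread does not explain it.

```python
import re

# Constructed excerpt: the prrt-server.log lines quoted in the post, trimmed to the
# four lines this script needs. The field layout is the same as the real log.
SAMPLE_LOG = """\
Connection,2018-01-30 09:40:29,308,DEBUG,0x7f3f03c96700,LdapBindResponse::update: bind result = 0 (Success),LdapConnectionResponses.cpp:106
Connection,2018-01-30 09:40:29,309,DEBUG,0x7f3f03c96700,LdapConnectionContext::sendSearchRequest(id = 1102): base = CN=Person,DC=IDDir, filter = (objectClass=Group),LdapConnectionContext.cpp:516
Connection,2018-01-30 09:40:29,313,DEBUG,0x7f3f03c96700,LdapSearchResponse::update: SDK result = 32(No such object),LdapConnectionResponses.cpp:265
ConnectionHandler,2018-01-30 09:40:29,313,ERROR,0x7f3f03c96700,LdapTestBindConnectionHandler::fetchSearchResponse::onInput(id = 1102): search ended with an error: 150,LdapTestBindConnectionHandler.cpp:596
"""

# Standard LDAP result codes (RFC 4511, section 4.1.9) and what each one tells you
# about an ISE "Test Bind to Server" failure.
LDAP_RESULT_HINTS = {
    0: "success: if no entries came back, the filter (objectClass or attribute names) matched nothing under the base",
    32: "noSuchObject: the search base DN does not exist on this server; fix the DN, not the filter",
    34: "invalidDNSyntax: the search base is not a well-formed DN",
    49: "invalidCredentials: bind DN or password rejected",
    50: "insufficientAccessRights: the bind account may not read that subtree",
}

BIND_RE = re.compile(r"LdapBindResponse::update: bind result = (\d+) \((.*?)\)")
# The base DN itself contains commas, so match lazily up to ', filter = ' and anchor
# the filter on the trailing 'file.cpp:line' field.
SEARCH_RE = re.compile(r"sendSearchRequest\(id = (\d+)\): base = (.+?), filter = (\(.+\)),\S+\.cpp:\d+$")
RESULT_RE = re.compile(r"LdapSearchResponse::update: SDK result = (\d+)\((.*?)\)")
ERROR_RE = re.compile(r"onInput\(id = (\d+)\): search ended with an error: (\d+)")


def analyze(log_text):
    """Return {'bind': (code, text), 'searches': [per-search dicts]} for one test bind."""
    report = {"bind": None, "searches": []}
    pending = {}  # connection id -> search still waiting for its SDK result line
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            report["bind"] = (int(m.group(1)), m.group(2))
            continue
        m = SEARCH_RE.search(line)
        if m:
            search = {"id": m.group(1), "base": m.group(2), "filter": m.group(3),
                      "result_code": None, "result_text": None, "ise_error": None, "hint": None}
            pending[search["id"]] = search
            report["searches"].append(search)
            continue
        m = RESULT_RE.search(line)
        if m and pending:
            # The SDK result line carries no request id; it belongs to the newest open search.
            search = list(pending.values())[-1]
            search["result_code"] = int(m.group(1))
            search["result_text"] = m.group(2)
            search["hint"] = LDAP_RESULT_HINTS.get(search["result_code"], "see RFC 4511 section 4.1.9")
            continue
        m = ERROR_RE.search(line)
        if m and m.group(1) in pending:
            # ISE-internal error number; the thread does not document it, so it is only recorded.
            pending.pop(m.group(1))["ise_error"] = int(m.group(2))
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("bind:", result["bind"])
    for s in result["searches"]:
        print("search base=%s filter=%s -> %s (%s): %s"
              % (s["base"], s["filter"], s["result_code"], s["result_text"], s["hint"]))
```

Run it against a full `prrt-server.log` captured while clicking "Test Bind to Server" (the debug must be enabled on the node that performs the test bind, the PAN in the post above). Each subject and group search gets its own line, so you can see which of the two search bases the server rejected and whether the failure was the base (32) or simply an empty result (0) from a filter that matched nothing.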
01-29-2018 03:59 PM
You would need to customize the LDAP server settings so that ISE can apply group membership to some attribute, even if not a traditional group attribute.
01-29-2018 04:19 PM
Just to be clear on the wording, when you say "so that ISE can apply group membership", what is meant by can apply? Is ISE going to modify something in the LDAP directory (i.e. need write access) or, did you mean that there has to exist a Group in the LDAP, and each user MUST be a member of that Group? If so, would any Group suffice?
Sorry for my lack of LDAP understanding. I am relating as best as I can to how I understand Active Directory to work (Users and Groups, and their relationship).
01-29-2018 05:09 PM
Take a look at Slide 17 of ISE 1.3-2.1 Sponsor Authorization on Secondary Attributes
For example, the LDAP schema "Active Directory" in ISE uses the attribute memberOf for groups, but you may map it to another attribute in your LDAP.
01-29-2018 05:16 PM
Maybe a better word would be "reconcile" rather than assign. As shown in the AD example below, there are pointers telling ISE how to examine the schema and extract group objects and members, a fundamental part of defining the LDAP store.
If you do not have the specified group or member attribute defined, then it is possible this will cause LDAP lookup to fail. Note that these are mandatory attributes.
Thanks Hsing. I was thinking of referencing that doc as well as an example of how to manipulate group references. In that doc, I showed how to have ISE treat a different attribute as if it was a group object.
Craig
02-06-2018 03:35 PM
The customer doesn't want to budge on this point. They are questioning why ISE requires this Group concept when any generic LDAP browser will happily bind and traverse the LDAP directory they've created (which only contains a single attribute). This directory was designed and built for simplicity and speed and it works well with other applications they have.
Is there a way around this mandatory Group Map attribute and Group Name attribute in ISE?
02-06-2018 09:20 PM
Arnie, have you tried using default values for groups? I just tested with invalid object names for groups and even for the search space and was able to bind successfully and perform a test auth against the LDAP server. I was not able to add groups, but attributes did appear and were retrieved in the test auth.
That said, if the existing behavior is not working and you are requesting a change in the design, then I suggest submitting an enhancement request to Tal Surasky as the PM for AAA and Id Stores.
02-11-2018 06:05 PM
Hi Craig
I tried various permutations but I think my lack of LDAP understanding is causing me to stumble.
I don't have admin access to the LDAP directory itself to see how it's configured.
But I can browse the directory using Windows Server command ldp. When I search the thing I can see the following
The uid contains the username that I am allowed to query on. That's it. Million dollar question is how to configure ISE to allow me to do so.
My ISE config is as follows:
I can bind, but get error
Ldap bind succeeded to I*********.local:636
Subject search ended with an error.Please check search base configured properly
Group search ended with an error.Please check search base configured properly
Response time 496ms
As far as the General tab is concerned, I don't know whether it resembles what you were talking about, i.e. using dummy values for the Group Map and Group Name attributes?
Nothing I do seems to work.
02-11-2018 07:00 PM
Try saving it away and then re-do the test binding.
I got similar errors as you did and it went ok after saving it.
I followed Ldp Examples: Active Directory to perform search tests on our test AD instance.
02-11-2018 10:07 PM
thanks for that. It turns out that I was given the incorrect Subject ObjectClass and as soon as I substituted that with a wildcard, I was able to move forward (this was also the value I gave the Windows ldp tool in my previous example).
thanks for all the assistance with this. I somehow have an aversion to LDAP and I think it will still haunt me beyond the grave ...
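Why a wildcard Subject ObjectClass fixed it: ISE combines the configured objectClass with the name attribute into the LDAP filter it sends, and a filter that names the wrong class simply matches no entries, whereas `(objectClass=*)` is a presence test that matches any entry. The script below is an added example, not part of the original post or of ISE. It is a small RFC 4515 filter evaluator (and/or/not, equality, presence; no value escaping or extensible matches) run over constructed entries. The `(&(objectClass=...)(uid=...))` shape of the subject filter is an assumption: the thread only shows the group filter `(objectClass=Group)`. The class name `iddirUser` and the entries are invented for illustration.

```python
# Constructed directory entries. The customer's directory carries an objectClass the
# OP was not told about; "iddirUser" is a hypothetical name standing in for it.
ENTRIES = [
    {"objectClass": ["top", "iddirUser"], "uid": ["jdoe"]},
    {"objectClass": ["top", "iddirUser"], "uid": ["ksmith"]},
    {"objectClass": ["top", "person", "inetOrgPerson"], "uid": ["admin"], "cn": ["Admin"]},
]


def parse_filter(text):
    """Parse an RFC 4515 filter string into a tree of ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, i))
        return i + 1, (op, children)
    if s[i] == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! at offset %d" % i)
        return i + 1, ("!", [child])
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated item at offset %d" % i)
    attr, eq, value = s[i:end].partition("=")
    if not eq or not attr or attr[-1] in "<>~:":
        raise ValueError("only equality and presence items are supported: %r" % s[i:end])
    # Attribute types are case-insensitive in LDAP, so normalise the name.
    return end + 1, ("=", attr.strip().lower(), value)


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of attribute -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    if value == "*":  # presence: any entry that has the attribute at all
        return bool(values)
    # caseIgnoreMatch is assumed, which is what uid, cn and objectClass use in practice.
    return any(v.lower() == value.lower() for v in values)


def ise_subject_filter(object_class, name_attr, username):
    """Assumed shape of the subject search ISE issues; only the group filter is visible in the log."""
    return "(&(objectClass=%s)(%s=%s))" % (object_class, name_attr, username)


def find_subjects(entries, filter_text):
    """Return the uid of every entry the filter matches, in directory order."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for cls in ("person", "iddirUser", "*"):
        f = ise_subject_filter(cls, "uid", "jdoe")
        print("%-40s -> %s" % (f, find_subjects(ENTRIES, f)))
```

With the objectClass the OP was originally given (`person` in this constructed data) the filter returns nothing, which is the silent failure that "Test Bind" reports as a subject search error; with the real class or with `*` the user is found. The caveat with the wildcard is that it makes the name attribute alone decide the match, so the Subject Name Attribute must be unique under the subject search base, otherwise ISE can see more than one entry for a username.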
02-12-2018 05:30 AM
Glad you were able to work things out. I was going to provide some examples of some common LDAP records as your earlier examples do not reflect typical schema and objectclass definitions...