CE565/CE7325 with MS LDAP Auth - Problem

ralldread
Level 1

Once again it seems I am the first one to use a new product. I have a CE565 that I am trying to get to work with MS LDAP. Anyone had any luck doing this? Cisco TAC is having a difficult time tracing down the problem.

ce565#sho ldap
LDAP Configuration:
-------------------
LDAP Authentication is enabled
Allow mode: disabled
Base DN: DC=domain,DC=com
Filter: <none>
Retransmits: 2
Timeout: 5 seconds
UID Attribute: uid
Group Attribute: memberOf
Administrative DN: <none>
Administrative Password: <none>
LDAP version: 3
LDAP port: 389
Server Status
--------------- ---------
192.168.99.7 primary
<none> secondary

ce565#debug authe http
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2498 ***pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2502 *** pam_ldap: Got username ralldread
Apr 24 22:44:56 ce565 http_authmod: _pam_ldap_get_session:1977 *** pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: _read_config:570 ***pam_ldap: Reading configuration
Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1928 ***pam_ldap: === Host[0] 192.168.99.7 ===
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1851 ***pam_ldap: Connecting...
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1867 ***pam_ldap: Socket timeout 5
Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1891 ***pam_ldap: Connected to 192.168.99.7
Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1948 ***pam_ldap: ServerAlive [1] (up=1, down=0)
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2508 *** pam_ldap: Got session
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2519 *** pam_ldap: Do authentication
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1672 *** pam_ldap: Begin user ralldread
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1059 *** pam_ldap: Host 192.168.99.7
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1063 *** pam_ldap: Open session
Apr 24 22:44:56 ce565 http_authmod: _open_session:927 *** pam_ldap: Begin
Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1074 *** pam_ldap: Binding...
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1676 *** pam_ldap: Connected anonymously
Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1699 *** pam_ldap: Filter (uid=ralldread)
Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2522 *** pam_ldap: Done authentication FAILURE

Any thoughts?

4 Replies

lisa.hall
Level 2

There could be a problem with the LDAP server. If possible try a different server. You may want to reconfigure the CE again in case there is something that did not get configured correctly the first time.

I got it working. I did 2 things. One, I rebuilt the server to make sure Active Directory was working correctly. Two, I changed the DC=domain to be dc=domain. I haven't had a chance to test which one actually fixed it, but here is the config that I am using.

ce565#sho run
device mode content-engine
!
hostname ce565
!
!
http authentication header 407
http authentication cache timeout 1
http authentication cache max-entries 32000
http proxy incoming 8888
!
!
clock timezone EST -5 0
!
!
!
ip domain-name demodomain
!
!
!
https proxy incoming 8888
!
!
interface GigabitEthernet 1/0
ip address 10.10.220.71 255.255.255.0
exit
interface GigabitEthernet 2/0
shutdown
exit
!
!
ip default-gateway 10.10.220.1
!
primary-interface GigabitEthernet 1/0
!
!
no auto-register enable
!
!
!
!
ip name-server 10.10.220.80
!
!
!
!
!
pre-load enable
pre-load depth-level-default 2
pre-load resume
pre-load traverse-other-domains
pre-load url-list-file ftp://ftpuser:ftpuser@10.10.220.80/ce-preload.txt
!
!
!
!
!
!
!
!
transaction-logs enable
transaction-logs log-windows-domain
transaction-logs archive interval every-hour every 10
transaction-logs sanitize
transaction-logs export enable
transaction-logs export interval every-hour every 10
transaction-logs export ftp-server 10.10.220.80 ftpuser ftpuser /
transaction-logs format extended-squid
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
!
!
!
ldap server base "dc=demodomain"
ldap server userid-attribute cn
ldap server host 10.10.220.80 primary
ldap server administrative-dn "cn=administrator,cn=users,dc=demodomain"
ldap server administrative-passwd ****
ldap server active-directory-group enable
ldap server version 3
ldap server enable
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
!
!
url-filter http smartfilter enable
!
!
!
cdm ip 10.10.220.70
cms enable
!
!

I managed to get the LDAP authentication working, however... it only accepts the cn and password.

i.e.: My username is peter and my cn is peter jones, so I can't log in with peter, I have to use peter jones. And the issue arises when smartfilter doesn't seem to accept a space in the username, so the user gets passed to the default policy. I need to get the authentication working with the normal username in order for smartfilter to work correctly. Any ideas?

Here's my config:

cache#sh run
hostname cache
!
!
http authentication header 407
http proxy incoming 8080
http proxy outgoing host 10.10.0.21 8080 primary
!
ftp proxy incoming 8080
ftp proxy outgoing host 10.10.0.21 8080
!
!
!
!
ip domain-name lab.cache.net
!
!
!
https proxy incoming 8080
https proxy outgoing host 10.10.0.21 8080
!
!
interface GigabitEthernet 1/0
ip address 10.10.0.99 255.255.254.0
exit
interface GigabitEthernet 2/0
shutdown
exit
!
!
ip default-gateway 10.10.0.1
!
!
!
no auto-register enable
!
!
!
!
ip name-server 10.10.1.200
!
!
!
!
!
!
!
!
!
!
!
!
!
transaction-logs enable
transaction-logs archive interval every-hour at 0
transaction-logs file-marker
transaction-logs sanitize
transaction-logs export enable
transaction-logs export interval every-hour at 0
transaction-logs export ftp-server 10.10.1.200 administrator **** /proxy/logs
!
!
username admin password 1 .faKN7JYcIVSQ
username admin privilege 15
username Chris password 1 /w9qtoF4qJK0I uid 2001
username Chris privilege 0
!
!
!
ldap server base "dc=lab,dc=cache,dc=net"
ldap server userid-attribute cn
ldap server host 10.10.1.200 primary
ldap server administrative-dn "cn=administrator,cn=users,dc=lab,dc=cache,dc=net"
ldap server administrative-passwd ****
ldap server version 3
ldap server active-directory-group enable
ldap server enable
!
authentication login local enable primary
authentication configuration local enable primary
!
!
!
!
!
url-filter http smartfilter enable
!
!
!
!
cache#

Try using sAMAccountName as the userid-attribute. In Microsoft Active Directory it corresponds to uid:

ldap server userid-attribute sAMAccountName

I hope it will help.
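To show why the three threads' symptoms differ (the default `uid` filter finding nothing, `cn` only accepting "peter jones", and `sAMAccountName` matching the plain logon name), here is an added simulation of the Content Engine's search-then-bind flow, written for this page and not Cisco's code. The directory entries, DNs and passwords are constructed; the only real detail is that AD user objects carry `cn` and `sAMAccountName` but normally no `uid` attribute.

```python
"""Simulate the CE's search-then-bind LDAP authentication against AD-style
entries to show how the userid-attribute choice decides whether a login works."""

# Constructed sample of what an Active Directory user object exposes.
# cn is the display name (may contain spaces); sAMAccountName is the logon
# name; there is no uid attribute, so a (uid=...) filter matches nothing.
DIRECTORY = [
    {"dn": "cn=peter jones,cn=users,dc=lab,dc=cache,dc=net",
     "cn": "peter jones", "sAMAccountName": "peter",
     "_password": "Winter2024!"},   # constructed; AD never exposes passwords
    {"dn": "cn=ralldread,cn=users,dc=demodomain",
     "cn": "ralldread", "sAMAccountName": "ralldread",
     "_password": "demo-pass"},
]

def escape_filter_value(value):
    """RFC 4515 escaping. The name typed at the proxy's 407 prompt is
    interpolated into the search filter, so filter metacharacters must be
    escaped rather than sent raw (an unescaped '*' would match every entry)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_filter(userid_attribute, username):
    """Mirror the 'Filter (uid=ralldread)' line in the debug output."""
    return "(%s=%s)" % (userid_attribute, escape_filter_value(username))

def find_user(userid_attribute, username):
    """Stage 1 of the CE flow: bind (anonymously, or as the administrative DN
    when one is configured) and search for the entry whose userid attribute
    equals the supplied name. AD string matching is case-insensitive."""
    matches = [e for e in DIRECTORY
               if e.get(userid_attribute, "").lower() == username.lower()]
    return matches[0]["dn"] if len(matches) == 1 else None

def authenticate(userid_attribute, username, password):
    """Stage 2: rebind as the DN found in stage 1 with the user's password.
    A missing entry yields FAILURE before any bind, as in the debug log."""
    dn = find_user(userid_attribute, username)
    if dn is None:
        return "FAILURE"
    entry = next(e for e in DIRECTORY if e["dn"] == dn)
    return "SUCCESS" if entry["_password"] == password else "FAILURE"
```

Separately, the first post's `show ldap` lists no administrative DN and the debug shows "Connected anonymously"; Active Directory does not allow anonymous searches below the RootDSE by default, which is a second reason that first lookup can return nothing even with a correct filter.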
