Cisco Support Community
Community Member

LDAP Authentication to Novell NDS LDAP server?

I am having a problem with LDAP authentication to a Novell NDS server. This is on an ASA 7.1(2) 5510 talking to Netware 6.5 with all current patches installed. All of the context stuff, as well as the SSL stuff is working just fine. We can clearly see a failed authentication attempt when we type in an incorrect password, so I'm sure the base DN's, search and bind credentials settings are all just fine.

The problem is that when we type in a *correct* password, it still fails from the ASA's perspective, though Novell seems to think everything is fine. The DSTRACE screen shows:

Sending operation result 0:"":"" to connection 0x121dd540

With LDAP debugging on the ASA, we see:

[32] Performing Simple authentication for user to XX.XX.XX.XX

[32] Authentication successful for user to XX.XX.XX.XX

[32] Retrieving user attributes from server XX.XX.XX.XX

callback_aaa_task: status = -3

[32] Fiber exit Tx=192 bytes Rx=26621 bytes, status=-3

[32] Session End

When running the "test" button on ASDM, we get back the cryptic message:

Authentication test to host XX.XX.XX.XX failed. The following error occured

ERROR: Authentication Error: No error.

Despite the above, it truly is broken. Anyone have a clue what might be going wrong? Or does anyone have a successful LDAP from ASA->NDS working? Do I perhaps need some attribute mappings or some other configuration option?

My open TAC case engineer wants a packet trace, but this is an SSL connection, and setting up a non-SSL LDAP server may be problematic.

Thanks all!

Mark Lachniet


Re: LDAP Authentication to Novell NDS LDAP server?

I am not very familier with NDS, but from my understanding of AAA authentication, two things you need to check on the authentication server. One is if the client is configured correctly (with the IP address) and the second is the shared secret key.

Community Member

Re: LDAP Authentication to Novell NDS LDAP server?

That would be for Radius. As it turns out, we got it working by:

A) Selecting the LDAP type of "Microsoft" (was previously set to auto-detect)

B) Fully patching the Netware server.

It seems that both were necessary.

CreatePlease to create content