Landon
I have played a little bit with your plugin using the testplugin program.
I can see a positive bind and one positive reply for the request for
the user demo999 when looking at the data passed back and forth, but the
plugin replies that the user cannot be found. I wonder why the request
timed out.
If I add the ou attribute to the basedn of the search request, the user
is found and can be authenticated against. Unfortunately this attribute
is not generally known for all users.
administrator@quicksoup:~/src/auth-ldap-2.0/src> ./testplugin ../tests/data/AD.conf
Username: demo999
Password:
LDAP search failed: -5: Timed out
LDAP user "demo999" was not found.
Authorization Failed!
LDAP search failed: -5: Timed out
LDAP user "demo999" was not found.
client-connect failed!
LDAP search failed: 1: Operations error
LDAP user "demo999" was not found.
client-disconnect failed!
config: not working
<LDAP>
# LDAP server URL
URL ldap://ad2.asp.ruf.ch
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=queryuser,CN=Users,DC=ASP,DC=RUF,DC=CH
# Bind Password
Password whatever
# Network timeout (in seconds)
Timeout 15
# Enable TLS
TLSEnable no
# TLS CA Certificate File
#TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
#TLSCACertDir /etc/ssl/certs
# Client Certificate
#TLSCertFile /usr/local/etc/ssl/client-cert.pem
# Client Key
#TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
#TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "dc=asp,dc=ruf,dc=ch"
# User Search Filter
SearchFilter "(sAMAccountName=%u)"
# Require Group Membership
RequireGroup false
</Authorization>
this config works:
....
<Authorization>
# Base DN
BaseDN "ou=mnd999,dc=asp,dc=ruf,dc=ch"
# User Search Filter
SearchFilter "(sAMAccountName=%u)"
# Require Group Membership
RequireGroup false
</Authorization>
administrator@quicksoup:~/src/auth-ldap-2.0/src> ./testplugin ../tests/data/AD.conf
Username: demo999
Password:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!
The authorization filter appears to work well when a known basedn can be
applied. This basedn can be found with a previous query for the dn.
Can this be done with the plugin or does it have to be extended to
include another query?
Thanks
Erich
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
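The two-step procedure Erich describes (search for the user's DN first, then authenticate against that DN) written out as an added example; this is not code from the auth-ldap plugin or from the original post. It reads the same <LDAP>/<Authorization> layout as the posted config, substitutes %u into SearchFilter with RFC 4515 escaping so a crafted username cannot change the filter, searches the whole subtree below BaseDN, and only then binds as the DN it found. Two points a practitioner wants here: a search rooted at the domain DN of Active Directory returns referrals for the other naming contexts, and a client that chases them can stall, so referral chasing is switched off; and an empty password must be rejected before the second bind, because AD treats an empty-password bind as a successful unauthenticated bind. The ldap3 package, the server name, the query account and the password are assumptions (ldap3 is only needed for authenticate(); the parser and filter helpers run offline).

```python
"""Search-then-bind LDAP authentication matching the posted auth-ldap config.

Added example, not the plugin's code. Assumes the ldap3 package for the live
part; parse_config, build_filter and select_user_dn run offline.
"""
import re

try:
    from ldap3 import Server, Connection, SUBTREE, NONE
    from ldap3.core.exceptions import LDAPException
except ImportError:  # offline helpers below still work without ldap3
    Server = Connection = SUBTREE = NONE = LDAPException = None

# Constructed copy of the "not working" config from the post; password is a placeholder.
SAMPLE_CONFIG = """\
<LDAP>
# LDAP server URL
URL ldap://ad2.asp.ruf.ch
BindDN cn=queryuser,CN=Users,DC=ASP,DC=RUF,DC=CH
Password PLACEHOLDER-PASSWORD
Timeout 15
TLSEnable no
#TLSCACertFile /usr/local/etc/ssl/ca.pem
</LDAP>
<Authorization>
BaseDN "dc=asp,dc=ruf,dc=ch"
SearchFilter "(sAMAccountName=%u)"
RequireGroup false
</Authorization>
"""


def parse_config(text):
    """Parse the <Section> / "Key Value" layout into {section: {key: value}}.
    '#' starts a comment, so values containing '#' are not supported here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:
            current = None if tag.group(1) else tag.group(2)
            if current:
                sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("key outside of a section: %r" % raw)
        key, _, value = line.partition(" ")
        sections[current][key] = value.strip().strip('"')
    return sections


# RFC 4515 escaping for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Substitute %u like the plugin's SearchFilter, but escaped, so a name
    such as 'x*)(objectClass=*' cannot widen the search."""
    return template.replace("%u", escape_filter_value(username))


def select_user_dn(response):
    """Pick the DN from an ldap3 search response. Referrals (searchResRef)
    that AD returns for a domain-rooted search are skipped; exactly one
    entry must match, otherwise the user is treated as not found."""
    dns = [e["dn"] for e in response if e.get("type") == "searchResEntry"]
    return dns[0] if len(dns) == 1 else None


def authenticate(config, username, password):
    """Return the user's DN on success, None on failure (needs ldap3 + a reachable server)."""
    ldap_cfg, authz = config["LDAP"], config["Authorization"]
    timeout = int(ldap_cfg.get("Timeout", 15))
    server = Server(ldap_cfg["URL"], get_info=NONE, connect_timeout=timeout)

    # Step 1: bind as the query account and search the whole subtree below BaseDN.
    # auto_referrals=False keeps the client from stalling on AD's referrals.
    with Connection(server, user=ldap_cfg["BindDN"], password=ldap_cfg["Password"],
                    auto_bind=True, auto_referrals=False, receive_timeout=timeout) as conn:
        conn.search(authz["BaseDN"], build_filter(authz["SearchFilter"], username),
                    search_scope=SUBTREE, attributes=["distinguishedName"])
        user_dn = select_user_dn(conn.response)

    # An empty password would be an unauthenticated bind, which AD accepts; refuse it.
    if user_dn is None or not password:
        return None

    # Step 2: bind as the DN found above with the user's own password.
    try:
        with Connection(server, user=user_dn, password=password, auto_bind=True,
                        receive_timeout=timeout):
            return user_dn
    except LDAPException:
        return None


if __name__ == "__main__":
    import getpass
    user = input("Username: ")
    dn = authenticate(parse_config(SAMPLE_CONFIG), user, getpass.getpass("Password: "))
    print("Authorization Succeed! %s" % dn if dn else 'LDAP user "%s" was not found.' % user)
```

With BaseDN left at the domain root and the scope set to subtree, the search finds demo999 wherever its OU is, so no prior knowledge of the ou attribute is needed; the DN that comes back is what the second bind uses.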