Yubico Forum

I've been using Yubi-Radius for a while, and now that it isn't supported I've been trying to get Yubix working. I downloaded the virtual appliance, imported it into my Vmware environment, and turned it on. It started up and downloaded/installed a bunch of updates. I then went in through the web interface and went to the 'YubiAuth' section where I checked the 'Authenticate users against LDAP' box, entered my domain controller into the LDAP server URL box (i.e. - ldap://1.2.3.4), and in the 'BindDN for user authentication' box I have "uid={user.name},CN=Yubikey,CN=Users,DC=<domain_name>,DC=local" (I want members of a Yubikey group in Users container to be able to use this RADIUS server). Under the 'OTP Validation' tab, I've left it alone for now and am using the default values. I thought I'd changed it after I got this working. I've added the IP address of my workstation to the RADIUS Clients config, just for testing, and I am unable to get a user authorization locally through the web interface or from the RADIUS client I installed on my local workstation. I don't know where to turn next...

I am having trouble to, authenticating to AD
My problem is that I can not fill out enough information in the configuration tabs.

I know for a fact that I need to provide LDAP bind credentials, since our AD server will not allow users to use their own username to bind to the LDAP server.
In Yubiradius there were some extra fields to fill regarding binding to ldap.
A bind username AND a bind password to start.
The simplified Yubix interface is just that, to simple.........

Please provice documentation on how to use AD as an authentication source.

YubiX only supports LDAP authentication through Simple Bind at the moment, using the users own username and password.

Since Yubix was pushed to replace Yubiradius, I assume you will be expanding the feature set of Yubix to match the featureset Yubiradius had when you closed it down ?
When can we expect the feature compatible version of Yubix ?
Our AD does not allow simple binds based on the users own credentials, we use a special LDAP useraccount for binding for security reasons.
Worked well in Yubiradius and I need the functionality, without it, I can not switch to Yubix.

I need to advise the board about our current situation, and I would like to be able to tell them that all will be well soon.
Can I ?

I second hvbuel in this case.

If it would be possible to bind YubiX to Active Directory and Filtering which users should be able to authenticate through AD, YubiX would be more widely used and would (in my opinion) also be capable of replacing YubiRadius.
What do you think about it?

Update:

Got it working with my Active Directory and Simple Bind.

I used in LDAP the fully qualified server-Name, but I think you can also use the IP-Adress. For example:

ldap://servername.domain.local


The point where it got problematic, was the template for the Bind DN.
When you use Active Directory, it should look like that:

cn={user.name},ou=secondou,ou=firstou,dc=domain,dc=local

So in your example above it should more look like this: "CN={user.name},OU=Yubikey,CN=Users,DC=<domain_name>,DC=local" (Maybe the OU is CN, I'm not sure about it)

It's important, that, when you look at the users in AD, the display name is the same as the user-name the user logs on with. For example, if a user jondoe is there and i'ts shown as John Doe in AD, "CN={user.name}" needs to be "John Doe". Else it won't authenticate. So it would be best to change the display name of that user to "johndoe". Then the display name matches the user name. (I hope you understand, what I mean)


Would still be great if there would be an Extended AD Support for YubiX

I have YubiX working with Active Directory as specified above, but it looks like there are major limitations in how it's implemented.

Is there any way to get authentication working for more than one OU?

For example, say you have these accounts in these pre-defined OUs:

OU=Users1,DC=Subdomain,DC=Domain,DC=net
OU=Users2,DC=Subdomain,DC=Domain,DC=net

So far, the only way I've gotten authentication to work is by using the following:

CN={user.name},OU=Users1,DC=Subdomain,DC=Domain,DC=net

Of which only accounts that are in the Users1 OU can authenticate.

Is there any way to get accounts in both Users1 and Users2 OUs to authenticate?