Yubico Forum
Author Message
PostPosted: Thu Oct 03, 2013 3:31 pm 

Joined: Thu Oct 03, 2013 3:12 pm
Posts: 5
I'm trying to set up YubiRADIUS with Active Directory 2012. I've created a dedicated account for the VA to use to bind to AD.

[image not reproduced]


Here is the error:
Quote:
User Import operation started...
Connecting to LDAP/AD server.
Successfully connected to LDAP/AD server.
Binding to server with given user credentials.
Failed to bind to server.
Failed to find Users.
Please check login credentials or Directory Type.



Any clue what I am doing wrong here?


Last edited by bbladesCSE on Wed Oct 16, 2013 3:44 pm, edited 1 time in total.


PostPosted: Sat Oct 05, 2013 7:50 am 

Joined: Fri Oct 04, 2013 5:26 pm
Posts: 1
This seems very poorly documented in the YubiRADIUS literature. I'm running successfully against 2012 to authenticate Cisco AnyConnect VPN clients.

I spent a long time and went through quite a bit of swearing to get this to work. I was not (and still am not) an AD/LDAP expert when I started this, so if I point out some things that are obvious, my apologies. They were not obvious to me.

User DN is the Full Name of the user, not the login. That is, if I create an AD user with first name LDAP and last name Query and give it the login ldapq, then use "CN=LDAP Query" and not "CN=ldapq"

Also, the default filter is pretty poor. You'll probably want something more like:
Code:
(&(objectCategory=person)(objectClass=user))


This should limit the accounts brought over to those that belong to real people.

Lastly, LoginNameIdentifier should be sAMAccountName and not cn. Just like under User DN, cn will yield the full name as the login and not the login you're used to.

Hope this helps.


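The three settings in the post above (a bind DN built from the object's CN rather than its login, a filter that keeps only person objects, and sAMAccountName as the LoginNameIdentifier) can be checked against a small in-memory model before touching the appliance. The Python below is an added example written for this page; it is not YubiRADIUS code and not any poster's. The example.com domain and all three directory entries are constructed: the "LDAP Query"/ldapq user from the post above, the single-word "Yubi" account from the original post, and a computer account, which in AD also carries objectClass=user and so is swept up by a filter on objectClass alone. The `(objectClass=user)` "before" filter is an assumed naive filter, not the product default, which the thread does not quote. The filter evaluator covers only the RFC 4515 subset these filters use.

```python
BASE_DN = "DC=example,DC=com"            # assumed domain, not taken from the thread
SCHEMA = "CN=Schema,CN=Configuration," + BASE_DN
AD_FILTER = "(&(objectCategory=person)(objectClass=user))"  # filter from the post above
NAIVE_FILTER = "(objectClass=user)"      # assumed 'before' filter, not the product default

# Constructed entries; values are lists, as LDAP returns multi-valued attributes.
# userPassword stands in for the bind check here; AD never returns it.
DIRECTORY = {
    "CN=LDAP Query,CN=Users," + BASE_DN: {        # display name differs from login
        "cn": ["LDAP Query"], "sAMAccountName": ["ldapq"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": ["CN=Person," + SCHEMA], "userPassword": ["s3cret"],
    },
    "CN=Yubi,CN=Users," + BASE_DN: {              # single-word account: cn == login
        "cn": ["Yubi"], "sAMAccountName": ["Yubi"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": ["CN=Person," + SCHEMA], "userPassword": ["s3cret"],
    },
    "CN=VPN-GW01,CN=Computers," + BASE_DN: {      # machine account, also objectClass=user
        "cn": ["VPN-GW01"], "sAMAccountName": ["VPN-GW01$"],
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "objectCategory": ["CN=Computer," + SCHEMA],
    },
}

def get_attr(entry, name):
    """Attribute names are case-insensitive in LDAP; return the value list or []."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value)."""
    pos = 0
    peek = lambda: text[pos:pos + 1]         # "" at end of input

    def parse():
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = peek()
        if op and op in "&|!":
            pos += 1
            children = []
            while peek() == "(":
                children.append(parse())
            if peek() != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children)
        end = text.index(")", pos)           # ValueError if the filter is unterminated
        attr, sep, value = text[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"expected attr=value at offset {pos}")
        pos = end + 1
        return ("=", attr, value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = get_attr(entry, attr)
    if attr.lower() == "objectcategory":
        # AD stores objectCategory as a schema DN but accepts the bare class name; compare the leading CN.
        values = [v.split(",", 1)[0].split("=", 1)[1] for v in values]
    return any(v.lower() == value.lower() for v in values)

def bind(user_dn, password):
    """Simple bind: the DN must name an existing object (DNs compare case-insensitively) and the password must match."""
    entry = next((e for dn, e in DIRECTORY.items() if dn.lower() == user_dn.lower()), None)
    return entry is not None and password in get_attr(entry, "userPassword")

def search(filter_text, base_dn=BASE_DN):
    """DNs under base_dn matching the filter, sorted for stable output."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, e in DIRECTORY.items()
                  if dn.lower().endswith(base_dn.lower()) and matches(node, e))

def import_logins(filter_text, login_attr):
    """Login names an import would produce with this filter and LoginNameIdentifier."""
    return [get_attr(DIRECTORY[dn], login_attr)[0] for dn in search(filter_text)]

if __name__ == "__main__":
    print("bind as CN=LDAP Query:", bind("CN=LDAP Query,CN=Users," + BASE_DN, "s3cret"))
    print("bind as CN=ldapq:     ", bind("CN=ldapq,CN=Users," + BASE_DN, "s3cret"))
    for flt in (NAIVE_FILTER, AD_FILTER):
        print(flt, "->", search(flt))
    print("logins via cn:", import_logins(AD_FILTER, "cn"))
    print("logins via sAMAccountName:", import_logins(AD_FILTER, "sAMAccountName"))
```

Run as a script it shows the three effects in turn: the bind with "CN=ldapq" fails because no object has that DN while "CN=LDAP Query" succeeds, the objectClass-only filter imports the computer account and the objectCategory filter does not, and the same two person objects yield "LDAP Query" as a login under cn but "ldapq" under sAMAccountName. The "Yubi" account comes out the same either way, which is the situation the original poster describes.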
PostPosted: Mon Oct 07, 2013 7:34 pm 

Joined: Thu Oct 03, 2013 3:12 pm
Posts: 5
Thanks for replying! I always find that anything that uses canonical names and not just a plain old login is a pain in the rear to get working. In my example, 'Yubi' is the login and the first name of the user I've created for LDAP queries; there is no last name.

I just logged into my YRVA to change the filter and...
WHOA! All my AD users showed up. What the EFF???

I seriously have no idea how or why it started working.


PostPosted: Wed Oct 16, 2013 3:48 pm 

Joined: Thu Oct 03, 2013 3:12 pm
Posts: 5
The only thing I can think of is that I used an account that is in the Users OU, and the account name is a single word (the username and the first name are the same, and there is no last name). I may have created the user on a different domain controller than the one I configured the VA to use to authenticate (I don't explicitly remember which one I used to create the account), and replication took a while, which could be why it 'just started working', perhaps.

