Yubico Forum


All times are UTC + 1 hour

PostPosted: Thu Aug 08, 2013 4:02 pm 
Joined: Thu Aug 08, 2013 10:42 am
Posts: 2
Location: Chisinau, Republic of Moldova
Hello!
We bought some yubikeys and now try to configure YubiRADIUS server.
But have some problems:

1. Configuring OpenLDAP.
OpenLDAP server is already configured or it must be configured on YubiRADIUS machine?

I try to add a new tree by "Create Tree", "Name for new DN", "Based on domain name", "ihost.md", "Create example object under new DN?", "Unix user" - but receive error: "Creating base DN dc=ihost, dc=md .. .. failed : no global superior knowledge".
Same error with "Distinguished name"...
Does it need some configurations before add a new tree?

I tried to use external OpenLDAP server, in this case no problems with user management, I added on remote OpenLDAP server a domain "ihost.md" and a user "ob", successfully imported it on YubiRADIUS, added an Yubikey, but can't assign this key to user.
I indicated a "Local" Validation Server, I inserted API Key from manual.

2. Assigning yubikeys to users.

When I try to assign a yubikey to an user, I meet errors.
I tried add "ob" and "ob@ihost.md" from users list and yubikeys list, but unsuccessful, every time I got errors.

When I try to assign a yubikey to a user from users list:
Login Name: ob
YubiKey OTP: vvlehgcnnnet001d16f487c947983524dd58d15a5f95
Error in adding the key mapping : Unknown error

When I try to assign a yubikey to a user from users list:
Login Name: ob@ihost.md
YubiKey OTP: vvlehgcnnnet001d16f487c947983524dd58d15a5f95
Error in adding the key mapping : Invalid Login Name 'ob@ihost.md'

When I try to assign a yubikey to a user from yubikeys list:
Login Name: ob
YubiKey OTP: vvlehgcnnnet001d16f487c947983524dd58d15a5f95
Error in adding the key mapping : Failed to find the user with login name 'o'

When I try to assign a yubikey to a user from yubikeys list:
Login Name: ob@ihost.md
YubiKey OTP: vvlehgcnnnet001d16f487c947983524dd58d15a5f95
Error in adding the key mapping : Unknown error

3. Also, I can't Validate OTP - get error:
Server Responses: Authentication Failed!
Error message: Could not parse Yubikey OTP
What is wrong with this?

I read the "How to deploy YubiRADIUS TFA solution", "Uploading-YubiKeys-to-YubiRADIUS", "YubiRADIUS_Virtual_Appliance_3_6_0" and "YubiKey Authentication Module Design Guideline" manuals.
Also this thread: viewtopic.php?f=29&t=985
But without success...

Please, help me!

_________________
http://proweb.md/ http://secured.md/ http://ihost.md/


Last edited by olegburca on Tue Aug 13, 2013 10:08 am, edited 1 time in total.


PostPosted: Mon Aug 12, 2013 2:23 pm 
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

Please follow the steps to configure YubiRADIUS with Open LDAP:

1. Insert IP address or host name in the browser, and login to webmin using username "root" and password "yubico".
2. Insert the domain name (e.g. test.com) in the text box shown in front of the "Add Domain" button and click on the "Add Domain" button; this will generate the domain for your users.
3. To import the users click on "Domain Name" >> click on the “Users Import" tab.
4. You can import the users from Active Directory or OpenLDAP. To import users there are two modes, "normal mode" and "advanced mode".
a. For normal mode, your Active Directory or OpenLDAP domain name should be the same as the one you created in the YRVA.
1) Select the "Directory Type", whether it is Active Directory or OpenLDAP.
2) Give "LDAP/AD Server Address or Host Name".
3) Admin User.
4) Password.
5) Click on "Save" and then "Import Users".
b. For Advanced mode click on the "Advanced" button.
1) Select "Yes" or "No" for "Use Secure Connection?"
2) Select "Directory Type" as "Active Directory" or "OpenLDAP".
3) Give the "LDAP/AD Server IP Address" or "Host Name".
4) "Backup LDAP/AD Server IP Address" or "Host Name" ("optional" for user authentication only)
5) "Port (use 0 or blank to use the default port)": use this option to give the port number if you have configured one for your AD/LDAP; if not, the default port number is used.
6) "LDAP Version" using this option you can give LDAP version.
7) "Base DN" here you can give LDAP/AD "base_dn" (e.g. DC=example,DC=com).
8) "User DN" here you can give LDAP/AD admin "user_dn" (e.g. CN=Administrator,DC=example,DC=com).
9) "Password" here you can give LDAP/AD admin user "password".
10) "Schedule" here you can select "Hourly" , "Daily" , "Weekly" schedule to import users.
11) "Filter" if you want all users, give filter as "(objectClass=person)"
12) "Login Name Identifier" for Active Directory use "sAMAccountName" or "cn" and for "OpenLDAP" use "uid".
13) Click on "Save" and then "Import Users".
==========================
For Testing please follow the steps below:

In FreeRADIUS instance of YRVA, we need to configure the IP address of the OpenLDAP server to be used for user authentication. As you know, an OpenLDAP instance is already available preconfigured on YRVA VM. We request you to please use this openLDAP instance for the first use and then you can carry on with your AD/LDAP configuration.

1) Create a new domain:

From webmin page for YRVA, go to "Domain" Tab >> put domain name "test.com" and click on "Add Domain" button

2) Import users from openLDAP:

Click on the "test.com" (on newly created domain) >>click on "User Import" tab >> click on "Advanced" button

3) Put the following details into the Advanced mode configuration:

Use Secure Connection? => No
Directory Type => openLDAP
LDAP/AD Server Address or Host Name => <<Local VM IP address>>
Backup LDAP/AD Server Address or Host Name ==> optional or same as above
Port (use 0 or blank to use the default port) ==> 389
LDAP Version ==> 3
Base DN ==> dc=example,dc=com
User DN ==> cn=admin,dc=example,dc=com
Password ==> yubico
Schedule ==> None
Filter ==> (objectClass=person)
Login Name Identifier ==> uid

Click on "Import Users"
============================

5. After importing, it will show you some messages. If the import is successful, click on "Return to previous page" >> "Users/Groups".
6. This will show you all users. To assign a YubiKey to a user there are two ways. Make sure whether your YubiKey is configured to validate against the online YubiKey validation server or the local validation server.
a. If it is validated with online validation server then configure YRVA to online validation server using steps below.
1) Click on the link "YubiRADIUS Virtual Appliance" on the left hand side of the screen.
2) Go to "Global Configuration" tab >> click on "Validation Server" >> select "YubiCloud - Online Validation Service"
and fill information as shown below
1. Client ID: "4233" (without quotation)
2. API Key: "H9xX7BeTIbhYK3xCb/PSEeRVNvY=" (without quotation)
3. Confirm API Key: "H9xX7BeTIbhYK3xCb/PSEeRVNvY=" (without quotation)
4. Click on "save".
b. If it is validated with local validation server then configure YRVA with local validation server using the steps below.
1) Click on the link "YubiRADIUS Virtual Appliance" on the left hand side of the screen.
2) Go to "Global Configuration" tab >> click on "Validation Server" >> select "Local validation Server on YubiRADIUS
Virtual Appliance" and fill information as shown below.
3) Click on "Generate" button this will generate "API Key"
4) Click on "save".

7. To assign the YubiKey to User, Click on the link "YubiRADIUS Virtual Appliance" on the left hand side of the screen.
8. Go to domain by selecting the domain.
9. Click on the link "Assign a new YubiKey".
10. Give the login name of the user and OTP from the YubiKey.
11. In case of "Local Validation Server" you first have to import the YubiKeys. Please refer to section 5.2.4 of the "YubiRADIUS configuration guide" available at http://static.yubico.com/var/uploads/pd ... 5_3_v1.pdf
12. For testing whether YubiKey is assigned to the user or not we need to do the Radtest for that follow the steps below.
a. Click on the link "YubiRADIUS Virtual Appliance" on the left hand side of the screen.
b. The Client secret is "test" by default.
c. Go to the "Troubleshoot" tab and give the username (if there is a single domain in your YRVA instance, you can give only the username; if not, you have to give the username along with the domain name, e.g. "username@domain_name.com").
d. Then LDAP/AD password in the "Password" field.
e. YubiKey OTP in the "YubiKey OTP" or "Temporary Token" field.
f. Click on the "Send Request"
13. If your authentication is successful it will give you a response "Successful" and if not it will give you response "Failure".

Hope this helps! If you have further questions please feel free to write back to "support@yubico.com".

Thanks and best regards,
Samir.


PostPosted: Tue Aug 13, 2013 10:03 am 
Joined: Thu Aug 08, 2013 10:42 am
Posts: 2
Location: Chisinau, Republic of Moldova
Hello, Samir!
Thank you for the answer.

I ALREADY followed these steps, I wrote about this before, but I met errors.
I understand how to manage users in OpenLDAP, how to import users and other operations.

The problem is in errors, not in instructions.

I can not add domain in OpenLDAP, because it return the error: "failed: no global superior knowledge." when I try to create a new Tree.

Regarding the second issue, the user key assignment and validation.
I have already followed these steps, but again I got errors that I wrote about in detail, what I do and what errors system return.

I do not need instructions that I already used, but need help in solving problems that I mentioned.
Can you help me find the cause of this error and solve it?
Maybe it is necessary to post any logs or content of configuration files?

PS: I expanded my message from first post, I hope it is more explicit now.


UPDATE:
/var/log/syslog report:
Quote:
Aug 15 08:58:36 yrva361 ykmap[1368]: LOG_INFO:ykmap-query:dsi:searching for yubikey_prefix : vvlehgcnnnet in db
Aug 15 08:58:36 yrva361 ykmap[1368]: LOG_DEBUG:ykmap-query:dsi:db:DB query is: SELECT * FROM ykmaps WHERE yk_publicname = 'vvlehgcnnnet' and keyword = 'username'
Aug 15 08:58:36 yrva361 ykmap[1368]: LOG_NOTICE:ykmap-query:dsi:no recors for yk_publicname : vvlehgcnnnet
Aug 15 08:58:36 yrva361 ykmap[1368]: LOG_CRIT:ykmap-query:[127.0.0.1] No records exists!


But this yubikey vvlehgcnnnet is in list of known keys!
[Attachment: yubikeys.jpg, a screenshot of the YubiKeys list]


It appears to be a system error, not a user error!

_________________
http://proweb.md/ http://secured.md/ http://ihost.md/
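The mapping query in the syslog excerpt above keys on the OTP's public name, and the third problem in the first post is an OTP that the appliance "could not parse". The following is an added example (my own code, not YubiRADIUS or Yubico code) that splits a YubiKey OTP the way a validator or mapping front end has to, and then reproduces the ykmaps lookup from the log against a constructed in-memory copy of that table. Run on the OTP string exactly as it appears in the post, the parser rejects it: the 32 characters after the vvlehgcnnnet prefix include 0-9 and a, which are outside the modhex alphabet a YubiKey emits. The second OTP and the table rows are constructed for the example.

```python
# Added example (not YubiRADIUS or Yubico code): split a YubiKey OTP the way a
# validation/mapping front end has to, then reproduce the ykmaps lookup that the
# syslog excerpt shows ("SELECT * FROM ykmaps WHERE yk_publicname = ... and
# keyword = 'username'") against a constructed, in-memory copy of that table.
from __future__ import annotations

MODHEX = "cbdefghijklnrtuv"   # YubiKey modhex alphabet: c=0, b=1, ..., v=15
TOKEN_LEN = 32                # encrypted part: 16 AES bytes = 32 modhex chars
MAX_PUBLIC_ID = 16            # public identity is 0..16 modhex chars (0..8 bytes)

# OTP string exactly as posted in the thread.
POSTED_OTP = "vvlehgcnnnet001d16f487c947983524dd58d15a5f95"
# Constructed, well-formed OTP for the same public identity (token part is arbitrary modhex).
GOOD_OTP = "vvlehgcnnnet" + "dfehgbkitnrcujdhlgefikbtngrhvjcl"


def public_id(otp: str) -> str:
    """Return the public identity: everything before the 32-char token.

    The mapping service in the log derives yk_publicname the same way: it takes
    the prefix first and only later decides whether the whole OTP is valid.
    """
    otp = otp.strip()
    if not TOKEN_LEN <= len(otp) <= TOKEN_LEN + MAX_PUBLIC_ID:
        raise ValueError(f"bad OTP length {len(otp)}: expected {TOKEN_LEN}..{TOKEN_LEN + MAX_PUBLIC_ID}")
    return otp[:-TOKEN_LEN]


def parse_otp(otp: str) -> tuple[str, str]:
    """Split an OTP into (public_id, token), rejecting anything that is not modhex.

    A ValueError here is the condition a validator reports as
    'Could not parse YubiKey OTP': wrong length or characters outside the alphabet.
    """
    otp = otp.strip()
    prefix = public_id(otp)                      # length check happens here
    bad = sorted({c for c in otp if c not in MODHEX})
    if bad:
        raise ValueError(f"non-modhex characters in OTP: {''.join(bad)}")
    return prefix, otp[-TOKEN_LEN:]


def modhex_decode(s: str) -> bytes:
    """Decode modhex to bytes (two modhex chars per byte), e.g. to compare a
    public identity with the hex form shown by the personalization tool."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not a modhex string")
    return bytes(MODHEX.index(a) * 16 + MODHEX.index(b) for a, b in zip(s[::2], s[1::2]))


def lookup_username(otp: str, ykmaps: list[dict]) -> str | None:
    """Mirror the ykmap query: find the username row for the OTP's public name.

    Returns None when there is no row, which is the 'No records exists!' outcome
    in the syslog: the key may be in the known-keys list, but the key-to-user
    mapping is a separate record that has to exist.
    """
    name = public_id(otp)
    for row in ykmaps:
        if row["yk_publicname"] == name and row["keyword"] == "username":
            return row["value"]
    return None


# Constructed ykmaps contents: empty (as in the log) vs. with one mapping.
YKMAPS_EMPTY: list[dict] = []
YKMAPS_MAPPED = [{"yk_publicname": "vvlehgcnnnet", "keyword": "username", "value": "ob"}]


def demo() -> dict:
    """Run the checks on the posted OTP and on the constructed one."""
    result = {"public_id": public_id(POSTED_OTP),
              "public_id_hex": modhex_decode(public_id(POSTED_OTP)).hex()}
    try:
        parse_otp(POSTED_OTP)
        result["posted_parses"] = True
    except ValueError as e:
        result["posted_parses"] = False
        result["posted_error"] = str(e)
    result["good_parses"] = parse_otp(GOOD_OTP)[0] == "vvlehgcnnnet"
    result["user_before_mapping"] = lookup_username(GOOD_OTP, YKMAPS_EMPTY)
    result["user_after_mapping"] = lookup_username(GOOD_OTP, YKMAPS_MAPPED)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth separating when debugging this kind of setup: whether the OTP string itself is well-formed (length and alphabet, checked before anything touches a database), and whether a mapping row exists for its public name (the "No records exists!" path, which is independent of the key being present in the known-keys list).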


PostPosted: Fri Aug 16, 2013 1:48 pm 
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

We haven't dealt with configuring multiple domains on the same OpenLDAP server in the past.

However, from Google search we found some links below which may help:

http://www.zytrax.com/books/ldap/ch11/multi-dit.html

https://help.ubuntu.com/10.04/servergui ... erver.html

Regarding the second issue, there is no mapping available in YKMAP database. To map YubiKey with username please follow the steps from earlier post (step numbers 7,8,9).

Thanks and best regards,
Samir.
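On the first problem in the thread, slapd answers "no global superior knowledge" when the DN being added is not inside any suffix it has a database for (and no default referral is configured); "Create Tree" in webmin only adds the base entry, it does not give slapd a naming context for it. The following is an added example, not from the thread and not YubiRADIUS or Yubico code, that makes that check explicit and emits the LDIF that adds a database for the new suffix. It assumes slapd uses cn=config (olc) style configuration and has the hdb backend available; the root password hash, database directory and admin DN are placeholders to replace.

```python
# Added example, not from the thread or from YubiRADIUS/Yubico: what slapd's
# "no global superior knowledge" means for the new tree, and the LDIF that gives
# the server a database (naming context) for the new suffix. Assumptions:
# slapd uses cn=config (olc) configuration, the hdb backend is available, and the
# root password hash, database directory and admin DN are placeholders to replace.
from __future__ import annotations


def domain_to_dn(domain: str) -> str:
    """'ihost.md' -> 'dc=ihost,dc=md' (what webmin's 'based on domain name' does)."""
    labels = [label for label in domain.strip().lower().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)


def _normalize(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def covering_suffix(dn: str, suffixes: list[str]) -> str | None:
    """Return the configured suffix whose subtree contains dn, or None.

    slapd routes an add by the target DN's suffix. If no database suffix
    covers the DN and no default referral is set, the add fails with
    'no global superior knowledge', the error quoted in the thread.
    """
    target = _normalize(dn)
    for suffix in suffixes:
        s = _normalize(suffix)
        if target == s or target.endswith("," + s):
            return suffix
    return None


def suffix_ldif(domain: str, root_pw_hash: str, db_dir: str, backend: str = "hdb") -> str:
    """LDIF to add a new database for the domain's suffix through cn=config.

    Apply with:  ldapadd -Y EXTERNAL -H ldapi:/// -f add-suffix.ldif
    db_dir must already exist and be owned by the user slapd runs as.
    """
    suffix = domain_to_dn(domain)
    return "\n".join([
        f"dn: olcDatabase={backend},cn=config",
        "objectClass: olcDatabaseConfig",
        f"objectClass: olc{backend.capitalize()}Config",   # olcHdbConfig / olcMdbConfig
        f"olcDatabase: {backend}",
        f"olcSuffix: {suffix}",
        f"olcRootDN: cn=admin,{suffix}",
        f"olcRootPW: {root_pw_hash}",                       # output of slappasswd
        f"olcDbDirectory: {db_dir}",
        "olcDbIndex: objectClass eq",
        "olcDbIndex: uid eq",                                # YRVA imports by uid
        "",
    ])


def base_entry_ldif(domain: str) -> str:
    """LDIF for the base entry of the new tree (what 'Create Tree' tried to add)."""
    suffix = domain_to_dn(domain)
    first_dc = suffix.split(",")[0][len("dc="):]
    return "\n".join([
        f"dn: {suffix}",
        "objectClass: top",
        "objectClass: dcObject",
        "objectClass: organization",
        f"dc: {first_dc}",
        f"o: {domain}",
        "",
    ])


if __name__ == "__main__":
    existing = ["dc=example,dc=com"]   # the suffix used in the YRVA OpenLDAP steps above
    new_dn = domain_to_dn("ihost.md")
    # None: no database covers dc=ihost,dc=md, hence the error from 'Create Tree'
    print(f"{new_dn} covered by {covering_suffix(new_dn, existing)!r}")
    print(suffix_ldif("ihost.md", "{SSHA}REPLACE-WITH-slappasswd-OUTPUT", "/var/lib/ldap/ihost.md"))
    print(base_entry_ldif("ihost.md"))
```

Order matters: add the database entry first over the ldapi:/// socket as the config admin, then add the base entry as the new root DN (ldapadd -x -D cn=admin,dc=ihost,dc=md -W -f base.ldif), and only then point the YRVA advanced import at Base DN dc=ihost,dc=md and User DN cn=admin,dc=ihost,dc=md with uid as the login name identifier.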

