Yubico Forum https://forum.yubico.com/ |
|
[SOLVED] YubiRADIUS Bind to Active Directory fails https://forum.yubico.com/viewtopic.php?f=29&t=1184 |
Page 1 of 1 |
Author: | bbladesCSE [ Thu Oct 03, 2013 3:31 pm ] |
Post subject: | [SOLVED] YubiRADIUS Bind to Active Directory fails |
I'm trying to set up YubiRADIUS with Active Directory 2012. I've created a dedicated account for the VA to use to bind to AD. Here is the error: Quote: User Import operation started... Connecting to LDAP/AD server. Successfully connected to LDAP/AD server. Binding to server with given user credentials. Failed to bind to server. Failed to find Users. Please check login credentials or Directory Type. Any clue what i am doing wrong here? |
Author: | agonsman [ Sat Oct 05, 2013 7:50 am ] |
Post subject: | Re: [QUESTION] YubiRADIUS Bind to Active Directory fails |
This seems very poorly documented in the YubiRADIUS literature. I'm running successfully against 2012 to authenticate Cisco AnyConnect VPN clients. I spent a long time and went through quite a bit of swearing to get this to work. I was not (and still not) an AD/LDAP expert when I started this so if I point out some things that are obvious, my apologies. They were not obvious to me. User DN is the Full Name of the user, not the login. That is, if I create an AD user with first name LDAP and last name Query and give it the login ldapq, then use "CN=LDAP Query" and not "CN=ldapq" Also, the default filter is pretty poor. You'll probably want something more like: Code: (&(objectCategory=person)(objectClass=user)) This should limit the accounts brought over to those that belong to real people. Lastly, LoginNameIdentifier should be sAMAccountName and not cn. Just like under User DN, cn will yield the full name as the login and not the login you're used to. Hope this helps. |
Author: | bbladesCSE [ Mon Oct 07, 2013 7:34 pm ] |
Post subject: | Re: [QUESTION] YubiRADIUS Bind to Active Directory fails |
Thanks for replying! I always find that anything that uses canonical names and not just a plane old login are always a pain in the rear to get working. Using my example 'Yubi' is the login, and first name of the user I've created for ldap queries, there is no last name. -- I just logged into my YRVA to change the filter and .... WHOA! All my AD users showed up What the EFF??? I seriously have no idea how or why it started working. |
Author: | bbladesCSE [ Wed Oct 16, 2013 3:48 pm ] |
Post subject: | Re: [SOLVED] YubiRADIUS Bind to Active Directory fails |
The only thing i can think of is I used an account that is in the Users OU, and the account name is a single word (where the username and the first name are the same, and there is no last name). I may have created the user on a different domain controller than the one i configured the VA to use to authenticate (i dont explicitly remember which one i used to create the account) and replication too a while, which could be why it 'just started working', perhaps. |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |