Yubico Forum

All times are UTC + 1 hour

PostPosted: Mon Mar 31, 2014 11:13 pm 
Joined: Thu Jan 24, 2013 4:11 pm
Posts: 2
I've been using Yubi-Radius for a while, and now that it isn't supported I've been trying to get Yubix working. I downloaded the virtual appliance, imported it into my VMware environment, and turned it on. It started up and downloaded/installed a bunch of updates. I then went in through the web interface and went to the 'YubiAuth' section where I checked the 'Authenticate users against LDAP' box, entered my domain controller into the LDAP server URL box (i.e. - ldap://1.2.3.4), and in the 'BindDN for user authentication' box I have "uid={user.name},CN=Yubikey,CN=Users,DC=<domain_name>,DC=local" (I want members of a Yubikey group in the Users container to be able to use this RADIUS server). Under the 'OTP Validation' tab, I've left it alone for now and am using the default values. I thought I'd change it after I got this working. I've added the IP address of my workstation to the RADIUS Clients config, just for testing, and I am unable to get user authorization locally through the web interface or from the RADIUS client I installed on my local workstation. I don't know where to turn next...



PostPosted: Tue Apr 01, 2014 1:46 pm 
Joined: Thu Nov 10, 2011 8:48 pm
Posts: 22
I am having trouble too, authenticating to AD.
My problem is that I cannot fill out enough information in the configuration tabs.

I know for a fact that I need to provide LDAP bind credentials, since our AD server will not allow users to use their own username to bind to the LDAP server.
In Yubiradius there were some extra fields to fill regarding binding to ldap.
A bind username AND a bind password to start.
The simplified Yubix interface is just that: too simple.

Please provide documentation on how to use AD as an authentication source.


PostPosted: Mon Apr 14, 2014 7:51 am 
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
YubiX only supports LDAP authentication through Simple Bind at the moment, using the user's own username and password.


PostPosted: Wed Apr 23, 2014 9:25 am 
Joined: Thu Nov 10, 2011 8:48 pm
Posts: 22
Since Yubix was pushed to replace Yubiradius, I assume you will be expanding the feature set of Yubix to match the feature set Yubiradius had when you closed it down?
When can we expect the feature-compatible version of Yubix?
Our AD does not allow simple binds based on the users own credentials, we use a special LDAP useraccount for binding for security reasons.
It worked well in Yubiradius and I need the functionality; without it, I cannot switch to Yubix.

I need to advise the board about our current situation, and I would like to be able to tell them that all will be well soon.
Can I?


PostPosted: Sat Apr 26, 2014 5:36 pm 
Joined: Wed Apr 23, 2014 4:32 pm
Posts: 10
I second hvbuel in this case.

If it were possible to bind YubiX to Active Directory and filter which users should be able to authenticate through AD, YubiX would be more widely used and would (in my opinion) also be capable of replacing YubiRadius.
What do you think about it?

Update:

Got it working with my Active Directory and Simple Bind.

In the LDAP URL I used the fully qualified server name, but I think you can also use the IP address. For example:

ldap://servername.domain.local


The point where it got problematic, was the template for the Bind DN.
When you use Active Directory, it should look like that:

cn={user.name},ou=secondou,ou=firstou,dc=domain,dc=local

So in your example above it should look more like this: "CN={user.name},OU=Yubikey,CN=Users,DC=<domain_name>,DC=local" (maybe the OU is CN, I'm not sure about it).

It's important that, when you look at the users in AD, the display name is the same as the username the user logs on with. For example, if a user johndoe is there and it's shown as John Doe in AD, "CN={user.name}" needs to be "John Doe". Otherwise it won't authenticate. So it would be best to change the display name of that user to "johndoe". Then the display name matches the username. (I hope you understand what I mean.)


It would still be great if there were extended AD support for YubiX.


PostPosted: Thu Feb 26, 2015 1:42 am 
Joined: Thu Feb 26, 2015 1:28 am
Posts: 1
I have YubiX working with Active Directory as specified above, but it looks like there are major limitations in how it's implemented.

Is there any way to get authentication working for more than one OU?

For example, say you have these accounts in these pre-defined OUs:

OU=Users1,DC=Subdomain,DC=Domain,DC=net
OU=Users2,DC=Subdomain,DC=Domain,DC=net

So far, the only way I've gotten authentication to work is by using the following:

CN={user.name},OU=Users1,DC=Subdomain,DC=Domain,DC=net

With that, only accounts in the Users1 OU can authenticate.

Is there any way to get accounts in both Users1 and Users2 OUs to authenticate?


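The two patterns discussed in this thread, the templated simple bind that YubiX performs (the Bind DN template from the fourth post, with its CN-must-match-the-logon-name consequence) and the search-then-bind that would be needed to reach accounts in both Users1 and Users2 (the question in the last post), side by side as an added example. This is not YubiX or Yubico code; the sample directory entries, the base DN and the function names are constructed for the example, only the standard library is used, and no domain controller is contacted. The escaping follows RFC 4514 (DN values) and RFC 4515 (filter values), which matters because whatever the RADIUS client sends as the username ends up inside the rendered Bind DN.

```python
"""Added example, not YubiX or Yubico code.

Models the two LDAP authentication patterns from the thread:

  * template bind: the Bind DN is built from a template such as
    "CN={user.name},OU=Users1,DC=Subdomain,DC=Domain,DC=net" and the user's
    password is tried against that exact DN (what YubiX does);
  * search-then-bind: a service account searches for sAMAccountName under a
    common base, then the DN that was found is used for the bind.

The "directory" is a constructed in-memory list, so nothing here talks to a
real domain controller."""

# RFC 4514 section 2.4: characters that need a backslash escape inside an RDN
# value.  Without escaping, a username such as "x,OU=Admins" would add an RDN
# to the rendered Bind DN instead of being treated as one CN value.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)  # leading/trailing space, leading '#'
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside a search filter (RFC 4515)."""
    repl = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(repl.get(ch, ch) for ch in value)


def render_bind_dn(template: str, username: str) -> str:
    """Substitute {user.name} into a Bind DN template, escaping the value."""
    if '{user.name}' not in template:
        raise ValueError('template has no {user.name} placeholder')
    if not username or any(ord(c) < 0x20 for c in username):
        raise ValueError('username is empty or contains control characters')
    return template.replace('{user.name}', escape_dn_value(username))


def build_search_filter(username: str) -> str:
    """Filter a search-then-bind flow would send to locate the account."""
    return '(&(objectClass=user)(sAMAccountName=%s))' % escape_filter_value(username)


# Constructed sample directory laid out like the Users1/Users2 example in the
# last post: (distinguishedName, sAMAccountName).  jdoe's CN is the display
# name "John Doe", not the logon name, the situation the fourth post warns about.
SAMPLE_DIRECTORY = [
    ('CN=John Doe,OU=Users1,DC=Subdomain,DC=Domain,DC=net', 'jdoe'),
    ('CN=jsmith,OU=Users1,DC=Subdomain,DC=Domain,DC=net', 'jsmith'),
    ('CN=Ann Lee,OU=Users2,DC=Subdomain,DC=Domain,DC=net', 'alee'),
]


def template_bind_dn_exists(template: str, username: str, directory) -> bool:
    """A template bind can only succeed if the rendered DN names an existing
    entry exactly (DN comparison is case-insensitive)."""
    dn = render_bind_dn(template, username).lower()
    return any(entry_dn.lower() == dn for entry_dn, _ in directory)


def search_then_bind_dn(base: str, username: str, directory):
    """Simulated subtree search under `base` by sAMAccountName; returns the DN
    to bind with, or None unless there is exactly one match."""
    base_l = base.lower()
    hits = [dn for dn, sam in directory
            if dn.lower().endswith(',' + base_l) and sam.lower() == username.lower()]
    return hits[0] if len(hits) == 1 else None


if __name__ == '__main__':
    tmpl = 'CN={user.name},OU=Users1,DC=Subdomain,DC=Domain,DC=net'
    base = 'DC=Subdomain,DC=Domain,DC=net'
    for user in ('jsmith', 'jdoe', 'alee', 'x,OU=Admins'):
        print(user, '->', render_bind_dn(tmpl, user),
              '| template bind:', template_bind_dn_exists(tmpl, user, SAMPLE_DIRECTORY),
              '| search:', search_then_bind_dn(base, user, SAMPLE_DIRECTORY))
```

Run stand-alone, the script shows jsmith succeeding with the template (CN equals the logon name), jdoe failing because the CN is "John Doe", alee failing because the template is pinned to Users1, and the search-then-bind finding both jdoe and alee under the domain base. The search-then-bind path is what the last post is asking for, and it is also the one that needs the separate bind account the second poster describes.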