Thanks, John, for helping me check this issue.<br><br>I just ran tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the log on stdout and in the log file. I can't see any suspicious log information here. I paste the log below:<br>
<br><br>Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet<br>Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23<br>Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=<span style="color: rgb(255, 0, 0);">mykey</span><br>
Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1<br>Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)<br>Sat Nov 21 22:28:27 2009 [3393]: End header<br>
Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT<br>Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)<br>Sat Nov 21 22:28:27 2009 [3393]: flags=0x0<br>Sat Nov 21 22:28:27 2009 [3393]: User msg:<br>
Sat Nov 21 22:28:27 2009 [3393]: <span style="color: rgb(255, 0, 0);">myusername</span><br>Sat Nov 21 22:28:27 2009 [3393]: User data:<br>Sat Nov 21 22:28:27 2009 [3393]: End packet<br>Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn<br>
Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function<br>Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28<br>Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=<span style="color: rgb(255, 0, 0);">mykey</span><br>
Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1<br>Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)<br>Sat Nov 21 22:28:27 2009 [3393]: End header<br>
Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1<br>Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0<br>Sat Nov 21 22:28:27 2009 [3393]: msg:<br>Sat Nov 21 22:28:27 2009 [3393]: Password:<br>
Sat Nov 21 22:28:27 2009 [3393]: data:<br>Sat Nov 21 22:28:27 2009 [3393]: End packet<br>Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet<br>Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30<br>Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=metro<br>
Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1<br>Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)<br>Sat Nov 21 22:28:34 2009 [3393]: End header<br>
Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT<br>Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)<br>Sat Nov 21 22:28:34 2009 [3393]: flags=0x0<br>Sat Nov 21 22:28:34 2009 [3393]: User msg:<br>
Sat Nov 21 22:28:34 2009 [3393]: <span style="color: rgb(255, 0, 0);">mypassword</span><br>Sat Nov 21 22:28:34 2009 [3393]: User data:<br>Sat Nov 21 22:28:34 2009 [3393]: End packet<br>Sat Nov 21 22:28:36 2009 [3393]: login query for '<span style="color: rgb(255, 0, 0);">myusername</span>' tty0 from 10.1.69.89 rejected<br>Sat Nov 21 22:28:36 2009 [3393]: login failure: <span style="color: rgb(255, 0, 0);">myusername </span>10.1.69.89 (10.1.69.89) tty0<br>Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18<br>Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=<span style="color: rgb(255, 0, 0);">mykey</span><br>
Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1<br>Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)<br>Sat Nov 21 22:28:36 2009 [3393]: End header<br>
Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0<br>Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0<br>Sat Nov 21 22:28:36 2009 [3393]: msg:<br>Sat Nov 21 22:28:36 2009 [3393]: data:<br>
Sat Nov 21 22:28:36 2009 [3393]: End packet<br>Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect<br><br><br><br><div class="gmail_quote">On Mon, Nov 23, 2009 at 12:23 PM, john heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:<br>
<div class="im">> Hi Adam,<br>
><br>
> If the ldapsearch -D "" -w "" runs successfully, what are we supposed to get<br>
> from the output? I just got all of the user information in that group. Does<br>
> that mean my password and username were authenticated successfully against<br>
> AD?<br>
><br>
> This thing drives me crazy. I need to solve it this week, before the<br>
> holiday...<br>
<br>
</div>I haven't followed this thread, as I know nearly zero about LDAP. But<br>
have you enabled authentication debugging in the tacacs daemon and<br>
checked the logs to determine what is coming back from PAM? It very<br>
well may be that the LDAP client is working just fine, but there is a<br>
PAM module bug or a bug in the tacplus daemon, or your device<br>
simply doesn't like something about the replies.<br>
<div><div></div><div class="h5"><br>
> Thanks a lot for the help.<br>
><br>
> Lou<br>
><br>
> On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <<a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>> wrote:<br>
><br>
> > Still no clue how to turn on the log. Binding seems good. See my findings<br>
> > below. Thanks a lot.<br>
> ><br>
> > On Thu, Nov 19, 2009 at 9:26 PM, adam <<a href="mailto:prozaconstilts@gmail.com">prozaconstilts@gmail.com</a>> wrote:<br>
> ><br>
> >> Hailu Meng wrote:<br>
> >><br>
> >>> Adam,<br>
> >>><br>
> >>> I tried su - "userid" on my tacacs+ server, but I don't have that<br>
> >>> userid in CentOS. So CentOS just doesn't let me log in. I think this will<br>
> >>> not ask the tacacs server to authenticate against AD.<br>
> >>><br>
> >><br>
> >> You shouldn't need to define the user in CentOS; that's the point<br>
> >> of using ldap for authentication. The user is defined in ldap, not in<br>
> >> CentOS. Now that I think about it, su - <user> probably wouldn't work<br>
> >> anyway, as AD doesn't by default have the data needed by a linux box to<br>
> >> allow login...but see below for more options.<br>
> >><br>
> >><br>
> >><br>
> >>> Is there any other way to test ldap authentication against AD with the<br>
> >>> userid in AD? I tried ldapsearch. It did find my user id without problem.<br>
> >>> But I haven't found any option to try with password and authenticate against<br>
> >>> AD.<br>
> >>><br>
> >><br>
> >> Try using -D:<br>
> >><br>
> >> from `man ldapsearch`:<br>
> >><br>
> >> -D binddn<br>
> >> Use the Distinguished Name binddn to bind to the LDAP directory.<br>
> >><br>
> >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate<br>
> >> using whatever user you want to define. Just check and double check you get<br>
> >> the right path in that dn.<br>
> >><br>
> >><br>
> >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of<br>
> > users' information. Does that mean it was successful?<br>
> ><br>
> ><br>
> >> Do you have an ldap server set up, or only the openldap library and openldap<br>
> >>> client? I don't understand why the log is not turned on. There must be some<br>
> >>> debugging info in the log which can help solve this issue.<br>
> >>><br>
> >><br>
> >> only the libs and client. You should not need the server. In the<br>
> >> ldapsearch, you can use -d <integer> to get debugging info for that search.<br>
> >> As before, higher number = more debug<br>
> >><br>
> >><br>
> >> If the user can authenticate, does ethereal capture some packets about<br>
> >>> password verification? Right now I only see the packets when ldap search for<br>
> >>> my user id and gets results back from AD.<br>
> >>><br>
> >><br>
> >> Ethereal should catch all data flowing between the client and server. If<br>
> >> you can search out the user in your AD right now, then one of two things is<br>
> >> happening:<br>
> >><br>
> >> 1. You are performing anonymous searches. In this case, no username and pw<br>
> >> are provided, and your AD is happy to hand over info to anyone who asks for<br>
> >> it. If this is the case, you will _not_ see authentication information. The<br>
> >> following MS KB article should probably help you determine on your AD if<br>
> >> anonymous queries are allowed:<br>
> >><br>
> >> <a href="http://support.microsoft.com/kb/320528" target="_blank">http://support.microsoft.com/kb/320528</a><br>
> >><br>
> >> It has exact instructions for how to get it going, but you can follow<br>
> >> along with it to check your current settings without making any changes.<br>
> >><br>
> ><br>
> > I checked our setting. The permission type for a normal user is "Read & Execute".<br>
> > I clicked edit to check the details of the permission. I think it only allows the<br>
> > user to read the attributes, permissions and so on, and can't modify the<br>
> > AD. The "Everyone" entry is also set to "Read & Execute". By the way,<br>
> > the AD is Win2003 R2.<br>
> ><br>
> ><br>
> >><br>
> >> 2. Authentication is happening. It will be the _very_ first thing the<br>
> >> client and server perform, after basic connection establishment. Look for it<br>
> >> at the very beginning of a dump.<br>
> >><br>
> >><br>
> >><br>
> >> Also, it's a bit overkill, but the following article is extremely<br>
> >> informative about all the different ways you can plug linux into AD for<br>
> >> authentication. It might offer some hints...<br>
> >><br>
> >><br>
> >><br>
> >><br>
> >>> Maybe I need to dig into ldap.conf more. If you have any idea, let me know.<br>
> >>><br>
> >>> Thank you very much.<br>
> >>><br>
> >>> Lou<br>
> >>><br>
> >><br>
> >><br>
> >><br>
> ><br>
</div></div>
<div class="im">> _______________________________________________<br>
> tac_plus mailing list<br>
> <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
</div><div><div></div><div class="h5">> <a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</div></div></blockquote></div><br>
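What the -d256 log at the top of this message actually establishes, as an added example that is not part of the original post and not code from tac_plus: the script below reconstructs the authentication exchange from the debug output and separates a transport or shared-key problem from a rejection by the authentication backend. It assumes only the line formats visible in the post (the `Read`/`Writing` lines, `user_msg_len`/`msg_len`, `User msg:`/`msg:` followed by the payload line, and the `login query ... rejected` line); SAMPLE_LOG is cut down from the posted log, with the poster's `mykey`/`myusername`/`mypassword` placeholders. The script also lists the fields that -d256 writes to the log in clear (the shared key on every `PACKET: key=` line and the password answered to the GETPASS prompt), which is why the poster had to redact before sharing.

```python
"""Reconstruct the TACACS+ authentication exchange from tac_plus -d256 output.

Added example for this thread, not code from the post or from tac_plus.
SAMPLE_LOG is cut down from the log in the post; mykey, myusername,
mypassword, the timestamps and the pid are the poster's placeholders.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} \[\d+\]: (?P<msg>.*)$")
PKT_RE = re.compile(r"^(?P<dir>Read|Writing) (?P<op>AUTHEN/\w+) size=\d+$")
LEN_RE = re.compile(r"^(?:user_msg_len (?P<a>\d+)|msg_len=(?P<b>\d+))")
KEY_RE = re.compile(r"^PACKET: key=(?P<key>.*)$")
QUERY_RE = re.compile(r"^login query for '(?P<user>[^']*)' \S+ from (?P<nas>\S+) (?P<verdict>\w+)$")


@dataclass
class Packet:
    direction: str      # "Read" = from the NAS, "Writing" = to the NAS
    op: str             # AUTHEN/CONT, AUTHEN/GETPASS, AUTHEN/FAIL, ...
    msg_len: int = 0    # length of the "User msg:" / "msg:" payload


@dataclass
class Session:
    packets: list = field(default_factory=list)
    user: str = ""
    nas: str = ""
    verdict: str = ""   # last word of the "login query ..." line ("rejected" in the post)
    exposed: dict = field(default_factory=dict)   # secrets the debug log prints in clear


def parse_tac_plus_debug(text):
    """Build a Session from the -d256 lines of one authentication."""
    s, pkt, want_payload, want_password = Session(), None, False, False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if want_payload:                      # the line after "User msg:" / "msg:"
            want_payload = False
            if pkt.direction == "Read" and pkt.op == "AUTHEN/CONT":
                if want_password:             # this CONT answers the GETPASS we wrote
                    s.exposed["password"], want_password = msg, False
                elif not s.user:
                    s.user = msg
        elif (p := PKT_RE.match(msg)):
            pkt = Packet(p.group("dir"), p.group("op"))
            s.packets.append(pkt)
            want_password |= pkt.direction == "Writing" and pkt.op == "AUTHEN/GETPASS"
        elif (k := KEY_RE.match(msg)):
            s.exposed["key"] = k.group("key")  # -d256 writes the shared secret to the log
        elif pkt and (n := LEN_RE.match(msg)):
            pkt.msg_len = int(n.group("a") or n.group("b"))
        elif pkt and msg in ("User msg:", "msg:"):
            want_payload = pkt.msg_len > 0    # msg_len=0: no payload line follows
        elif (v := QUERY_RE.match(msg)):
            s.user, s.nas, s.verdict = v.group("user"), v.group("nas"), v.group("verdict")
    return s


def diagnose(s):
    """Say which side produced the outcome, so the right component gets debugged."""
    ops = [(p.direction, p.op) for p in s.packets]
    if ("Writing", "AUTHEN/GETPASS") not in ops:
        return "no password prompt written: the exchange never got past the username stage"
    if ("Read", "AUTHEN/CONT") not in ops[ops.index(("Writing", "AUTHEN/GETPASS")) + 1:]:
        return "password prompt sent but no CONT came back: look at the NAS or the transport"
    if s.verdict == "rejected" or ("Writing", "AUTHEN/FAIL") in ops:
        return "backend rejected: the daemon decoded every packet and had the password, so debug PAM/LDAP, not the key or the NAS"
    return "backend accepted" if s.verdict else "password received but the log ends without a verdict"


SAMPLE_LOG = """\
Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
Sat Nov 21 22:28:27 2009 [3393]: User msg:
Sat Nov 21 22:28:27 2009 [3393]: myusername
Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
Sat Nov 21 22:28:27 2009 [3393]: msg:
Sat Nov 21 22:28:27 2009 [3393]: Password:
Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
Sat Nov 21 22:28:34 2009 [3393]: User msg:
Sat Nov 21 22:28:34 2009 [3393]: mypassword
Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
Sat Nov 21 22:28:36 2009 [3393]: msg:
"""

if __name__ == "__main__":
    sess = parse_tac_plus_debug(SAMPLE_LOG)
    print(diagnose(sess))
    print("written to the log in clear:", sorted(sess.exposed))
```

Two things the posted log shows that the script leans on: the GETPASS reply carries `flags=0x1`, which in the TACACS+ authentication REPLY is the NOECHO flag telling the NAS not to echo the input, so the prompt really was for a password; and the sequence Read CONT, Write GETPASS, Read CONT, `login query ... rejected`, Write FAIL means every packet was decoded with the configured key and the credentials reached `default_fn`, so the failure belongs to whatever that authentication function calls, not to the device or the shared key. Treat a -d256 log as sensitive: it contains the shared key and the user's password verbatim.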
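On the ldapsearch question in the quoted part of the thread (whether a bind with -D "" -w "" that returns a directory listing proves the credentials were checked), here is an added example, not from the post and not OpenLDAP's or AD's code: it hand-encodes an LDAPv3 simple BindRequest, decodes the BindResponse, and classifies what a resultCode of 0 proves, following RFC 4513 section 5.1 (empty name and empty password is an anonymous bind; a name with an empty password is the "unauthenticated" mechanism, which servers should reject by default and which, where accepted, grants only anonymous access). The DN `cn=username,ou=my_ou,dc=my_dc` is the thread's placeholder, the two server responses are constructed here rather than captured from an AD, and `simple_bind()` is the live helper for a real test; it is not exercised offline.

```python
"""LDAPv3 simple bind, hand-encoded, to show what a bind result proves.

Added example for this thread, not code from the post or from OpenLDAP.
The DN below is the thread's placeholder; the two server responses are
constructed here, not captured from an AD.
"""
import socket
import ssl

PLACEHOLDER_DN = "cn=username,ou=my_ou,dc=my_dc"   # from the thread, not a real DN
INVALID_CREDENTIALS = 49                            # LDAP resultCode invalidCredentials


def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    if not 0 < msg_id < 0x80:
        raise ValueError("example keeps messageID to a single INTEGER byte")
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))   # 0x60 = [APPLICATION 0]


def encode_bind_response(msg_id, result_code, matched_dn="", diagnostic=""):
    """BindResponse [APPLICATION 1]: resultCode ENUMERATED, matchedDN, diagnosticMessage."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, matched_dn.encode()) + tlv(0x04, diagnostic.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x61, body))


def decode_bind_response(data):
    """Return (messageID, resultCode, matchedDN, diagnosticMessage)."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(body)
    _, matched, pos = read_tlv(body, pos)
    _, diag, _ = read_tlv(body, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), matched.decode(), diag.decode(errors="replace")


def bind_outcome(dn, password, result_code):
    """What a success result proves, following RFC 4513 section 5.1."""
    if result_code != 0:
        return "failed"
    if not dn and not password:
        return "anonymous"          # 5.1.1: nothing about the user was checked
    if not password:
        return "unauthenticated"    # 5.1.2: DN with empty password; no credential was checked
    return "authenticated"


def simple_bind(host, dn, password, port=636, use_tls=True, msg_id=1):
    """Live helper (not run offline): one BindRequest, returns (resultCode, diagnostic).
    Over plain TCP/389 the password crosses the wire in clear, which is exactly
    what an Ethereal capture of the bind would show."""
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(encode_simple_bind(msg_id, dn, password))
        data = sock.recv(4096)       # a BindResponse is far smaller than one read
    rid, code, _, diag = decode_bind_response(data)
    if rid != msg_id:
        raise ValueError("messageID mismatch")
    return code, diag


# Constructed responses standing in for what a directory would send back.
ANON_OK = encode_bind_response(1, 0)
BAD_PASSWORD = encode_bind_response(2, INVALID_CREDENTIALS, "", "constructed: invalid credentials")

if __name__ == "__main__":
    for dn, pw, resp in [("", "", ANON_OK), (PLACEHOLDER_DN, "wrong", BAD_PASSWORD)]:
        _, code, _, diag = decode_bind_response(resp)
        print(f"bind {dn!r}: resultCode={code} -> {bind_outcome(dn, pw, code)} {diag}")
```

The practical check for the thread's situation is the same whether you use this helper or ldapsearch: pass a real DN with -D, the real password with -w, and treat the test as passed only when the bind result is 0; then repeat with a deliberately wrong password and confirm you get resultCode 49. A search that returns entries after an empty or password-less bind only shows that the directory permits anonymous reads, which matches the "Everyone: Read & Execute" setting described earlier in the thread.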