From sparks at telerama.com Mon May 1 12:00:24 2006
From: sparks at telerama.com (sparks)
Date: Mon, 1 May 2006 15:00:24 -0400 (EDT)
Subject: [NoCat] Nocat+Radius
Message-ID: <20060501143658.I63951@zaxxon.telerama.com>

I am trying to implement Radius in my nocat network. I have nocatauth, radius and mysql installed, but when I try to log in I get "invalid login".

This is my nocat log:
---
Mon May 1 14:52:21 2006 cgi-bin/login
[2006-05-01 14:52:21] User sparks from 205.201.29.33 requests form
BUTT = login
key = gateway, value = 192.231.221.1:5280
key = gatewayname, value = nocatdevel
key = logourl, value = https://auth.wireless.telerama.com/images/logo-telerama-city.jpg
key = mac, value =
key = mode, value = login
key = new_state, value = login
key = pass, value =
key = redirect, value = http://www.google.com/firefox
key = siteurl, value = http://www.telerama.com
key = timeout, value = 14400
key = token, value =
key = user, value = sparks
[2006-05-01 14:52:21] Connecting to RADIUS server 127.0.0.1 with Timeout 10
[2006-05-01 14:52:21] Got a good connection to RADIUS server 127.0.0.1
[2006-05-01 14:52:21] Radius: received packet is NOT defined
[2006-05-01 14:52:21] Out of servers to try

and my radius log:

May 01 14:52:21 Auth.notice: Login incorrect [sparks at wireless.telerama.com/p]S]

Thanks for any help in advance,
mike

From kyleena at tele2.it Wed May 3 07:40:15 2006
From: kyleena at tele2.it (kyleena at tele2.it)
Date: Wed, 03 May 2006 16:40:15 +0200
Subject: [NoCat] Bandwidth throttling - anyone made it work?
Message-ID:

Hi all again,

I'm trying to throttle my bandwidth but it doesn't seem to work. I read all the mail about that in this mailing list, and I made everything you suggested - making throttle.fw executable, loading all needed kernel modules... but it doesn't work at all. I would like to know if any of you can make the magic, or suggest how I can get help.
Thank you very much,
Monica

From kyleena at tele2.it Wed May 3 09:57:44 2006
From: kyleena at tele2.it (kyleena at tele2.it)
Date: Wed, 03 May 2006 18:57:44 +0200
Subject: [NoCat] Bandwidth throttling problem (big problem)
Message-ID:

Hi all again,

I'm trying to throttle my bandwidth but it doesn't seem to work. I read all the mails about that in this mailing list, and I made everything you suggested - making throttle.fw executable, loading all needed kernel modules... but it doesn't work at all. I would like to know if any of you can make the magic, or suggest how I can get help.

Thank you very much,
Monica

From kyleena at tele2.it Thu May 11 07:08:59 2006
From: kyleena at tele2.it (kyleena at tele2.it)
Date: Thu, 11 May 2006 16:08:59 +0200
Subject: [NoCat] Strange problem with Radius
Message-ID:

Hi all,

I'm here again with a strange problem. I hadn't found anything similar in this archive...

I'm running the NoCatAuth gateway and server on two separate machines. The version is the nightly one. The server's IP is 172.16.10.123. The external interface of the gateway is 172.16.10.100, and the internal interface (which clients are connected to) is 10.0.0.1.

Everything works fine with file-based authorization. But my need is to run a RADIUS server with Postgresql. I found the Pogozone patch and I applied it (even if I don't understand whether it must be applied only on the gateway or on both server and gateway...).

Now, the problem... It seems that Radius works fine.
When I run radiusd -X and a client tries to authenticate, I have this output:

*****************RADIUS OUTPUT********************************
**************************************************************
rad_recv: Access-Request packet from host 127.0.0.1:32833, id=124, length=46
        User-Name = "monica"
        User-Password = "monica"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "monica", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
radius_xlat: 'monica'
rlm_sql (sql): sql_set_user escaped user --> 'monica'
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'monica' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'monica' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'monica' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'monica' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'monica' ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'monica' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'monica' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'monica' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 3
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "noresetcounter" returns noop for request 3
modcall: leaving group authorize (returns ok) for request 3
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [monica/monica] (from client localhost port 0)
Sending Access-Accept of id 124 to 127.0.0.1 port 32833
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 124 with timestamp 44633e91
Nothing to do. Sleeping until we see a request.
********END OF RADIUS OUTPUT****************************
********************************************************

I am not very smart with Radius, but it seems to be sending an Access-Accept, isn't it? But my client sees a "Sorry, your session has expired" message, and it is redirected to the login page again.
I found this error in my gateway nocat.log:

*************NOCAT.LOG*********************************
*******************************************************
[2006-05-11 15:36:41] Connection to 172.16.10.100 from 172.16.10.123
[2006-05-11 15:36:41] Spawning child process 7284.
[2006-05-11 15:36:41] Received notify from 172.16.10.123
[2006-05-11 15:36:41] Missing notify from 172.16.10.123
[2006-05-11 15:36:41] Capturing 172.16.10.123 for http://172.16.10.100:528010.0.0.30
[2006-05-11 15:36:41] Notifying parent of Capture on peer 172.16.10.123
[2006-05-11 15:36:41] Got notification Capture of peer 172.16.10.123
[2006-05-11 15:36:41] Child process returned 1
[2006-05-11 15:36:47] Connection to 10.0.0.1 from 10.0.0.30
[2006-05-11 15:36:47] Capturing 10.0.0.30 for http://www.google.it/
[2006-05-11 15:36:47] Notifying parent of Capture on peer 10.0.0.30
[2006-05-11 15:36:47] Spawning child process 7285.
[2006-05-11 15:36:47] Got notification Capture of peer 10.0.0.30
[2006-05-11 15:36:47] Child process returned 1
******END OF NOCAT.LOG**********************************
********************************************************

It seems that it concatenates the LocalGateway's IP and the client's IP!!

And finally, this is my Apache ssl_error_log:

************APACHE LOG**********************************
********************************************************
[Thu May 11 16:02:34 2006] [error] [client 172.16.10.100] [2006-05-11 16:02:34] User monica from 172.16.10.100 requests form, referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=10%2e0%2e0%2e30&token=%241%2454466498%24C8cywEtMUbwuuxZxdACFz%2f
[Thu May 11 16:02:34 2006] [error] [client 172.16.10.100] [2006-05-11 16:02:34] Use of uninitialized value in concatenation (.) or string at ../lib//NoCat/Source/RADIUS.pm line 46, line 1., referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=10%2e0%2e0%2e30&token=%241%2454466498%24C8cywEtMUbwuuxZxdACFz%2f
[Thu May 11 16:02:34 2006] [error] [client 172.16.10.100] [2006-05-11 16:02:34] Connecting to RADIUS server localhost:1812 with Timeout , referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=10%2e0%2e0%2e30&token=%241%2454466498%24C8cywEtMUbwuuxZxdACFz%2f
[Thu May 11 16:02:34 2006] [error] [client 172.16.10.100] [2006-05-11 16:02:34] Request from local ip 172.16.10.100, directing to local gateway 172.16.10.100:5280., referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=10%2e0%2e0%2e30&token=%241%2454466498%24C8cywEtMUbwuuxZxdACFz%2f
[Thu May 11 16:02:34 2006] [error] [client 172.16.10.100] [2006-05-11 16:02:34] Gateway returned 302 (Moved ) for 10.0.0.30., referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=10%2e0%2e0%2e30&token=%241%2454466498%24C8cywEtMUbwuuxZxdACFz%2f
[Thu May 11 16:02:34 2006] [error] [client 172.16.10.100] [2006-05-11 16:02:34] Request from local ip 172.16.10.100, directing to local gateway 172.16.10.100:5280., referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=10%2e0%2e0%2e30&token=%241%2454466498%24C8cywEtMUbwuuxZxdACFz%2f
[Thu May 11 16:02:40 2006] [error] [client 172.16.10.100] [2006-05-11 16:02:40] User UNKNOWN from 172.16.10.100 requests form
***************END OF APACHE LOG**********************************
******************************************************************

The strange line for me is "Request from local ip 172.16.10.100, directing to local gateway 172.16.10.100:5280". I think that the local ip would be the client's one, but it sees the gateway's one.
I have no idea how to find the bug!! Please help me... thanks!

Monica

From kyleena at tele2.it Thu May 11 09:59:02 2006
From: kyleena at tele2.it (kyleena at tele2.it)
Date: Thu, 11 May 2006 18:59:02 +0200
Subject: [NoCat] Strange problem with Radius - yet
Message-ID:

Hi, sorry for replying to myself.

Many of my errors were because I patched both server and gateway. Now I have rebuilt the server and something seems to go better... theoretically. Initially I had a different error, but I found that the Gnupg versions didn't match. Now that problem is solved... and again the client sees the session expired message.

My ssl_error_log is:

[Thu May 11 18:57:23 2006] [error] [client 172.16.10.100] [2006-05-11 18:57:23] User monica from 172.16.10.100 requests form, referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=00%3a10%3aA7%3a0A%3a61%3a62&token=%241%2482374486%24DddaQjlbq%2eLPoYCz1XCCC%2e
[Thu May 11 18:57:23 2006] [error] [client 172.16.10.100] [2006-05-11 18:57:23] Connecting to RADIUS server localhost:1812 with Timeout 5, referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=00%3a10%3aA7%3a0A%3a61%3a62&token=%241%2482374486%24DddaQjlbq%2eLPoYCz1XCCC%2e
[Thu May 11 18:57:23 2006] [error] [client 172.16.10.100] [2006-05-11 18:57:23] Gateway returned 302 (Moved ) for 00:10:A7:0A:61:62., referer: https://172.16.10.123/cgi-bin/login?redirect=http%3a%2f%2fwww%2egoogle%2eit%2f&timeout=300&gateway=&mac=00%3a10%3aA7%3a0A%3a61%3a62&token=%241%2482374486%24DddaQjlbq%2eLPoYCz1XCCC%2e
[Thu May 11 18:57:29 2006] [error] [client 172.16.10.100] [2006-05-11 18:57:29] User UNKNOWN from 172.16.10.100 requests form

It seems a Radius problem. Radius seems to send an Access-Accept. The strange message is that "Gateway returned 302 (Moved)".

Please... help me
Monica

From jeha at zolid.dk Mon May 22 06:35:29 2006
From: jeha at zolid.dk (Jesper Haggren, Zolid)
Date: Mon, 22 May 2006 15:35:29 +0200
Subject: [NoCat] LDAP and NoCat, nearly working..
Message-ID: <4471BE21.9010502@zolid.dk>

Hi NoCat list,

I have a working NoCatAuth setup running with "DataSource = Passwd" - the last thing I would like to get working is for nocat to use my existing Windows 2003 Server Active Directory for the authorization part.

I tried both with nocat 0.82 and with the ACTARES-fork. Both auth-servers are still running. Here's my scenario:

I have a nocat-gateway called gw-srv1:

ETH0, 172.16.1.1: (running DHCP, DNS and so on).
ETH1, 192.168.1.3

Then I have 2 Auth-servers (one with 0.82 and one with the ACTARES-fork). Currently I use the one with the ACTARES-fork:

ath-srv1, ETH0 192.168.1.4 (ACTARES-fork)
ath-srv2, ETH0 192.168.1.5 (0.82)

Both work fine in DataSource=Passwd mode.

Then I have my Windows 2003 Domain controller, fil-srv2 (fil-srv2.sgu.dom):

ETH0, 192.168.1.11 (windows AD).

-----------

The only thing I want is for the AUTH-server to be able to validate a wireless user by looking at my Windows AD server. All users who are allowed to access the Internet from the wireless network are located in an OU called "sguPublicUsers".

I have no use for manipulating users/data through the nocat-admintool. All user setup will be done on the Windows server.

I can't get this to work, and the main problem is in fact that I have no log file telling me what is wrong - when a user called "ji" tries to log on using his email address (as described in the nocat.conf), which is ji at sgu.dom (my AD domain is called sgu.dom), the nocat gateway returns: "That email address is unknown. Please try again".

All packages should be in place (Net::LDAP and IO::Socket::SSL and so on..). My authserver nocat.conf file is located below.

Thanks in advance!
Jesper Haggren
Partner, System Developer
Zolid
---------------------
Bjergbygade 1A
DK-4200 Slagelse
Tel +45 70 20 91 13
Mobile +45 61 33 08 49
E-mail: jeha at zolid.dk
www: http://zolid.dk
------------

###### BEGIN "nocat.conf" (NOCAT-AUTHSERVER)

###### GENERAL SETTINGS ######
Verbosity           8
GatewayLog          /usr/local/nocat/nocat.log
##############################

###### AUTHSERVER SETTINGS ######
HomePage            http://nocat.slagelse-gym.dk
DocumentRoot        /usr/local/nocat/htdocs
#################################

###### AUTHENTICATION SETTINGS ######
###### ( LDAP requires Net::LDAP and IO::Socket::SSL ) ######
DataSource          LDAP
UserFile            /usr/local/nocat/etc/passwd
GroupUserFile       /usr/local/nocat/etc/group
GroupAdminFile      /usr/local/nocat/etc/groupadm

# DataSource LDAP
# LDAP_Host            - Hostname or IP Address of LDAP directory
# LDAP_Base            - LDAP container for searching and creating users
# LDAP_Admin_User      - Fully distinguished name of administrative user
#                        (*MUST* be able to create users in specified container)
# LDAP_Admin_PW        - Administrator user's password
# LDAP_Hash_Passwords  - Whether passwords are to be MD5 hashed by NOCAT
# LDAP_Filter          - Attribute name containing user's ID (emailAddress)
# LDAP_PasswdField     - Attribute name containing user's password
# LDAP_StampField      - Attribute name containing user's creation timestamp
# LDAP_ModifyField     - Attribute name containing user's modification timestamp
# LDAP_CNField         - Attribute name containing user's common name
#                        (which typically is the first part of the user's emailAddress)
#                        NOTE: This attribute is NOT really useful and *SHOULD* be
#                        removed later...
# LDAP_NetGroupsField  - *MULTI-VALUED* attribute name containing the
#                        network groups the user belongs to
# LDAP_GroupIDField    - Attribute name containing a network group's name
# LDAP_GroupAdminField - Attribute name containing a network group's
#                        administratorID (emailAddress)
# LDAP_nocatUser_OC    - NOCAT user's objectclass (see "nocat.schema")
# LDAP_nocatGroup_OC   - NOCAT group's objectclass (see "nocat.schema")
#
# This version of LDAP.pm has been tested against OpenLDAP 2.1.25 (with AES
# encryption patches).
# The login "ID" is the user's email address.
# Everything is stored in the LDAP directory using the "nocat.schema" under "LDAP_Base".
# Nocat USERS are stored as "nocatUser" objectclasses.
# Nocat GROUPS are stored as "nocatGroups" objectclasses.
LDAP_Host            fil-srv2.sgu.dom
LDAP_Base            ou=sguPublicUsers,dc=sgu,dc=dom
LDAP_Admin_User      cn=admin,dc=sgu,dc=dom
LDAP_Admin_PW        ******
LDAP_Hash_Passwords  No
LDAP_Filter          mail
#### ...ONLY CHANGE THE LDAP SETTINGS BELOW IF YOU *REALLY* KNOW WHAT YOU ARE DOING... ####
LDAP_PasswdField     userPassword
LDAP_StampField      creationDate
LDAP_ModifyField     modifyDate
LDAP_CNField         cn
LDAP_NetGroupsField  networkGroups
LDAP_GroupIDField    groupName
LDAP_GroupAdminField groupAdmin
LDAP_nocatUser_OC    nocatUser
LDAP_nocatGroup_OC   nocatGroup
#####################################

###### USER TABLE SETTINGS ######
# UserTable           **SQL-ONLY** is the name of the SQL table containing the user ID data.
# UserIDField         Name of INTERNAL NOCAT hashtable index containing user's ID (emailAddress).
# UserPasswdField     Name of INTERNAL NOCAT hashtable index containing user's password.
# UserStampField      Name of INTERNAL NOCAT hashtable index containing user's creation timestamp.
# UserModifyField     Name of INTERNAL NOCAT hashtable index containing user's modification timestamp.
# UserCNField         Name of INTERNAL NOCAT hashtable index containing user's commonname (first part of his emailAddress).
# UserNetGroupsField  Name of INTERNAL NOCAT hashtable index containing *ARRAY REFERENCE* to network groups a user belongs to.
#### ...ONLY CHANGE THE USERTABLE SETTINGS BELOW IF YOU *REALLY* KNOW WHAT YOU ARE DOING... ####
UserTable            member
UserIDField          login
UserPasswdField      pass
UserStampField       created
UserModifyField      modified
UserCNField          commonname
UserNetGroupsField   networkGroups
#################################

###### GROUP TABLE SETTINGS ######
# GroupTable          **SQL-ONLY** is the name of the SQL table containing the group ID data.
# GroupIDField        Name of INTERNAL NOCAT hashtable index containing group ID (group name).
# GroupAdminField     Name of INTERNAL NOCAT hashtable index containing group administrator's ID (emailAddress).
#### ...ONLY CHANGE THE GROUPTABLE SETTINGS BELOW IF YOU *REALLY* KNOW WHAT YOU ARE DOING... ####
GroupTable           network
GroupIDField         network
GroupAdminField      admin
##################################

######### WEB APPLICATION SETTINGS ######
MinPasswdLength      6
######################################

###### GPG SETTINGS ######
#PGPKeyPath          /usr/local/nocat/pgp
#GpgPath             /usr/local/bin/gpg
#MessageSign         $GpgPath --clearsign --homedir=$PGPKeyPath -o-
##########################

###### NETWORK SETTINGS ######
###### (Net::Netmask is required) ######
#LocalGateway        wifigate.company.lan
#LocalNetwork        172.16.10.0/24
#LocalGateway        192.168.1.3
##############################

###### TEMPLATE NAMES ######
LoginForm            login-no-skip.html
LoginOKForm          login_ok.html
FatalForm            fatal.html
ExpiredForm          expired.html
RenewForm            renew.html
PassiveRenewForm     renew_pasv.html
RegisterForm         register.html
RegisterOKForm       register_ok.html
RegisterFields       name url description
UpdateForm           update.html
UpdateFields         url description
############################

###### USER MESSAGES ######
LoginGreeting        Greetings! Welcome to the NOCAT NETWORK.
LoginMissing         Please fill in all fields!
LoginBadUser         That e-mail address is unknown. Please try again.
LoginBadPass         That e-mail and password do not match. Please try again.
LoginBadStatus       Sorry, you are not a registered co-op member.
RegisterGreeting     Welcome! Please enter the following information to register.
RegisterMissing      Name, E-mail, and password fields must be filled in.
RegisterUserExists   Sorry, that e-mail address is already taken. Are you already registered?
RegisterBadUser      The e-mail address provided appears to be invalid. Did you spell it correctly?
RegisterInvalidPass  All passwords must be at least six characters long.
RegisterPassNoMatch  The passwords you provided do not match. Please try again.
RegisterSuccess      Congratulations, you have successfully registered.
UpdateGreeting       Enter your E-mail and password to update your info.
UpdateBadUser        That e-mail address is unknown. Please try again.
UpdateBadPass        That e-mail and password do not match. Please try again.
UpdateInvalidPass    New passwords must be at least six characters long.
UpdatePassNoMatch    The new passwords you provided do not match. Please try again.
UpdateSuccess        Congratulations, you have successfully updated your account.
###########################
###### END OF "nocat.conf" (NOCAT-AUTHSERVER)

From alain at ait.ac.th Mon May 22 18:51:18 2006
From: alain at ait.ac.th (Alain Fauconnet)
Date: Tue, 23 May 2006 08:51:18 +0700
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <4471BE21.9010502@zolid.dk>
References: <4471BE21.9010502@zolid.dk>
Message-ID: <20060523015118.GB32032@ait.ac.th>

Hello Jesper,

On Mon, May 22, 2006 at 03:35:29PM +0200, Jesper Haggren, Zolid wrote:
> Hi NoCat list,
>
> I have a working NoCatAuth setup running with "DataSource = Passwd" -
> the last thing I would like to get working is for nocat to use my
> existing Windows 2003 Server Active Directory for the authorization part.
>
> I tried both with nocat 0.82 and with the ACTARES-fork. Both
> auth-servers are still running. Here's my scenario:
>
> I have a nocat-gateway called gw-srv1:
>
> ETH0, 172.16.1.1: (running DHCP, DNS and so on).
> ETH1, 192.168.1.3
>
>
> Then I have 2 Auth-servers (one with 0.82 and one with the
> ACTARES-fork). Currently I use the one with the ACTARES-fork:
>
> ath-srv1, ETH0 192.168.1.4 (ACTARES-fork)
> ath-srv2, ETH0 192.168.1.5 (0.82)
>
> Both work fine in DataSource=Passwd mode.
>
> Then I have my Windows 2003 Domain controller, fil-srv2 (fil-srv2.sgu.dom):
>
> ETH0, 192.168.1.11 (windows AD).
>
> -----------
>
> The only thing I want is for the AUTH-server to be able to validate a
> wireless user by looking at my Windows AD server. All users who are
> allowed to access the Internet from the wireless network are located in
> an OU called "sguPublicUsers".
>
> I have no use for manipulating users/data through the nocat-admintool.
> All user setup will be done on the Windows server.
>
> I can't get this to work, and the main problem is in fact that I have no
> log file telling me what is wrong - when a user called "ji" tries to
> log on using his email address (as described in the nocat.conf) which is
> ji at sgu.dom (my AD domain is called sgu.dom) the nocat gateway returns:
> "That email address is unknown. Please try again".
>
>
> All packages should be in place (Net::LDAP and IO::Socket::SSL and so
> on..). My authserver nocat.conf file is located below.
(...rest deleted...)

I have no direct experience with NoCat using LDAP, but I may need to tackle this soon.

Anyway, in such a situation my first step would be to check if your auth gateway is actually sending LDAP requests or not, and if yes, trace these requests. Check tcpdump or, much better, [t]ethereal; run them on your auth gateway with "host ". Especially [t]ethereal will show you the LDAP requests/replies completely decoded. That should hint you.

Oh wait... IO::Socket::SSL... of course if all your LDAP traffic goes over SSL this is a dead end. I'm not much familiar with Windows AD (I use OpenLDAP) but is there any way to have the LDAP requests go unencrypted during the troubleshooting? If not, ouch.
Well, at least you can see if there's *any* traffic going on between the two boxes. Maybe NoCat isn't even trying to query LDAP.

Greets,
_Alain_

From jeha at zolid.dk Tue May 23 01:03:21 2006
From: jeha at zolid.dk (Jesper Haggren, Zolid)
Date: Tue, 23 May 2006 10:03:21 +0200
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <20060523015118.GB32032@ait.ac.th>
Message-ID: <000601c67e3f$5c063d30$6500000a@meek>

Alain,

Thanks for your reply. After I wrote the list yesterday I switched back to the 0.82 auth-server and actually got it working. Not so that users are authorized, but I now get some log activity on my Windows server.

The relevant portion of my conf:

DataSource            LDAP
LDAP_Host             fil-srv2.sgu.dom
LDAP_Base             ou=sguPublicUsers,ou=SGU,dc=sgu,dc=dom
LDAP_Admin_User       cn=admin,cn=users,dc=sgu,dc=dom
LDAP_Admin_PW         pen10u
LDAP_Hash_Passwords   Yes
LDAP_Search_as_Admin  Yes
LDAP_Filter           mail

I'm using a test user with the logon name "ji"; with the domain name he has a username like so: "ji at sgu.dom". This user is placed in the sguPublicUsers OU.
When my auth-server contacts the Windows server it generates 5 log entries, see them below:

ENTRY 1:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: admin
Source Workstation: FIL-SRV2
Error Code: 0x0

(this means that the user (hence admin) was logged on successfully)

ENTRY 2:
Logon attempt using explicit credentials:
Logged on user:
    User Name: FIL-SRV2$
    Domain: SGU
    Logon ID: (0x0,0x3E7)
    Logon GUID: -
User whose credentials were used:
    Target User Name: admin
    Target Domain: SGU
    Target Logon GUID: -

Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 860
Source Network Address: 192.168.1.5
Source Port: 32804

(192.168.1.5 is in fact my auth-server)

ENTRY 3:
Successful Network Logon:
User Name: admin
Domain: SGU
Logon ID: (0x0,0x907B49B)
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: FIL-SRV2
Logon GUID: -
Caller User Name: FIL-SRV2$
Caller Domain: SGU
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 860
Transited Services: -
Source Network Address: 192.168.1.5
Source Port: 32804

ENTRY 5:

(something about what credentials the user (admin) has on the server)

ENTRY 4:
User Logoff:
User Name: admin
Domain: SGU
Logon ID: (0x0,0x907B49B)
Logon Type: 3

-----------

As you see I'm nearly there. But in all 5 entries my user ji at sgu.dom is not mentioned - so something is still wrong. In fact I think entry 2 is the problem. The log entry ID states that it means something like "when a remote user tries to authorize as another user (typically when an administrator uses the RUNAS feature on a workstation)". This sounds like a way of doing it.

Does anyone have a clue?

/Jesper

-----Original message-----
From: nocat-bounces at lists.nocat.net [mailto:nocat-bounces at lists.nocat.net] On behalf of Alain Fauconnet
Sent: 23 May 2006 03:51
To: nocat at lists.nocat.net
Subject: Re: [NoCat] LDAP and NoCat, nearly working..
From nba at users.sourceforge.net Tue May 23 02:27:17 2006
From: nba at users.sourceforge.net (Niels Baggesen)
Date: Tue, 23 May 2006 11:27:17 +0200
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <000601c67e3f$5c063d30$6500000a@meek>
References: <20060523015118.GB32032@ait.ac.th> <000601c67e3f$5c063d30$6500000a@meek>
Message-ID: <20060523092717.GA1857@baggesen.mine.nu>

On Tue, May 23, 2006 at 10:03:21AM +0200, Jesper Haggren, Zolid wrote:
> As you see I'm nearly there. But in all 5 entries my user ji at sgu.dom is not mentioned - so something is still wrong. In fact I think
> entry 2 is the problem. The log entry ID states that it means something like "when a remote user tries to authorize as another user
> (typically when an administrator uses the RUNAS feature on a workstation)". This sounds like a way of doing it.

Are you sure that the search filter is correct? Does the user have a mail attribute? If the LDAP search does not find a match, it won't try to authenticate against it.
/Niels -- Niels Baggesen - @home - ?rhus - Denmark - nba at users.sourceforge.net The purpose of computing is insight, not numbers --- R W Hamming From jpugh at jpugh.org Tue May 23 05:38:19 2006 From: jpugh at jpugh.org (John Pugh) Date: Tue, 23 May 2006 08:38:19 -0400 Subject: [NoCat] LDAP and NoCat, nearly working.. In-Reply-To: <000601c67e3f$5c063d30$6500000a@meek> References: <000601c67e3f$5c063d30$6500000a@meek> Message-ID: <1148387899.8345.2.camel@z00p.zoopster.net> On Tue, 2006-05-23 at 10:03 +0200, Jesper Haggren, Zolid wrote: > Alain, > > Thanks for your reply. After I wrote the list yesterday i switched back to the 0.82 auth-server and actually got it working. Not so > that users are authorized, but I now get som log-activity on my windows-server. > > The relevant portion of my conf: > > DataSource LDAP > LDAP_Host fil-srv2.sgu.dom > LDAP_Base ou=sguPublicUsers,ou=SGU,dc=sgu,dc=dom > LDAP_Admin_User cn=admin,cn=users,dc=sgu,dc=dom > LDAP_Admin_PW pen10u > LDAP_Hash_Passwords Yes > LDAP_Search_as_Admin Yes > LDAP_Filter mail > > > I'm using a test user with the logonname "ji", with the domain-name he has a username as so: "ji at sgu.dom". This user is placed in > the sguPublicUsers OU. 
> When my auth-server contacts the windows-server it generates 5 log-entries,
> see them below:
>
> ENTRY 1:
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: admin
> Source Workstation: FIL-SRV2
> Error Code: 0x0
>
> (this means that the user (hence admin) was logged on successfully)
>
> ENTRY 2:
> Logon attempt using explicit credentials:
> Logged on user:
> User Name: FIL-SRV2$
> Domain: SGU
> Logon ID: (0x0,0x3E7)
> Logon GUID: -
> User whose credentials were used:
> Target User Name: admin
> Target Domain: SGU
> Target Logon GUID: -
> Target Server Name: localhost
> Target Server Info: localhost
> Caller Process ID: 860
> Source Network Address: 192.168.1.5
> Source Port: 32804
>
> (192.168.1.5 is in fact my auth-server)
>
> ENTRY 3:
> Successful Network Logon:
> User Name: admin
> Domain: SGU
> Logon ID: (0x0,0x907B49B)
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: FIL-SRV2
> Logon GUID: -
> Caller User Name: FIL-SRV2$
> Caller Domain: SGU
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 860
> Transited Services: -
> Source Network Address: 192.168.1.5
> Source Port: 32804
>
> ENTRY 5:
>
> (something about what credentials the user (admin) has on the server)
>
> ENTRY 4:
> User Logoff:
> User Name: admin
> Domain: SGU
> Logon ID: (0x0,0x907B49B)
> Logon Type: 3
>
> -----------
>
> As you see I'm nearly there. But in all 5 entries my user ji at sgu.dom is
> not mentioned - so something is still wrong. In fact I think entry 2 is the
> problem. The log-entry ID states that it means something like "when a
> remote user tries to authorize as another user (typically when an
> administrator uses the RUNAS feature on a workstation)". This sounds like a
> way of doing it.
>
> Does anyone have a clue?
>
> /Jesper
>
> -----Original Message-----
> From: nocat-bounces at lists.nocat.net [mailto:nocat-bounces at lists.nocat.net] On behalf of Alain Fauconnet
> Sent: 23 May 2006 03:51
> To: nocat at lists.nocat.net
> Subject: Re: [NoCat] LDAP and NoCat, nearly working..
>
> Hello Jesper,
>
> On Mon, May 22, 2006 at 03:35:29PM +0200, Jesper Haggren, Zolid wrote:
> > Hi NoCat list,
> >
> > I have a working NoCatAuth setup running with "DataSource = Passwd" -
> > the last thing I would like to get working is for nocat to use my
> > existing Windows 2003 Server Active Directory for the authorization part.
> >
> > I tried both with nocat 0.82 and with the ACTARES-fork. Both
> > auth-servers are still running. Here is my scenario:
> >
> > I have a nocat-gateway called gw-srv1:
> >
> > ETH0, 172.16.1.1: (running DHCP, DNS and so on).
> > ETH1, 192.168.1.3
> >
> > Then I have 2 Auth-servers (one with 0.82 and one with the
> > ACTARES-fork). Currently I use the one with the ACTARES-fork:
> >
> > ath-srv1, ETH0 192.168.1.4 (ACTARES-fork)
> > ath-srv2, ETH0 192.168.1.5 (0.82)
> >
> > Both work fine in DataSource=Passwd mode.
> >
> > Then I have my Windows 2003 Domain controller, fil-srv2 (fil-srv2.sgu.dom):
> >
> > ETH0, 192.168.1.11 (windows AD).
> >
> > -----------
> >
> > The only thing I want is for the AUTH-server to be able to validate a
> > wireless-user by looking at my Windows AD-server. All users who are
> > allowed to access the Internet from the wireless network are located
> > in an OU called "sguPublicUsers".
> >
> > I have no use for manipulating users/data through the nocat-admintool.
> > All user-setup will be done on the Windows server.
> >
> > I can't get this to work, and the main problem is in fact that I have
> > no log-file telling me what is wrong - when a user called "ji" tries
> > to logon using his email address (as described in the nocat.conf) which
> > is ji at sgu.dom (my ad-domain is called sgu.dom) the nocat gateway returns:
> > "That email address is unknown. Please try again".
> >
> > All packages should be in place (Net::LDAP and IO::Socket:SSL and so
> > on..). My authserver nocat.conf file is located below.
> (...rest deleted...)
>
> I have no direct experience with NoCat using LDAP, but I may need to tackle
> this soon. Anyway in such a situation my first step would be to check if
> your auth gateway is actually sending LDAP requests or not, and if yes,
> trace these requests. Check tcpdump or much better [t]ethereal, run them on
> your auth gateway with "host server>". Especially [t]ethereal will show
> you the LDAP requests/replies completely decoded. That should hint you.
>
> Oh wait... IO::Socket:SSL... of course if all your LDAP traffic goes over
> SSL this is a dead end. I'm not much familiar with Windows AD (I use
> OpenLDAP) but is there any way to have the LDAP requests go unencrypted
> during the troubleshooting? If not, ouch. Well, at least you can see if
> there's *any* traffic going on between the two boxes.
> Maybe NoCat isn't even trying to query LDAP.
>
> Greets,
> _Alain_

The problem is the fact that you are using MS AD which doesn't support LDAP as the RFC dictates. You are better off using a real directory that supports LDAP correctly such as Novell's eDirectory or OpenLDAP.

JP


From kyleena at tele2.it Thu May 25 08:50:38 2006
From: kyleena at tele2.it (kyleena at tele2.it)
Date: Thu, 25 May 2006 17:50:38 +0200
Subject: [NoCat] Limit time online per user
Message-ID:

Hi again,

I hope someone can suggest me a tip to do what I need... I have NoCatAuth gateway and server installed on two machines. Authentication works on RADIUS that queries a PostgreSQL database. I used a SQL script that I downloaded at: http://www.peternixon.net/tmp/dialupadmin-pg-netsnmp.tar.bz and everything works fine.

I want to use DialupAdmin to manage users. It also seems to work fine, but I want to know if I can limit time online per user, for example, how can I set that a user can stay online only 2 hours. I would like that after 2 hours his session expires and he can't stay online any more.
I tried to set Session Timeout when I create a new user, but it doesn't work. Can anyone tell me where I can set this limit?

Thankssssss ;-)
Monica


From jeha at zolid.dk Fri May 26 03:56:27 2006
From: jeha at zolid.dk (Jesper Haggren, Zolid)
Date: Fri, 26 May 2006 12:56:27 +0200
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <20060523092717.GA1857@baggesen.mine.nu>
References: <20060523015118.GB32032@ait.ac.th> <000601c67e3f$5c063d30$6500000a@meek> <20060523092717.GA1857@baggesen.mine.nu>
Message-ID: <4476DEDB.3040107@zolid.dk>

Hi Niels,

The search-filter is set up as the default 'mail', and I haven't been able to find a list of available attributes to use? Anyone?

/Jesper

Niels Baggesen wrote:
> On Tue, May 23, 2006 at 10:03:21AM +0200, Jesper Haggren, Zolid wrote:
>> As you see I'm nearly there. But in all 5 entries my user ji at sgu.dom is
>> not mentioned - so something is still wrong. In fact I think entry 2 is the
>> problem. The log-entry ID states that it means something like "when a
>> remote user tries to authorize as another user (typically when an
>> administrator uses the RUNAS feature on a workstation)". This sounds like a
>> way of doing it.
>
> Are you sure that the search filter is correct? Does the user have a
> mail attribute?
> If the LDAP search does not find a match, it won't try to authenticate
> against it.
>
> /Niels
>


From jeha at zolid.dk Fri May 26 03:57:51 2006
From: jeha at zolid.dk (Jesper Haggren, Zolid)
Date: Fri, 26 May 2006 12:57:51 +0200
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <1148387899.8345.2.camel@z00p.zoopster.net>
References: <000601c67e3f$5c063d30$6500000a@meek> <1148387899.8345.2.camel@z00p.zoopster.net>
Message-ID: <4476DF2F.1080300@zolid.dk>

Hi John,

I'm not about to replace my AD just because of nocat ;-)
Still there are a lot of users on this list who have written about nocat and MS AD working just fine.... anyone?
/Jesper

John Pugh wrote:
> On Tue, 2006-05-23 at 10:03 +0200, Jesper Haggren, Zolid wrote:
>> Alain,
>>
>> Thanks for your reply. After I wrote the list yesterday I switched back
>> to the 0.82 auth-server and actually got it working. Not so that users
>> are authorized, but I now get some log-activity on my windows-server.
>>
>> The relevant portion of my conf:
>>
>> DataSource LDAP
>> LDAP_Host fil-srv2.sgu.dom
>> LDAP_Base ou=sguPublicUsers,ou=SGU,dc=sgu,dc=dom
>> LDAP_Admin_User cn=admin,cn=users,dc=sgu,dc=dom
>> LDAP_Admin_PW pen10u
>> LDAP_Hash_Passwords Yes
>> LDAP_Search_as_Admin Yes
>> LDAP_Filter mail
>>
>> I'm using a test user with the logonname "ji"; with the domain-name he
>> has a username as so: "ji at sgu.dom". This user is placed in the
>> sguPublicUsers OU. When my auth-server contacts the windows-server it
>> generates 5 log-entries, see them below:
>>
>> ENTRY 1:
>> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> Logon account: admin
>> Source Workstation: FIL-SRV2
>> Error Code: 0x0
>>
>> (this means that the user (hence admin) was logged on successfully)
>>
>> ENTRY 2:
>> Logon attempt using explicit credentials:
>> Logged on user:
>> User Name: FIL-SRV2$
>> Domain: SGU
>> Logon ID: (0x0,0x3E7)
>> Logon GUID: -
>> User whose credentials were used:
>> Target User Name: admin
>> Target Domain: SGU
>> Target Logon GUID: -
>> Target Server Name: localhost
>> Target Server Info: localhost
>> Caller Process ID: 860
>> Source Network Address: 192.168.1.5
>> Source Port: 32804
>>
>> (192.168.1.5 is in fact my auth-server)
>>
>> ENTRY 3:
>> Successful Network Logon:
>> User Name: admin
>> Domain: SGU
>> Logon ID: (0x0,0x907B49B)
>> Logon Type: 3
>> Logon Process: Advapi
>> Authentication Package: Negotiate
>> Workstation Name: FIL-SRV2
>> Logon GUID: -
>> Caller User Name: FIL-SRV2$
>> Caller Domain: SGU
>> Caller Logon ID: (0x0,0x3E7)
>> Caller Process ID: 860
>> Transited Services: -
>> Source Network Address: 192.168.1.5
>> Source Port: 32804
>>
>> ENTRY 5:
>>
>> (something about what credentials the user (admin) has on the server)
>>
>> ENTRY 4:
>> User Logoff:
>> User Name: admin
>> Domain: SGU
>> Logon ID: (0x0,0x907B49B)
>> Logon Type: 3
>>
>> -----------
>>
>> As you see I'm nearly there. But in all 5 entries my user ji at sgu.dom is
>> not mentioned - so something is still wrong. In fact I think entry 2 is the
>> problem. The log-entry ID states that it means something like "when a
>> remote user tries to authorize as another user (typically when an
>> administrator uses the RUNAS feature on a workstation)". This sounds like a
>> way of doing it.
>>
>> Does anyone have a clue?
>>
>> /Jesper
>>
>> -----Original Message-----
>> From: nocat-bounces at lists.nocat.net [mailto:nocat-bounces at lists.nocat.net] On behalf of Alain Fauconnet
>> Sent: 23 May 2006 03:51
>> To: nocat at lists.nocat.net
>> Subject: Re: [NoCat] LDAP and NoCat, nearly working..
>>
>> Hello Jesper,
>>
>> On Mon, May 22, 2006 at 03:35:29PM +0200, Jesper Haggren, Zolid wrote:
>>> Hi NoCat list,
>>>
>>> I have a working NoCatAuth setup running with "DataSource = Passwd" -
>>> the last thing I would like to get working is for nocat to use my
>>> existing Windows 2003 Server Active Directory for the authorization part.
>>>
>>> I tried both with nocat 0.82 and with the ACTARES-fork. Both
>>> auth-servers are still running. Here is my scenario:
>>>
>>> I have a nocat-gateway called gw-srv1:
>>>
>>> ETH0, 172.16.1.1: (running DHCP, DNS and so on).
>>> ETH1, 192.168.1.3
>>>
>>> Then I have 2 Auth-servers (one with 0.82 and one with the
>>> ACTARES-fork). Currently I use the one with the ACTARES-fork:
>>>
>>> ath-srv1, ETH0 192.168.1.4 (ACTARES-fork)
>>> ath-srv2, ETH0 192.168.1.5 (0.82)
>>>
>>> Both work fine in DataSource=Passwd mode.
>>>
>>> Then I have my Windows 2003 Domain controller, fil-srv2 (fil-srv2.sgu.dom):
>>>
>>> ETH0, 192.168.1.11 (windows AD).
>>>
>>> -----------
>>>
>>> The only thing I want is for the AUTH-server to be able to validate a
>>> wireless-user by looking at my Windows AD-server. All users who are
>>> allowed to access the Internet from the wireless network are located
>>> in an OU called "sguPublicUsers".
>>>
>>> I have no use for manipulating users/data through the nocat-admintool.
>>> All user-setup will be done on the Windows server.
>>>
>>> I can't get this to work, and the main problem is in fact that I have
>>> no log-file telling me what is wrong - when a user called "ji" tries
>>> to logon using his email address (as described in the nocat.conf) which
>>> is ji at sgu.dom (my ad-domain is called sgu.dom) the nocat gateway returns:
>>> "That email address is unknown. Please try again".
>>>
>>> All packages should be in place (Net::LDAP and IO::Socket:SSL and so
>>> on..). My authserver nocat.conf file is located below.
>> (...rest deleted...)
>>
>> I have no direct experience with NoCat using LDAP, but I may need to tackle
>> this soon. Anyway in such a situation my first step would be to check if
>> your auth gateway is actually sending LDAP requests or not, and if yes,
>> trace these requests. Check tcpdump or much better [t]ethereal, run them on
>> your auth gateway with "host server>". Especially [t]ethereal will show
>> you the LDAP requests/replies completely decoded. That should hint you.
>>
>> Oh wait... IO::Socket:SSL... of course if all your LDAP traffic goes over
>> SSL this is a dead end. I'm not much familiar with Windows AD (I use
>> OpenLDAP) but is there any way to have the LDAP requests go unencrypted
>> during the troubleshooting? If not, ouch. Well, at least you can see if
>> there's *any* traffic going on between the two boxes.
>> Maybe NoCat isn't even trying to query LDAP.
>>
>> Greets,
>> _Alain_
>
> The problem is the fact that you are using MS AD which doesn't support
> LDAP as the RFC dictates. You are better off using a real directory that
> supports LDAP correctly such as Novell's eDirectory or OpenLDAP.
>
> JP
>


From bigwavedave at gmail.com Mon May 29 17:32:14 2006
From: bigwavedave at gmail.com (Big Wave Dave)
Date: Mon, 29 May 2006 17:32:14 -0700
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <4476DF2F.1080300@zolid.dk>
References: <000601c67e3f$5c063d30$6500000a@meek> <1148387899.8345.2.camel@z00p.zoopster.net> <4476DF2F.1080300@zolid.dk>
Message-ID: <8e124f160605291732g10e48f3epf238e364f96e4d@mail.gmail.com>

On 5/26/06, Jesper Haggren, Zolid wrote:
> Hi John,
>
> I'm not about to replace my AD just because of nocat ;-)
> Still there are a lot of users on this list who have written about nocat
> and MS AD working just fine.... anyone?
>
> /Jesper
>

For what it's worth, I have it working with MS AD. My authserv config file snippet:

DataSource LDAP
LDAP_Host adhost.domain.com
LDAP_Base cn=Users,dc=domain,dc=com
LDAP_Admin_User cn=IT Bind User,cn=Users,dc=domain,dc=com
LDAP_Admin_PW ********
LDAP_Hash_Passwords No
LDAP_Search_as_Admin Yes
LDAP_Filter sAMAccountName
LDAP_Secure Yes
LDAP_Group CN=Domain Users,CN=Users,DC=domain,DC=com

The user just logs in with username... NOT with the "@domain.com". This may not be desirable for all people... but was the way we wanted it.
Does that help?

Dave

--
----------------------------------------------------------
Are Your Friends Lemmings? -- http://www.lemmingshirts.com


From jeha at zolid.dk Tue May 30 03:02:12 2006
From: jeha at zolid.dk (Jesper Haggren, Zolid)
Date: Tue, 30 May 2006 12:02:12 +0200
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <8e124f160605291732g10e48f3epf238e364f96e4d@mail.gmail.com>
References: <000601c67e3f$5c063d30$6500000a@meek> <1148387899.8345.2.camel@z00p.zoopster.net> <4476DF2F.1080300@zolid.dk> <8e124f160605291732g10e48f3epf238e364f96e4d@mail.gmail.com>
Message-ID: <447C1824.4080707@zolid.dk>

Big Wave Dave wrote:
> On 5/26/06, Jesper Haggren, Zolid wrote:
>> Hi John,
>>
>> I'm not about to replace my AD just because of nocat ;-)
>> Still there are a lot of users on this list who have written about nocat
>> and MS AD working just fine.... anyone?
>>
>> /Jesper
>>
>
> For what it's worth, I have it working with MS AD. My authserv config
> file snippet:
> DataSource LDAP
> LDAP_Host adhost.domain.com
> LDAP_Base cn=Users,dc=domain,dc=com
> LDAP_Admin_User cn=IT Bind User,cn=Users,dc=domain,dc=com
> LDAP_Admin_PW ********
> LDAP_Hash_Passwords No
> LDAP_Search_as_Admin Yes
> LDAP_Filter sAMAccountName
> LDAP_Secure Yes
> LDAP_Group CN=Domain Users,CN=Users,DC=domain,DC=com
>
> The user just logs in with username... NOT with the "@domain.com".
> This may not be desirable for all people... but was the way we wanted
> it.
> Does that help?

Incredible!! I changed my config to match yours (and moved my test-user from one OU to the builtin "users" container) and now my users get authenticated!

I'll do some extensive research and find out what was wrong and then get back to you guys on the list.

Thanks!!

/jesper

> Dave
>


From jeha at zolid.dk Tue May 30 06:31:58 2006
From: jeha at zolid.dk (Jesper Haggren, Zolid)
Date: Tue, 30 May 2006 15:31:58 +0200
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <8e124f160605291732g10e48f3epf238e364f96e4d@mail.gmail.com>
References: <000601c67e3f$5c063d30$6500000a@meek> <1148387899.8345.2.camel@z00p.zoopster.net> <4476DF2F.1080300@zolid.dk> <8e124f160605291732g10e48f3epf238e364f96e4d@mail.gmail.com>
Message-ID: <447C494E.2090206@zolid.dk>

Hi everybody,

I found out something new - and I believe it to be a bug (if I'm not the one who is mistaken).

The right way to set this up (best practice) would be to create a global security group containing the users who are allowed to access the internet through the nocat-system.

Doing so:
creating group: allowedNocatUsers
add members to group: "ji".

Then specify this group as the LDAP_Base (my config:)

LDAP_Base CN=allowedNocatUsers,DC=sgu,DC=dom

THIS DOES NOT WORK.

If I, instead of a group, use an OU:

Doing so:
creating ou: allowedNocatUsersOU
moving my users to this ou: "ji"
Changing the LDAP_Base to: OU=allowedNocatUsersOU,DC=sgu,DC=dom

Then it works.

This is nevertheless not very clever because bigger ADs tend to spread out the users in different OUs (separating rights, locations and GPOs on these OUs). If I were to use nocat I would have to place all users in one OU.

In my organisation we have 1000 users, all divided into different departments, user-right groups and so on. I would not be able to place all these in one OU.

BUT in fact nocat searches the OU nested, making it possible to create a structure of OUs below the root nocat OU. Still this would mean that all users had nocat-access. This is not my intention.

The only solution is to make nocatauth use AD groups instead of AD OUs... anyone?

(earlier in a mail from Big Wave Dave he pasted his config containing a parameter for nocatauth called LDAP_Group - this parameter might be the solution but its use is not documented??? anyone?)
Thanks in advance

Jesper Haggren

Big Wave Dave wrote:
> On 5/26/06, Jesper Haggren, Zolid wrote:
>> Hi John,
>>
>> I'm not about to replace my AD just because of nocat ;-)
>> Still there are a lot of users on this list who have written about nocat
>> and MS AD working just fine.... anyone?
>>
>> /Jesper
>>
>
> For what it's worth, I have it working with MS AD. My authserv config
> file snippet:
> DataSource LDAP
> LDAP_Host adhost.domain.com
> LDAP_Base cn=Users,dc=domain,dc=com
> LDAP_Admin_User cn=IT Bind User,cn=Users,dc=domain,dc=com
> LDAP_Admin_PW ********
> LDAP_Hash_Passwords No
> LDAP_Search_as_Admin Yes
> LDAP_Filter sAMAccountName
> LDAP_Secure Yes
> LDAP_Group CN=Domain Users,CN=Users,DC=domain,DC=com
>
> The user just logs in with username... NOT with the "@domain.com".
> This may not be desirable for all people... but was the way we wanted
> it.
> Does that help?
>
> Dave
>


From jpugh at jpugh.org Tue May 30 10:11:40 2006
From: jpugh at jpugh.org (John Pugh)
Date: Tue, 30 May 2006 13:11:40 -0400
Subject: [NoCat] LDAP and NoCat, nearly working..
In-Reply-To: <447C494E.2090206@zolid.dk>
References: <000601c67e3f$5c063d30$6500000a@meek> <1148387899.8345.2.camel@z00p.zoopster.net> <4476DF2F.1080300@zolid.dk> <8e124f160605291732g10e48f3epf238e364f96e4d@mail.gmail.com> <447C494E.2090206@zolid.dk>
Message-ID: <1149009100.16375.15.camel@z00p.zoopster.net>

If AD supported the full LDAP v3 spec, this would not be a problem. OUs cannot be security containers in AD as they can in all other LDAP v3 compliant directories, hence the need to use the group object class; however, in AD a group object is not capable of inheriting any user attributes as most directory services allow.
What I did is create a new aux class as a container object (don't think AD can do this either - but if it can) that is specific to nocat, create an index on a specific attribute in this class and point nocat to use this aux class (appears as a container to nocat) for the auth source; then I don't care how my tree is set up, anyone who meets the criteria of "allowed to use nocat" can gain access. Groups fully defeat the purpose of an enterprise directory and AD's only security containment is a domain (I think they renamed them to trees? in AD)... big problem for more than just nocat.

On Tue, 2006-05-30 at 15:31 +0200, Jesper Haggren, Zolid wrote:
> Hi everybody,
>
> I found out something new - and I believe it to be a bug (if I'm not the
> one who is mistaken).
>
> The right way to set this up (best practice) would be to create a global
> security group containing the users who are allowed to access the
> internet through the nocat-system.
>
> Doing so:
> creating group: allowedNocatUsers
> add members to group: "ji".
>
> Then specify this group as the LDAP_Base (my config:)
>
> LDAP_Base CN=allowedNocatUsers,DC=sgu,DC=dom
>
> THIS DOES NOT WORK.
>
> If I, instead of a group, use an OU:
>
> Doing so:
> creating ou: allowedNocatUsersOU
> moving my users to this ou: "ji"
> Changing the LDAP_Base to: OU=allowedNocatUsersOU,DC=sgu,DC=dom
>
> Then it works.
>
> This is nevertheless not very clever because bigger ADs tend to spread
> out the users in different OUs (separating rights, locations and GPOs on
> these OUs). If I were to use nocat I would have to place all users in
> one OU.
>
> In my organisation we have 1000 users, all divided into different
> departments, user-right groups and so on. I would not be able to place
> all these in one OU.
>
> BUT in fact nocat searches the OU nested, making it possible to
> create a structure of OUs below the root nocat OU. Still this would
> mean that all users had nocat-access. This is not my intention.
>
> The only solution is to make nocatauth use AD groups instead of AD
> OUs... anyone?
>
> (earlier in a mail from Big Wave Dave he pasted his config containing a
> parameter for nocatauth called LDAP_Group - this parameter might be the
> solution but its use is not documented??? anyone?)
>
> Thanks in advance
>
> Jesper Haggren
>
> Big Wave Dave wrote:
> > On 5/26/06, Jesper Haggren, Zolid wrote:
> >> Hi John,
> >>
> >> I'm not about to replace my AD just because of nocat ;-)
> >> Still there are a lot of users on this list who have written about nocat
> >> and MS AD working just fine.... anyone?
> >>
> >> /Jesper
> >>
> >
> > For what it's worth, I have it working with MS AD. My authserv config
> > file snippet:
> > DataSource LDAP
> > LDAP_Host adhost.domain.com
> > LDAP_Base cn=Users,dc=domain,dc=com
> > LDAP_Admin_User cn=IT Bind User,cn=Users,dc=domain,dc=com
> > LDAP_Admin_PW ********
> > LDAP_Hash_Passwords No
> > LDAP_Search_as_Admin Yes
> > LDAP_Filter sAMAccountName
> > LDAP_Secure Yes
> > LDAP_Group CN=Domain Users,CN=Users,DC=domain,DC=com
> >
> > The user just logs in with username... NOT with the "@domain.com".
> > This may not be desirable for all people... but was the way we wanted
> > it.
> > Does that help?
> >
> > Dave
> >
>
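The thread's two findings (Niels: no search match means no bind is attempted; Jesper: a group DN as LDAP_Base finds nothing while an OU works) follow from how LDAP search scope and group membership differ, which the added Python model below illustrates against a constructed in-memory directory. It is not NoCatAuth's own (Perl) code, and how NoCatAuth actually implements LDAP_Group is not documented on this page, so the group check here is one plausible reading of that setting.

```python
"""Search-then-bind LDAP authentication, modelled offline.

Added example, not NoCatAuth's own (Perl) code.  A constructed in-memory
directory stands in for Active Directory so the logic runs without a
server; DN handling is simplified (no escaping, case-insensitive RDNs).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def norm(dn: str) -> str:
    """Normalise a DN for comparison: trim each RDN and lower-case it."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def is_under(entry_dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry is the base itself or sits anywhere beneath it."""
    e, b = norm(entry_dn).split(","), norm(base_dn).split(",")
    return len(e) >= len(b) and e[len(e) - len(b):] == b


@dataclass
class Directory:
    entries: Dict[str, Dict[str, List[str]]]   # normalised DN -> {attr: [values]}
    passwords: Dict[str, str]                  # normalised DN -> password (test data)

    def search(self, base: str, attr: str, value: str) -> List[str]:
        """DNs under base whose attr holds value: filter (attr=value), subtree scope."""
        return [dn for dn, attrs in self.entries.items()
                if is_under(dn, base)
                and value.lower() in (v.lower() for v in attrs.get(attr, []))]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only with the entry's own password."""
        return self.passwords.get(norm(dn)) == password

    def is_member(self, group_dn: str, user_dn: str) -> bool:
        """Membership lives in the group's member attribute, not in tree position."""
        group = self.entries.get(norm(group_dn), {})
        return norm(user_dn) in (norm(m) for m in group.get("member", []))


def authenticate(d: Directory, base: str, filt: str, login: str, password: str,
                 group: Optional[str] = None) -> Tuple[bool, str]:
    """LDAP_Base / LDAP_Filter / LDAP_Group style check: search, group test, bind."""
    hits = d.search(base, filt, login)
    if not hits:
        return False, "no entry matched; nothing to bind as"  # "address is unknown"
    if len(hits) > 1:
        return False, "ambiguous: %d entries matched" % len(hits)
    if group and not d.is_member(group, hits[0]):
        return False, "not a member of " + group
    if not d.bind(hits[0], password):
        return False, "bind failed for " + hits[0]
    return True, hits[0]


# Constructed directory: one user in the sguPublicUsers OU, one elsewhere, one group.
JI = "cn=ji,ou=sguPublicUsers,ou=SGU,dc=sgu,dc=dom"
BOB = "cn=bob,ou=Staff,ou=SGU,dc=sgu,dc=dom"
GROUP = "cn=allowedNocatUsers,dc=sgu,dc=dom"
AD = Directory(
    entries={
        norm(JI): {"sAMAccountName": ["ji"], "mail": ["ji@sgu.dom"]},
        norm(BOB): {"sAMAccountName": ["bob"], "mail": ["bob@sgu.dom"]},
        norm(GROUP): {"objectClass": ["group"], "member": [JI]},
    },
    passwords={norm(JI): "ji-test-pw", norm(BOB): "bob-test-pw"},
)

if __name__ == "__main__":
    # OU as base finds the user; the group DN as base matches nothing, because the
    # user object is not beneath the group entry; the group check rejects bob.
    print(authenticate(AD, "ou=sguPublicUsers,ou=SGU,dc=sgu,dc=dom", "mail", "ji@sgu.dom", "ji-test-pw"))
    print(authenticate(AD, GROUP, "mail", "ji@sgu.dom", "ji-test-pw"))
    print(authenticate(AD, "dc=sgu,dc=dom", "sAMAccountName", "bob", "bob-test-pw", group=GROUP))
```

Searching with the domain root as base and a group test after the search is the shape of the group-restricted setup Jesper asks for; pointing the base at the group entry can only ever return the group object itself, which carries no mail or sAMAccountName value.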