[NoCat] LDAP and NoCat, nearly working..

Alain Fauconnet alain at ait.ac.th
Mon May 22 18:51:18 PDT 2006


Hello Jesper,

On Mon, May 22, 2006 at 03:35:29PM +0200, Jesper Haggren, Zolid wrote:
> Hi NoCat list,
> 
> I have a working NoCatAuth setup running with "DataSource = Passwd" - 
> the last thing I would like to get working is for nocat to use my 
> existing Windows 2003 Server Active Directory for the authorization part.
> 
> I tried both with nocat 0.82 and with the ACTARES-fork. Both 
> auth-servers are still running. Here is my scenario:
> 
> I have a nocat-gateway called gw-srv1:
> 
> ETH0, 172.16.1.1: (running DHCP, DNS and so on).
> ETH1, 192.168.1.3
> 
> 
> Then I have 2 Auth-servers (one with 0.82 and one with the 
> ACTARES-fork). Currently I use the one with the ACTARES-fork:
> 
> ath-srv1, ETH0 192.168.1.4 (ACTARES-fork)
> ath-srv2, ETH0 192.168.1.5 (0.82)
> 
> Both work fine in DataSource=Passwd mode.
> 
> Then I have my Windows 2003 Domain controller, fil-srv2 (fil-srv2.sgu.dom):
> 
> ETH0, 192.168.1.11 (windows AD).
> 
> -----------
> 
> The only thing I want is for the AUTH-server to be able to validate a 
> wireless-user by looking at my Windows AD-server. All users who are 
> allowed to access the Internet from the wireless network are located in 
> an OU called "sguPublicUsers".
> 
> I have no use for manipulating users/data through the nocat-admintool. 
> All user-setup will be done on the Windows server.
> 
> I can't get this to work, and the main problem is in fact that I have no 
> log-file telling me what is wrong - when a user called "ji" tries to 
> logon using his email address (as described in the nocat.conf) which is 
> ji at sgu.dom (my ad-domain is called sgu.dom) the nocat gateway returns: 
> "That emailadress is unknown. PLease try again".
> 
> 
> All packages should be in place (Net::LDAP and IO::Socket:SSL and so 
> on..). My authserver nocat.conf file is located below.
(...rest deleted...)

I have no direct experience with NoCat using LDAP, but I may need to
tackle this soon. Anyway, in such a situation my first step would be to
check if your auth gateway is actually sending LDAP requests or not,
and if yes, trace these requests. Check tcpdump or, much better,
[t]ethereal; run them on your auth gateway with "host <your LDAP
server>". Especially [t]ethereal will show you the LDAP
requests/replies completely decoded. That should give you a hint.

Oh wait...  IO::Socket:SSL... of course if all your LDAP traffic goes
over SSL this is a dead end. I'm not much familiar with Windows AD (I
use OpenLDAP) but is there any way to have the LDAP requests go
unencrypted during the troubleshooting? If not, ouch. Well, at least
you can see if there's *any* traffic going on between the two boxes.
Maybe NoCat isn't even trying to query LDAP.

Greets,
_Alain_
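A stand-alone Net::LDAP check that confirms the directory side (reachability, lookup of the user by e-mail address under the OU, and optionally the user's own bind) before suspecting NoCat itself. This is an added example, not code from the thread or from NoCat; the base DN, the service-account DN and its password are placeholders/assumptions, and the host and OU name come from the post.

```perl
#!/usr/bin/perl
# Exercise the LDAP side independently of NoCat: reach the AD controller,
# find the user by e-mail address under the OU, and (optionally) bind as
# that user. Added example; base DN and bind account are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $host    = 'fil-srv2.sgu.dom';                            # AD controller from the post
my $base    = 'OU=sguPublicUsers,DC=sgu,DC=dom';             # assumed DN of the OU
my $bind_dn = 'CN=nocat-reader,OU=Service,DC=sgu,DC=dom';    # PLACEHOLDER service account
my $bind_pw = 'REPLACE-ME';                                  # PLACEHOLDER password
my $mail    = shift @ARGV or die "usage: $0 user\@sgu.dom [password]\n";
my $user_pw = shift @ARGV;

# Plain LDAP on 389 so the exchange stays visible to tcpdump/tethereal while
# troubleshooting; switch to 'ldaps://' (636) once the lookup works.
my $ldap = Net::LDAP->new("ldap://$host", version => 3, timeout => 10)
    or die "cannot connect to $host: $@\n";

# AD refuses anonymous searches by default, so bind with the service account.
my $r = $ldap->bind($bind_dn, password => $bind_pw);
die "service bind failed: " . $r->error . "\n" if $r->code;

# Look the user up by e-mail address, the way the NoCat config expects logins.
# Escaping keeps a stray '*' or ')' in the input from altering the filter.
my $safe = escape_filter_value($mail);
$r = $ldap->search(base   => $base, scope => 'sub',
                   filter => "(&(objectClass=user)(mail=$safe))",
                   attrs  => ['sAMAccountName', 'userPrincipalName']);
die "search failed: " . $r->error . "\n" if $r->code;

my @entries = $r->entries;
if (!@entries) {
    print "no user with mail=$mail under $base\n";   # matches NoCat's 'unknown address'
    $ldap->unbind;
    exit 1;
}
my $dn = $entries[0]->dn;
print "found $dn (", $entries[0]->get_value('sAMAccountName'), ")\n";

# Optional second step: verify the password by binding as the user's own DN.
if (defined $user_pw) {
    my $u = $ldap->bind($dn, password => $user_pw);
    print $u->code ? "user bind failed: " . $u->error . "\n" : "user bind OK\n";
}
$ldap->unbind;
```

If this script finds the user but NoCat still reports the address as unknown, the problem is in NoCat's LDAP configuration or its filter, not in the directory.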