LDAP with Active Directory bug(?)
Friday - last edited an hour ago
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6

Hi all,

I've tried to configure OpenVPN user auth with LDAP pointing to an Active Directory Domain Controller.

Yes, I know there are some articles saying this doesn't work, AD is not supported and so on, suggesting to install the Windows version of OpenLDAP...

As I have some other software products communicating fine with AD using the LDAP protocol, I've started packet capturing on the domain controller to see what is happening.

As a baseline I'll take the LDAP user auth dialog of Zabbix (monitoring tool):

 

Zabbix <--> AD DC:
--> bindRequest with bind user(*) and simple auth
<-- bindResponse: success
--> searchRequest with baseObject(**), scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
<-- searchResEntry - success (1 result) << returning DN of my account
--> bindRequest with user to be auth and simple auth << try to bind with my account
<-- bindResponse: success << my credentials are confirmed, I'm logged in
--> unbindRequest << close the dialog...

 

And now the auth dialog between the router and the domain controller:

ER605 <--> AD DC:
--> bindRequest with bind user(*) and simple auth
<-- bindResponse: success
--> searchRequest with baseObject(**), scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
<-- searchResEntry - success (1 result) << returning DN of my account
--> unbindRequest << close the dialog...

 

(*) bind user is called "Regular DN" at the Controller

(**) baseObject is called "Base Distinguished Name" at the Omada Controller

 

As I can see, the router doesn't even try to verify my password using a bindRequest and just reports back to the OpenVPN client that the password is incorrect...

 

Is this a bug or am I missing something?

 

/BR ZoloNN --------------------------------------------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG200P(UN) V3.20 + 3x EAP615-Wall(EU) V1.0
#1
1 Reply
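The two captures above differ in exactly one step: the second bindRequest, made as the user's own DN with the password the VPN client typed. That bind is the only point at which the directory ever sees the password, so a flow that stops after the searchResEntry has nothing to base an accept/reject on. The following is an added example, not code from the original post, from TP-Link/Omada or from Zabbix: it models the "search then bind" dialogue in-process against a constructed stand-in for the domain controller (FakeDirectory, with made-up DNs, account names and passwords), so it runs offline. It also adds two checks the post does not mention but a practitioner implementing this flow wants: RFC 4515 escaping of the username before it goes into the filter, and a local refusal of empty passwords, because a simple bind with a DN and an empty password is an RFC 4513 "unauthenticated bind" that AD accepts by default as an anonymous session.

```python
"""Search-then-bind LDAP authentication, modelled in-process.

Added example, not code from the original post, from TP-Link/Omada or from
Zabbix. Nothing here talks to a network: FakeDirectory is a constructed
stand-in for the domain controller that reproduces the three bind behaviours
that matter for the captures in the post:

  * simple bind with DN + correct password  -> success (0)
  * simple bind with DN + wrong password    -> invalidCredentials (49)
  * simple bind with DN + EMPTY password    -> success, as an anonymous
    "unauthenticated bind" (RFC 4513 sec. 5.1.2; AD allows this by default)

All DNs, account names and passwords below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

SUCCESS = 0               # LDAP resultCode success
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

BASE_DN = "DC=corp,DC=example"                        # "Base Distinguished Name"
SVC_DN = "CN=svc-ldap,OU=Service,DC=corp,DC=example"  # "Regular DN" (bind user)
SVC_PW = "S3rv1ce!"
USER_DN = "CN=Zolo NN,OU=Users,DC=corp,DC=example"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a username such as 'x)(cn=*' must not rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    """Server side of RFC 4515: turn \\XX sequences back into the literal byte."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class FakeDirectory:
    entries: dict                            # dn -> attributes (toy: clear-text passwords)
    allow_unauthenticated_bind: bool = True  # AD default; can be switched off
    log: list = field(default_factory=list)  # protocol trace, like the capture

    def bind(self, dn: str, password: str) -> int:
        """Simple bind; returns an LDAP resultCode."""
        self.log.append(f"bindRequest dn={dn!r}")
        if password == "":
            # Unauthenticated bind: the DN is not checked, an anonymous session results.
            code = SUCCESS if self.allow_unauthenticated_bind else INVALID_CREDENTIALS
        else:
            entry = self.entries.get(dn)
            code = SUCCESS if entry and entry["userPassword"] == password else INVALID_CREDENTIALS
        self.log.append(f"bindResponse resultCode={code}")
        return code

    def search(self, base_dn: str, filter_: str) -> list:
        """wholeSubtree search; only a single (attr=value) equality filter is modelled."""
        self.log.append(f"searchRequest base={base_dn!r} filter={filter_!r}")
        m = re.fullmatch(r"\((\w+)=([^()]*)\)", filter_)
        if not m:
            raise ValueError("only (attr=value) filters are modelled")
        attr, value = m.group(1), _unescape(m.group(2))
        hits = [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and attrs.get(attr) == value]
        self.log.extend(f"searchResEntry dn={dn!r}" for dn in hits)
        self.log.append(f"searchResDone entries={len(hits)}")
        return hits

    def unbind(self) -> None:
        self.log.append("unbindRequest")


def sample_directory(**kwargs) -> FakeDirectory:
    """Constructed directory with the service account and one user."""
    return FakeDirectory(entries={
        SVC_DN: {"sAMAccountName": "svc-ldap", "userPassword": SVC_PW},
        USER_DN: {"sAMAccountName": "zolonn", "userPassword": "correct horse"},
    }, **kwargs)


def search_then_bind(d: FakeDirectory, username: str, password: str) -> bool:
    """The Zabbix dialogue from the post: service bind, search, then bind AS THE USER."""
    if password == "":
        # Refuse locally: sent to the server, an empty password becomes an
        # unauthenticated bind that "succeeds" for any DN.
        return False
    if d.bind(SVC_DN, SVC_PW) != SUCCESS:
        raise RuntimeError("service account bind failed")
    hits = d.search(BASE_DN, f"(sAMAccountName={escape_filter_value(username)})")
    ok = len(hits) == 1 and d.bind(hits[0], password) == SUCCESS  # the step the router skips
    d.unbind()
    return ok


def search_only(d: FakeDirectory, username: str, password: str) -> bool:
    """The ER605 dialogue from the capture: service bind, search, unbind, no user bind."""
    if d.bind(SVC_DN, SVC_PW) != SUCCESS:
        raise RuntimeError("service account bind failed")
    d.search(BASE_DN, f"(sAMAccountName={escape_filter_value(username)})")
    d.unbind()
    # The user's password never reached the directory, so nothing learned here
    # can confirm it; the capture shows the router then reports it as wrong.
    return False


def bind_requests(d: FakeDirectory) -> int:
    """Count of bindRequests in the trace: 2 for the working flow, 1 for the router's."""
    return sum(line.startswith("bindRequest") for line in d.log)
```

Run against `sample_directory()`, `search_then_bind(d, "zolonn", "correct horse")` produces the same five-message trace as the Zabbix capture and returns True, while `search_only` produces the router's three-message trace and can only ever answer False. Switching the directory to `allow_unauthenticated_bind=False` is the server-side equivalent of the empty-password check; keeping the client-side check as well means the flow stays safe against a directory that has the default.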
Re: LDAP with Active Directory bug(?)
an hour ago

*** UPDATE ***

 

I've installed the Windows OpenLDAP according to this article, configured it as an LDAP proxy and made a packet capture. The result is almost the same: the router doesn't even try to verify my password...

 

The only difference in the communication is that OpenLDAP sends the searchDone message after the searchResEntry message.

 

 

R --> O       bindRequest with bind user and simple auth
      O --> D bindRequest with bind user and simple auth
      O <-- D bindResponse: success
R <-- O       bindResponse: success
R --> O       searchRequest with baseObject, scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
      O --> D searchRequest with baseObject, scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
      O <-- D searchResEntry - success (1 result) << returning DN of my account
R <-- O       searchResEntry - success (1 result) << returning DN of my account
R <-- O       searchDone - success (1 result)
R --> O       unbindRequest
      O --> D unbindRequest

 

R - router

O - openLDAP

D - Domain controller

/BR ZoloNN --------------------------------------------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG200P(UN) V3.20 + 3x EAP615-Wall(EU) V1.0
#2