LDAP with Active Directory bug(?)
2025-01-24 15:32:40 - last edited a week ago
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6

hi all,

I've tried to configure OpenVPN user auth with LDAP pointing to an Active Directory Domain Controller.

yes, I know, there are some articles saying that this doesn't work, AD not supported and so on, suggesting to install the Windows version of openLDAP...

as I have some other software products communicating fine with AD using the LDAP protocol, I've started packet capturing on the domain controller to see what is happening.

as a baseline I'll take the LDAP user auth dialog of Zabbix (monitoring tool):

Zabbix <--> AD DC:
--> bindRequest with bind user(*) and simple auth
<-- bindResponse: success
--> searchRequest with baseObject(**), scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
<-- searchResEntry - success (1 result) << returning DN of my account
--> bindRequest with user to be auth and simple auth << try to bind with my account
<-- bindResponse: success << my credentials are confirmed, I'm logged in
--> unbindRequest << close the dialog...

and now the auth dialog between router and domain controller:

ER605 <--> AD DC:
--> bindRequest with bind user(*) and simple auth
<-- bindResponse: success
--> searchRequest with baseObject(**), scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
<-- searchResEntry - success (1 result) << returning DN of my account
--> unbindRequest << close the dialog...

(*) bind user is called "Regular DN" at the Controller

(**) baseObject is called "Base Distinguished Name" at the Omada Controller

as I can see, the router doesn't even try to verify my password using a bindRequest and just reports back to the OpenVPN client that the password is incorrect...

is this a bug or am I missing something?

/BR ZoloNN ------------------------------------------------------------------------------------ Omada 2x ER605(UN) v2.0 + SG200P(UN) V3.20 + SG2218 V1.20 + 2x SG2008 V4.20 + 3x EAP615-Wall(EU) V1.0
#1
Re:LDAP with Active Directory bug(?)
3 weeks ago

*** UPDATE ***

I've installed the Windows openLDAP according to this article, configured it as an LDAP proxy and made a packet capture. The result is almost the same - the router doesn't even try to verify my password...

The only difference in communication is that openLDAP sends the searchDone message after the searchResEntry message:

R --> O       bindRequest with bind user and simple auth
      O --> D bindRequest with bind user and simple auth
      O <-- D bindResponse: success
R <-- O       bindResponse: success
R --> O       searchRequest with baseObject, scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
      O --> D searchRequest with baseObject, scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
      O <-- D searchResEntry - success (1 result) << returning DN of my account
R <-- O       searchResEntry - success (1 result) << returning DN of my account
R <-- O       searchDone - success (1 result)
R --> O       unbindRequest
      O --> D unbindRequest

R - router
O - openLDAP
D - Domain controller

#2
Re:LDAP with Active Directory bug(?)
2 weeks ago

hi @Clive_A,

can you please look into it? do you have any idea what's going on?

thanks in advance

#3
Re:LDAP with Active Directory bug(?)
2 weeks ago

Hi @ZoloNN 

Thanks for posting in our business forum.

Just forwarded it to the test team for review.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#4
Re:LDAP with Active Directory bug(?)
2 weeks ago

Hi @Clive_A,

thank you

#5
Re:LDAP with Active Directory bug(?)
a week ago

Hi @ZoloNN 

Thanks for posting in our business forum.

ZoloNN wrote

*** UPDATE ***

I've installed the Windows openLDAP according to this article, configured it as an LDAP proxy and made a packet capture. The result is almost the same - the router doesn't even try to verify my password...

The only difference in communication is that openLDAP sends the searchDone message after the searchResEntry message:

R --> O       bindRequest with bind user and simple auth
      O --> D bindRequest with bind user and simple auth
      O <-- D bindResponse: success
R <-- O       bindResponse: success
R --> O       searchRequest with baseObject, scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
      O --> D searchRequest with baseObject, scope=wholeSubtree and filter="(sAMAccountName=<my name>)"
      O <-- D searchResEntry - success (1 result) << returning DN of my account
R <-- O       searchResEntry - success (1 result) << returning DN of my account
R <-- O       searchDone - success (1 result)
R --> O       unbindRequest
      O --> D unbindRequest

R - router
O - openLDAP
D - Domain controller

Since you stated that you followed the guide and configured per the guide, can you show me how you configured it? The full parameters of this LDAP config. I did not ask for this since you mentioned that you have strictly followed the guide. Dev is suspicious of your configuration.

#6
Re:LDAP with Active Directory bug(?)-Solution
a week ago - last edited a week ago

Hi @ZoloNN 

Thanks for posting in our business forum.

ZoloNN wrote

Hi @Clive_A,

thank you

And a quick update:

For the problem with LDAP, you can try modifying the configuration of the "Common Name Identifier" field, because we found that some LDAP servers return the DN result instead of the configured value, which directly causes the LDAP query to fail without continuing to verify the password. You can try out CN, UID or SN in the field.

Recommended Solution
#7
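As an added illustration (a constructed model written for this thread, not the router's, Omada's or Zabbix's code), here is the search-then-bind login from both captures in pure Python, with a tiny in-memory directory standing in for the domain controller; the DNs, attribute values and passwords are made up. The strict_identifier flag models Clive_A's explanation: a client that insists on seeing the configured Common Name Identifier attribute in the returned entry gives up before the second bindRequest and produces exactly the truncated ER605 dialog, while a client that simply binds with the returned DN (the Zabbix pattern) is the one that actually verifies the password.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for the domain controller: DN -> (attributes, password).
DIRECTORY: Dict[str, Tuple[Dict[str, List[str]], str]] = {
    "CN=svc-vpn,OU=Service,DC=example,DC=com": (
        {"sAMAccountName": ["svc-vpn"], "cn": ["svc-vpn"]}, "svc-pw"),
    "CN=Zolo NN,OU=Users,DC=example,DC=com": (
        {"sAMAccountName": ["zolonn"], "cn": ["Zolo NN"], "sn": ["NN"]}, "correct-horse"),
}

def bind(trace: List[str], dn: str, password: str) -> bool:
    """Simple bind: only here does the server check a password for a DN."""
    trace.append(f"--> bindRequest {dn}")
    ok = dn in DIRECTORY and DIRECTORY[dn][1] == password
    trace.append("<-- bindResponse: " + ("success" if ok else "invalidCredentials"))
    return ok

def search(trace: List[str], base: str, attr: str, value: str, return_attrs: bool):
    """Subtree search with filter (attr=value), asking for attr back.
    return_attrs=False models a server answering with the DN only."""
    trace.append(f'--> searchRequest base={base} filter="({attr}={value})"')
    hits = [(dn, {attr: a[attr]} if return_attrs else {})
            for dn, (a, _) in DIRECTORY.items()
            if dn.endswith(base) and value in a.get(attr, [])]
    trace.append(f"<-- searchResEntry/searchDone: {len(hits)} result(s)")
    return hits

def authenticate(cfg: dict, username: str, password: str,
                 strict_identifier: bool, server_returns_attrs: bool):
    """Search-then-bind; returns (ok, reason, trace). strict_identifier=True
    models a client that requires the Common Name Identifier attribute value
    in the entry before it will bind as the user (the suspected router behaviour)."""
    trace: List[str] = []
    if not bind(trace, cfg["regular_dn"], cfg["regular_pw"]):
        return False, "service bind failed", trace
    hits = search(trace, cfg["base_dn"], cfg["cn_identifier"], username, server_returns_attrs)
    if len(hits) != 1:
        trace.append("--> unbindRequest")
        return False, "user not found (or ambiguous)", trace
    user_dn, attrs = hits[0]
    if strict_identifier and username not in attrs.get(cfg["cn_identifier"], []):
        trace.append("--> unbindRequest")  # gives up before ever checking the password
        return False, "identifier attribute missing from entry", trace
    ok = bind(trace, user_dn, password)   # the step the ER605 capture never reaches
    trace.append("--> unbindRequest")
    return ok, ("ok" if ok else "wrong password"), trace

# Constructed config mirroring the Omada fields: Regular DN, Base DN, CN identifier.
CFG = {"regular_dn": "CN=svc-vpn,OU=Service,DC=example,DC=com", "regular_pw": "svc-pw",
       "base_dn": "DC=example,DC=com", "cn_identifier": "sAMAccountName"}
```

Count the bindRequest lines in the returned trace to tell the two behaviours apart: two means the password was checked, one means the client reported "incorrect password" without ever asking the server.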
Re:LDAP with Active Directory bug(?)
Monday

hi @Clive_A,

will test it - but after intense playing around with OpenVPN and LDAP config, my OpenVPN server config disappeared and can't be re-created.

will come back with test results when the issue is solved

#8