LDAP_HOSTS not defined

Kevin Tran
Mar 26, 2015, 12:58:23 PM
to event-driv...@googlegroups.com
First-time setup of tac_plus. I'm following the steps at http://www.pro-bono-publico.de/projects/howto-tac_plus-ads.html

and I'm getting the following error message:

LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 278, <DATA> line 522.

when executing this command: "/usr/local/lib/mavis/mavis_tacplus_ads.pl < /dev/null"

I'm on version DEVEL.201503121920

Any idea?

Klint K
Mar 28, 2015, 7:15:41 AM
to event-driv...@googlegroups.com
Kevin,

You will want to define your LDAP hosts in the tac_plus.cfg file. My file is at /usr/local/etc/; yours might be in a different location.
It should look something like this. I am on an older version, but yours should be similar.
Just edit it to fit your needs (servers, domain and username/password).


mavis module = external {
                # Optionally:
                # script out = {
                # # Require group membership:
                # if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
                #
                # # Don't cache passwords:
                # if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
                # }
                setenv LDAP_SERVER_TYPE = "microsoft"
                # setenv LDAP_HOSTS = "ldaps://192.168.1.1:636 ldaps://192.168.1.2:636"
                setenv LDAP_HOSTS = "192.168.1.1:3268 192.168.1.2:3268"
                # setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "dc=domain,dc=com"
                # setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "ldapuser"
                setenv LDAP_PASSWD = "ldapuserpassword"
                # setenv AD_GROUP_PREFIX = tacacs
                # setenv REQUIRE_AD_GROUP_PREFIX = 1
                setenv USE_TLS = 0
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

Hope this helps.

Kevin Tran
Mar 28, 2015, 11:10:29 AM
to event-driv...@googlegroups.com

Klint,

Thanks for your response. That was the first thing I did. I tried both the FQDN as well as IPs and still got the error message. My tac_plus config file is in the same location as yours. I just don't know what to do next and I'm hoping someone from the community could help.


Axel Eble
Mar 28, 2015, 11:20:59 AM
to event-driv...@googlegroups.com
Kevin,

maybe you should post the relevant parts of your config file. Please do not forget to X out the passwords before sharing, though.

Regards,
Axel



Kevin Tran
Mar 28, 2015, 11:50:30 AM
to event-driv...@googlegroups.com
Here's my config (only shows what I changed and everything else is default). Note, "network.abc.org" is just an example, not my real domain.

        mavis module = external {
                exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldaps://network.abc.org:636"
#               setenv LDAP_HOSTS = "ldaps://10.1.0.1:636 ldaps://10.1.0.2:636"
                setenv LDAP_BASE = "dc=network,dc=abc,dc=org"
                setenv LDAP_SCOPE = sub
#                setenv LDAP_SCOPE = "CN=sv_tacplus,OU=SvAccounts,OU=AltUserAccounts,OU=UserAccounts,DC=network,DC=abc,DC=org"
                setenv LDAP_FILTER = "(&(objectclass=person)(sAMAccountName=%s))"
                setenv LDAP_USER = x...@network.abc.org
                setenv LDAP_PASSWD = "xxxxxxxxx"
                setenv AD_GROUP_PREFIX = "OU=TacPlus,DC=network,DC=abc,DC=org"
#               setenv REQUIRE_TACACS_GROUP_PREFIX = 1
#                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

Thanks.

Axel Eble
Mar 28, 2015, 12:43:19 PM
to event-driv...@googlegroups.com
One thing I note is that you haven't enclosed your scope in quotes - no idea if that makes any change, though.

Did you try to query the LDAP server with this information through ldapsearch?

Next thing to try is running the Perl script in debug mode.

Kevin Tran
Mar 28, 2015, 12:50:38 PM
to event-driv...@googlegroups.com, axel...@gmail.com
I tried commenting out all the hosts in mavis and then tried to run the check again; I still got the error. Then I tried renaming tac_plus.cfg to tac_plus.cfg.old and I still got the same error. It appears to me that the Perl script "mavis_tacplus_ads.pl" doesn't actually read tac_plus.cfg.

Kevin Tran
Mar 28, 2015, 12:59:51 PM
to event-driv...@googlegroups.com, axel...@gmail.com
Here's the debug output. I know LDAP search works because I have other systems using the same LDAP setup and they work fine.

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-13328-1427561745-0
USER                test
TACTYPE             INFO


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-13328-1427561745-0
USER                test
RESULT              ERR
SERIAL              bCtV0XIIDzWQcJEm4E8HCQ=
USER_RESPONSE       I/O Error Connection reset by peer
TACTYPE             INFO

Marc Huber
Mar 28, 2015, 2:07:32 PM
to event-driv...@googlegroups.com
Hi Kevin,

On 26.03.15 17:58, Kevin Tran wrote:
> LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl
> line 278, <DATA> line 522.
>
> when executing this command "/usr/local/lib/mavis/mavis_tacplus_ads.pl
> < /dev/null"
you're calling "/usr/local/lib/mavis/mavis_tacplus_ads.pl < /dev/null"
from the command line, but the Perl script expects to be called from
tac_plus (or e.g. mavistest) with the required environment already set
up. If you want to call the script for testing purposes you need to
manually set the environment variables, e.g.:

printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | env LDAP_HOSTS="..." LDAP_SCOPE=... ... /usr/local/lib/mavis/mavis_tacplus_ads.pl

(Redirecting stdin to /dev/null isn't likely to give you any useful
result besides verifying that the dependencies are available.)

Cheers,

Marc
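
As an added illustration of what Marc describes (example code, not part of the tac_plus/MAVIS project or of any post in this thread): a small Python harness that refuses to invoke the backend script until the LDAP_* variables the config fragments in this thread set are present in the environment, sends the same request Marc's printf produces on stdin, and parses the "id value" reply lines in the form the script prints (e.g. "6 ERR", "=0"). The id-to-name mapping and the reading of the trailing "=N" line as a status number are assumptions drawn from the outputs quoted in this thread.

```python
import subprocess

# MAVIS attribute ids seen in this thread: 0 TYPE, 4 USER, 8 PASSWORD, 49 TACTYPE
# (Marc's printf), 6 RESULT ("6 ERR"/"6 NFD"); 32 -> USER_RESPONSE is an assumption.
AV_NAMES = {0: "TYPE", 4: "USER", 6: "RESULT", 8: "PASSWORD",
            32: "USER_RESPONSE", 49: "TACTYPE"}
# Variables the config fragments in this thread hand to the script via setenv.
REQUIRED_ENV = ("LDAP_SERVER_TYPE", "LDAP_HOSTS", "LDAP_BASE", "LDAP_SCOPE",
                "LDAP_FILTER", "LDAP_USER", "LDAP_PASSWD")

def missing_env(env):
    """Names from REQUIRED_ENV that are unset or empty. Running the script from
    a shell without them is what produced 'LDAP_HOSTS not defined' above."""
    return [name for name in REQUIRED_ENV if not env.get(name)]

def build_request(user, password, tactype="AUTH"):
    """The stdin payload from Marc's printf example: 'id value' lines, then '='."""
    return f"0 TACPLUS\n4 {user}\n8 {password}\n49 {tactype}\n=\n"

def parse_response(text):
    """Turn the script's 'id value' reply lines into a dict keyed by attribute
    name. The trailing '=N' line is stored as STATUS; lines without a numeric
    id (e.g. the 'Default server type is ...' warning) are kept in MESSAGES."""
    result = {"MESSAGES": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("="):
            result["STATUS"] = int(line[1:] or 0)
            continue
        ident, _, value = line.partition(" ")
        if not ident.isdigit():
            result["MESSAGES"].append(line)
            continue
        result[AV_NAMES.get(int(ident), ident)] = value
    return result

def run_backend(script, user, password, env):
    """Call the MAVIS script the way tac_plus or mavistest would: LDAP_* set in
    the environment, request on stdin (so the password stays out of argv/ps)."""
    gaps = missing_env(env)
    if gaps:
        raise RuntimeError("not defined: " + ", ".join(gaps))
    proc = subprocess.run([script], input=build_request(user, password),
                          env=env, capture_output=True, text=True)
    return parse_response(proc.stdout)
```

A RESULT of ACK, NAK, NFD or ERR in the parsed dict corresponds to the RESULT line mavistest prints, so the same checks apply to both ways of calling the backend.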

Kevin Tran
Mar 28, 2015, 2:16:25 PM
to event-driv...@googlegroups.com, Axel Eble, marc.j...@gmail.com
Hi Marc,

I tried both your suggestion and Axel's (by inserting a print statement, as in his last response) and here's what I got:

Possible unintended interpolation of @LDAP_HOSTS in string at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 254.
Global symbol "@LDAP_HOSTS" requires explicit package name at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 254.
BEGIN not safe after errors--compilation aborted at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 282.



Kevin Tran
Mar 28, 2015, 2:44:20 PM
to event-driv...@googlegroups.com
mavistest results.....

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-16303-1427567946-0
USER                test
PASSWORD            xxxx
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-16303-1427567946-0
USER                test
RESULT              ERR
PASSWORD            xxxx
SERIAL              0Lo9Z32Pn7WTQbw0LgjnMA=

Marc Huber
Mar 28, 2015, 2:58:26 PM
to event-driv...@googlegroups.com
Hi Kevin,

On 28.03.15 19:31, Kevin Tran wrote:
> 32 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this
> operation a successful bind must be completed on the connection., data
> 0, v1772
the LDAP_USER and LDAP_PASSWD environment variables are set? This looks
pretty much like an AD LDAP rejecting anonymous binds.

Cheers,

Marc

Kevin Tran
Mar 28, 2015, 3:03:13 PM
to event-driv...@googlegroups.com
Yes both were set correctly.

Marc Huber
Mar 29, 2015, 3:46:19 AM
to event-driv...@googlegroups.com
Hi Kevin,
please retry with the slightly modified Perl script from

http://www.pro-bono-publico.de/projects/unpacked/mavis/perl/mavis_tacplus_ldap.pl

(No change in behavior, but it will show the line number where the LDAP error occurs.)

Cheers,

Marc

Kevin Tran
Mar 29, 2015, 12:52:13 PM
to event-driv...@googlegroups.com
Hi Marc,

I just tried your modified script, but I'm still getting the same error message:

# printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | env LDAP_HOSTS="ldaps://network.abc.org" LDAP_SCOPE="sub" /usr/local/lib/mavis/mavis_tacplus_ldap.pl
Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.
0 TACPLUS
4 root
6 ERR
8
32 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772 (425)
49 AUTH
=0

-Kevin

Marc Huber
Mar 30, 2015, 2:20:30 AM
to event-driv...@googlegroups.com
Hi Kevin,

On 29.03.15 18:52, Kevin Tran wrote:
> I just tried your modified script, but still getting the same error
> message:
>
> # printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | env
> LDAP_HOSTS="ldaps://network.abc.org" LDAP_SCOPE="sub"
> /usr/local/lib/mavis/mavis_tacplus_ldap.pl

yes. That's because you didn't set all required environment variables.
LDAP_USER et al. are missing.

Cheers,

Marc

Kevin Tran
Mar 30, 2015, 10:55:34 AM
to event-driv...@googlegroups.com
OK, I filled in the rest of the missing envs and here we go:

printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | env LDAP_SERVER_TYPE="microsoft" LDAP_HOSTS="ldaps://mydomain:636" LDAP_BASE="dc=xxx,dc=xxx,dc=xxx" LDAP_SCOPE="sub" LDAP_FILTER="(&(objectclass=person)(sAMAccountName=%s))" LDAP_USER="xxx" LDAP_PASSWD="xxx" /usr/local/lib/mavis/mavis_tacplus_ldap.pl

0 TACPLUS
4 root
6 NFD
8
49 AUTH
=16


mavistest -d -1  /usr/local/etc/tac_plus.cfg tac_plus TACPLUS xxx xxx

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-5855-1427727050-0
USER                xxx
PASSWORD            xxx

TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-5855-1427727050-0
USER                xxx
RESULT              NFD
PASSWORD            xxx
SERIAL              dly1EneKqAqkhELYmHBedQ=
TACTYPE             AUTH

How does it look?

Kevin Tran
Mar 30, 2015, 11:06:11 AM
to event-driv...@googlegroups.com
I now got a different result after I modified my ldap_scope env.

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-6149-1427727674-0

USER                xxx
PASSWORD            xxx
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-6149-1427727674-0
USER                xxx
RESULT              ACK
PASSWORD            xxx
SERIAL              0cV7VeXuNdVrRTIK8WgV8w=
DBPASSWORD          xxx
TACTYPE             AUTH

Marc Huber
Mar 31, 2015, 2:09:55 PM
to event-driv...@googlegroups.com
Hi Kevin,

On 30.03.15 17:06, Kevin Tran wrote:
> I now got a different result after I modified my ldap_scope env.
...
> RESULT ACK
this one looks fine, authentication worked.

Cheers,

Marc

Kevin Tran
Mar 31, 2015, 2:44:50 PM
to event-driv...@googlegroups.com
Thanks Marc. It's been great working with you.