Fibre Channel (SAN)

External Moderator
Posts: 5,589
Registered: ‎02-23-2004

Re: LDAP authenticating with wrong password - FOS v7.2.1d

--->>> I am thinking this might potentially be a bug that was not previously discovered in FOS. 

 

--->>> - AD is somehow misconfigured (no idea in what way), or
--->>> - FOS misinterprets the response of the AD for some reason.

 

Then you should open a call with Brocade Support or your OEM vendor if you are of the opinion that this is a bug.

 

I'll try to forward this thread internally to Support for review.

TechHelp24
Occasional Contributor
Posts: 11
Registered: ‎01-28-2016

Re: LDAP authenticating with wrong password - FOS v7.2.1d

Well, I already had a call open with Brocade about the issue (see the initial post).

 

Since the customer is not comfortable with allowing us to use tcpdump/Wireshark on the AD (due to security concerns), and they don't have audit logging enabled (performance concerns, as they have more than 50k users), that investigation stopped dead in its tracks.

 

I am currently most interested in two things, both AD related:

- Either confirm or deny my suspicion about the dashes in OUs causing these problems.

- Find out if there are any settings on the AD side that could cause this kind of behaviour on FOS.

 

BR,

D.

External Moderator
Posts: 5,589
Registered: ‎02-23-2004

Re: LDAP authenticating with wrong password - FOS v7.2.1d

--->>>I am currently most interested in two things, both AD related:

- Either confirm or deny my suspicion about the dashes in OUs causing these problems.

 

I'm not sure, but I'll try to find out.

 

And to be honest, I'm not sure how Linux (FOS is Linux based) handles dashes in such a case.

 

FYI.

 

I've forwarded the thread to Support, only with the question of any such bug.

TechHelp24
Occasional Contributor
Posts: 11
Registered: ‎01-28-2016

Re: LDAP authenticating with wrong password - FOS v7.2.1d

Thanks Antonio,
I appreciate your help.
External Moderator
Posts: 5,589
Registered: ‎02-23-2004

Re: LDAP authenticating with wrong password - FOS v7.2.1d

In the meantime, take a look at this article please.

 

https://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx#id0060006

 

TechHelp24
New Member
Posts: 1
Registered: ‎06-10-2016

Re: LDAP authenticating with wrong password - FOS v7.2.1d

I'm not an LDAP nor AD admin, so excuse me if my terminology is a bit off.

 

We have dashes in group names, no issues.  I verified it with one of the groups the user was a member of.  It also works with long usernames (I tested up to 13 characters).  I could not test usernames w/ dashes, but I think it's an allowed character for local accounts and LDAP groups, so I don't see why that would be a problem w/ LDAP users.

 

After banging my head for a day getting ours to work, what I did find is:

* the username that you must specify when logging in should match the userPrincipalName EXACTLY as reported in ldapsearch even if it has an @domain suffix, AND

* the domain you specify in aaaConfig should exactly match your combined DC, AND

* the group must be of type Global/Security, others won't work.

 

 

Occasional Contributor
Posts: 11
Registered: ‎01-28-2016

Re: LDAP authenticating with wrong password - FOS v7.2.1d

Here's the conclusion of this story... We worked on this in private with Brocade support, so I felt the need to share the results in this thread.

 

---------------------------

After investigation, this issue is reproducible with both OpenLDAP & Windows AD directory environments if the directory service is configured to allow anonymous access.

 

Because a directory service that allows anonymous access will allow LDAP searches and binds without authentication, FOS will receive the data it is querying for, and as such will consider the user as authenticated (user is who they say they are).

 

FOS will then proceed with additional queries to determine authorization (what user is authorized for, ie. group membership). If the user is a member of a group configured to allow access (via ldapcfg --maprole command on the switch), then the switch will allow the login to complete.

 

Recommendation is for customer to disable anonymous access to the directory services, or not use LDAP authentication.

 

Engineering will be making changes in future code (tentatively 7.4.2) releases that will prevent logins with incorrect or null passwords in AD environments that have anonymous AD access enabled. The changes should be made under DEFECT000602285.

---------------------------

 

Thanks to everyone who contributed to this thread!

BR,

D.
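The support conclusion quoted above describes a decision flow in which a directory lookup that returns data is mistaken for proof of identity, so that with anonymous access enabled a wrong or empty password still yields a login. The following is an added example, not FOS code and not written by anyone in this thread: a small stdlib-only Python model of that flow beside a hardened one. The in-memory directory, the user and service-account entries, the passwords, the OU name with dashes (echoing the earlier suspicion in the thread) and the group-to-role table standing in for `ldapcfg --maprole` are all constructed for the illustration; the result codes are the RFC 4511 values, and the "authzid" a bind returns stands in for what the RFC 4532 "Who am I?" extended operation would report on a real server.

```python
from dataclasses import dataclass

# LDAP resultCode values (RFC 4511, section 4.1.9)
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53

# Constructed stand-in for the switch's `ldapcfg --maprole` table: group DN -> role
ROLE_MAP = {"CN=san-admins,OU=it-ops,DC=example,DC=com": "admin"}

# Constructed service identity, used only for the DN lookup in the hardened flow
SVC_DN, SVC_PW = "CN=svc-fos,OU=service-accounts,DC=example,DC=com", "svc-secret"


@dataclass
class SimulatedDirectory:
    """Toy in-memory stand-in for an AD/OpenLDAP server (a simulation, not server code).

    With allow_anonymous=True an empty-password bind is accepted as an anonymous
    session (RFC 4513, 5.1.1/5.1.2) and that session may search: the directory
    configuration the support conclusion describes.
    """
    entries: dict      # dn -> {attribute: [values]}
    passwords: dict    # dn -> password
    allow_anonymous: bool

    def bind(self, dn, password):
        """Simple bind. Returns (resultCode, authzid); authzid models what a later
        'Who am I?' (RFC 4532) would report and is '' for an anonymous session."""
        if password == "":
            if self.allow_anonymous:
                return SUCCESS, ""              # anonymous/unauthenticated bind accepted
            return UNWILLING_TO_PERFORM, ""     # RFC 4513 5.1.2 default: refuse it
        if self.passwords.get(dn) == password:
            return SUCCESS, dn
        return INVALID_CREDENTIALS, ""

    def search(self, authzid, attr, value):
        """Equality search; an anonymous session gets results only when allowed."""
        if authzid == "" and not self.allow_anonymous:
            return []
        return [(dn, a) for dn, a in self.entries.items() if value in a.get(attr, [])]


def role_for(attrs):
    """Authorization step: first memberOf group that has a mapped role."""
    for group in attrs.get("memberOf", []):
        if group in ROLE_MAP:
            return ROLE_MAP[group]
    return None


def vulnerable_login(directory, upn, password):
    """Models the flaw from the thread: an anonymous session looks the user up and,
    because data came back, the user is treated as authenticated. The supplied
    password is never checked against the directory."""
    code, session = directory.bind("", "")
    if code != SUCCESS:
        return None
    hits = directory.search(session, "userPrincipalName", upn)
    if not hits:
        return None
    return role_for(hits[0][1])         # authorization without authentication


def hardened_login(directory, upn, password):
    """Gates the decision on a simple bind as the user's own DN with a non-empty
    password, and confirms the session identity is that DN, not anonymous."""
    if password == "":
        return None                     # empty password = anonymous bind, not a login
    code, svc = directory.bind(SVC_DN, SVC_PW)
    if code != SUCCESS:
        return None
    hits = directory.search(svc, "userPrincipalName", upn)
    if len(hits) != 1:
        return None                     # the UPN must match exactly one entry
    dn, attrs = hits[0]
    code, authz = directory.bind(dn, password)
    if code != SUCCESS or authz != dn:
        return None                     # a bind that "succeeded" anonymously is not proof
    return role_for(attrs)


def build_directory(allow_anonymous):
    """Constructed sample data: one user in an OU whose name contains dashes."""
    user_dn = "CN=alice,OU=san-admins-ou,DC=example,DC=com"
    entries = {
        user_dn: {"userPrincipalName": ["alice@example.com"],
                  "memberOf": ["CN=san-admins,OU=it-ops,DC=example,DC=com"]},
        SVC_DN: {},
    }
    passwords = {user_dn: "correct-horse", SVC_DN: SVC_PW}
    return SimulatedDirectory(entries, passwords, allow_anonymous)


def demo():
    """Runs both flows against both directory configurations; returns the outcomes."""
    out = {}
    for anon in (True, False):
        d = build_directory(anon)
        for pw in ("wrong", "", "correct-horse"):
            out[(anon, "vulnerable", pw)] = vulnerable_login(d, "alice@example.com", pw)
            out[(anon, "hardened", pw)] = hardened_login(d, "alice@example.com", pw)
    return out


if __name__ == "__main__":
    for key, role in sorted(demo().items(), key=str):
        print(key, "->", role)
```

Running it shows the vulnerable flow granting "admin" for a wrong or empty password whenever anonymous access is on, and failing only once anonymous access is off, which is exactly why "disable anonymous access" closes the hole; the hardened flow denies the wrong and empty passwords in both configurations. Against a real directory the same two checks map onto the OpenLDAP client tools: an `ldapsearch -x` with no `-D`/`-w` against the users' base tells you whether anonymous searches are served, and `ldapwhoami` after a bind shows what identity, if any, the server actually attached to the session.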

 

Former Brocadian
Posts: 95
Registered: ‎03-23-2015

Re: LDAP authenticating with wrong password - FOS v7.2.1d

Hey @dkosmac,

 

Glad support was able to help you out and huge thank you for coming back to the board and posting the resolution to help others!

Dennis Smith
Manager Brocade Communities
@DennisMSmith
