For authenticating users in our NetScreen firewall's VPN module, our company uses an OpenLDAP server as the authentication server. As a newbie, I simply configured the server as the NetScreen manual instructed.
On the WebUI, go to Configuration -> Auth -> Auth Servers and click “New”. In the page, enter:

  Name: OpenLDAP Server
  IP: 192.168.1.24
  Account Type: (Select) Auth, (Select) L2TP, (Select) XAuth
  Source Interface: bgroup1 (Zone Trust)
  (Select) LDAP
  LDAP Port: 389
  Common Name: uid
  Distinguished Name (dn): ou=users,dc=walkmen,dc=net
Simple, right? After that I tried to connect to the server, but no matter what username and password I entered, the NetScreen denied me with a password error message. So I tried to debug on the OpenLDAP side.
Edit /etc/ldap/slapd.conf and add the line “loglevel 1023” before modulepath, or in the main section, so slapd logs every operation.
Then check the system log at /var/log/syslog.
We found the following error during the NetScreen authentication:
Mar 6 10:56:38 ldap01 slapd[17629]: >>> dnPrettyNormal: <uid=miguel,ou=users,dc=walkmen,dc=net>
Mar 6 10:56:38 ldap01 slapd[17629]: <<< dnPrettyNormal: <uid=miguel,ou=users,dc=walkmen,dc=net>, <uid=miguel,ou=users,dc=walkmen,dc=net>
Mar 6 10:56:38 ldap01 slapd[17629]: do_bind: version=2 dn="uid=miguel,ou=users,dc=walkmen,dc=net" method=128
Mar 6 10:56:38 ldap01 slapd[17629]: conn=5 op=0 BIND dn="uid=miguel,ou=users,dc=walkmen,dc=net" method=128
Mar 6 10:56:38 ldap01 slapd[17629]: send_ldap_result: conn=5 op=0 p=2
Mar 6 10:56:38 ldap01 slapd[17629]: send_ldap_result: err=2 matched="" text="historical protocol version requested, use LDAPv3 instead"
Mar 6 10:56:38 ldap01 slapd[17629]: send_ldap_response: msgid=1 tag=97 err=2
Mar 6 10:56:38 ldap01 slapd[17629]: conn=5 op=0 RESULT tag=97 err=2 text=historical protocol version requested, use LDAPv3 instead
The error text shows the problem: the NetScreen binds with LDAP protocol version 2 (do_bind: version=2), which OpenLDAP refuses by default with err=2 (protocolError). For backward compatibility, add the line “allow bind_v2” to the main section of /etc/ldap/slapd.conf. Note that the bind is a simple bind (method=128) on port 389, so the password crosses the network in cleartext unless the connection is protected with TLS.
We retried the authentication. This time, the NetScreen authenticated me successfully. Finally we ask: why does the NetScreen not support LDAP version 3, and why is this not documented?
Anyway, it’s fixed, lucky!
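As an added example (not code from the original post), here is a small Python parser that correlates the do_bind, BIND and RESULT lines slapd writes at loglevel 1023 into one record per bind, and tells an LDAPv2 refusal like the one above apart from an ordinary bad password. The sample log lines are constructed, modelled on the ones in the post, with a second successful LDAPv3 bind added.

```python
import re

# Constructed sample (not the post's own log): an LDAPv2 simple bind that slapd
# refuses by default, then an LDAPv3 bind that succeeds. slapd logs do_bind
# (which carries the version) right before the conn=/op= BIND line.
SAMPLE_LOG = """\
Mar 6 10:56:38 ldap01 slapd[17629]: do_bind: version=2 dn="uid=miguel,ou=users,dc=walkmen,dc=net" method=128
Mar 6 10:56:38 ldap01 slapd[17629]: conn=5 op=0 BIND dn="uid=miguel,ou=users,dc=walkmen,dc=net" method=128
Mar 6 10:56:38 ldap01 slapd[17629]: send_ldap_result: err=2 matched="" text="historical protocol version requested, use LDAPv3 instead"
Mar 6 10:56:38 ldap01 slapd[17629]: conn=5 op=0 RESULT tag=97 err=2 text=historical protocol version requested, use LDAPv3 instead
Mar 6 10:57:02 ldap01 slapd[17629]: do_bind: version=3 dn="uid=miguel,ou=users,dc=walkmen,dc=net" method=128
Mar 6 10:57:02 ldap01 slapd[17629]: conn=6 op=0 BIND dn="uid=miguel,ou=users,dc=walkmen,dc=net" method=128
Mar 6 10:57:02 ldap01 slapd[17629]: conn=6 op=0 RESULT tag=97 err=0 text=
"""

DO_BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+) text=(.*)')

def parse_binds(log_text):
    """One record per (conn, op): dn, method (128 = simple), version, err, text."""
    pending_version = None  # version from the most recent do_bind line
    binds = {}
    for line in log_text.splitlines():
        m = DO_BIND_RE.search(line)
        if m:
            pending_version = int(m.group(1))
            continue
        m = BIND_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            binds[key] = {"conn": key[0], "op": key[1], "dn": m.group(3),
                          "method": int(m.group(4)), "version": pending_version,
                          "err": None, "text": ""}
            pending_version = None
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == 97:  # tag 97 = BindResponse
            key = (int(m.group(1)), int(m.group(2)))
            if key in binds:
                binds[key]["err"] = int(m.group(4))
                binds[key]["text"] = m.group(5).strip()
    return [binds[k] for k in sorted(binds)]

def diagnose(record):
    """The verdict an admin wants from one bind record."""
    if record["err"] == 2 and record["version"] == 2:
        return "LDAPv2 bind refused: set 'allow bind_v2' in slapd.conf or fix the client"
    if record["err"] == 0:
        return "bind succeeded"
    return "bind failed with err=%s: %s" % (record["err"], record["text"])
```

Feed it the relevant lines from /var/log/syslog; any record with err=2 and version=2 is the case this post fixes, while err=49 (invalidCredentials) means the bind reached the server and the password itself was wrong.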
2 Responses
nmgeek
July 24th, 2009 at 2:07 am
This is an old post. The solution does not work in OS X Server 10.5.7.
Instead, you need to use the ldapmodify command.
See http://www.stbernard.com/products/support/iprism/help/iPrism/Authentication/LDAP/OSXOpenDirectory/IP0407.htm
thinks
June 19th, 2010 at 9:22 am
Thinks!!! The same questions.