不涉及
ssl vpn 结合ldap认证不成功,查看debug
发现ldap 查询用户失败。
1、检查设备相关配置,调用本地证书
pki domain sslvpn
public-key rsa general name sslvpn
undo crl check enable
sslvpn gateway sslvpn_gateway
ip address 221.5.10X.X
service enable
interface SSLVPN-AC1
ip address 10.1.229.254 255.255.255.0
sslvpn ip address-pool sslvpnpool 10.1.229.1 10.1.229.253
sslvpn context sslvpn_instance
gateway sslvpn_gateway
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool sslvpnpool mask 255.255.255.0
ip-route-list H3Colud_Desktop
include 10.1.1.1 255.255.255.255
include 10.1.200.1 255.255.255.255
include 10.1.200.219 255.255.255.255
include 10.1.219.0 255.255.255.0
include 10.1.242.0 255.255.255.0
policy-group resourcegrp
filter ip-tunnel acl 3999
ip-tunnel access-route ip-route-list H3Colud_Desktop
ip-tunnel address-pool sslvpnpool mask 255.255.255.0
default-policy-group resourcegrp
aaa domain rdc
service enable
domain rdc
authentication sslvpn ldap-scheme ***.***
authorization sslvpn ldap-scheme ***.***
accounting sslvpn none
ldap scheme ***.***
authentication-server ***.***
authorization-server ***.***
attribute-map ***.***
ldap server ***.***
login-dn cn=h3cldap,cn=users,dc=grgit,dc=com
search-base-dn dc=grgit,dc=com,cn=users
ip 10.1.1.1
login-password cipher $c$3$6zyzJh/1YDe9Y42IYNHPtHl73Ueps+22bSej
ldap attribute-map ***.*** //添加用户时设置的属性字段
map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
2、
<H3C>debugging ldap all
<H3C>debugging sslvpn aaa
Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Processing LDAP authentication.
*Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Data of authentication request successfully sent.
*Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Processing AAA request data.
*Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:LDAP server is: 10.1.1.1.
*Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Current bind state is 4.
*Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Search user when authentication.
*Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Username is jiayu.
*Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP[Authen]:Search filter is (&(objectClass=person)(cn=jiayu)).
*Apr 3 18:11:51:843 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP[Authen]:Search base DN is dc=grgit,dc=com,cn=users.
*Apr 3 18:11:51:844 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Response timeout timer successfully created.
*Apr 3 18:11:51:844 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Get result message errno = 1
Apr 3 18:11:51:844 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:User jiayu search done.
*Apr 3 18:11:51:844 2020 H3C LDAP/7/ERROR: -COntext=1;
PAM_LDAP:Failed to search users.
*Apr 3 18:11:51:844 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Processing LDAP authentication.
*Apr 3 18:11:51:844 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:Data of authentication reply successfully obtained, resultCode: 1.
去掉cn=users后打debug出现了如下报错
*Apr 7 14:41:27:115 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP:User jiayu search done.
*Apr 7 14:41:27:115 2020 H3C LDAP/7/EVENT: -COntext=1;
PAM_LDAP[State]:State switch from authentication searching to binding user.
*Apr 7 14:41:27:115 2020 H3C LDAP/7/ERROR: -COntext=1;
PAM_LDAP:Failed to bind user jiayu for the result of searching DN is NULL.
用户名不对,增加 user-parameters user-name-attribute sAMAccountName解决。
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作