mpjpenny

asked on

Juniper Netscreen 1000 SSL authenticating with Domino server via LDAP

Hi there

I've been trying to get our new Juniper Netscreen 1000 SSL box to authenticate remote users to our Domino servers via LDAP but having little success. I can get the Juniper to talk to the Windows 2003 LDAP but Notes refuses to speak to it. This will soon become apparent anyway, but a point worth bearing in mind when reading this is that I am not at all hot on Notes!

Using an LDAP browser I can communicate with our Notes servers fine. Using LDP.exe (free Microsoft LDAP browser) or Softerra's free browser, I can see the top level, which appears to be named DN, and then all the entries below that. I've also found that if I give the browser a DN of "ou=uk,o=abc" I can get it to just show a section of the users. This is all fine but the Juniper box still refuses to speak using the settings I give it. Also the logging on the Juniper is pretty poor so all I get is the below line. I haven't managed to work out how to switch on LDAP logging on the Notes servers either, as that could give me some more info:

Juniper log reads:
"Login failed using auth server Domino1. Reason: Failed"

I've been speaking to Juniper themselves on several occasions, but they seem to know little about this particular setup. It seems to me that I need a Notes guru rather than someone that knows the Juniper!

The main settings I can give the Juniper box are as follows:

Basic settings:

Name:               (friendly name)
LDAP Server:       (tried both hostname & IP address although guessing it won't matter which I use)
LDAP Port:       (the notes server is using 390 instead of 389)

LDAP Server Type:        (drop down: Generic, Active Directory, iPlanet, Novell eDirectory - I've obviously been setting this to Generic)
Connection:           (unencrypted or LDAPS - I'm guessing that LDAPS would only be used on port 636 for secure LDAP so I've set it as unencrypted)

Authentication required?
AdminDN:
Password:      (Not sure if I need to fill out this section or not, and if I do exactly how to fill it out. Also if the adminDN field needs filling out, does it require an admin account or basic user?)

Finding user entries
Specify how to find a user entry
Base DN:             example: dc=sales,dc=com      (tried both dn & ou=uk,o=abc in this field)
Filter:               example: cn=<USER>        (You seem to have to put something=<USER> where <USER> is how the Juniper box expects the user name returned. That's my impression of how it works anyway! I've tried various things such as cn=<USER>, fullname=<USER>, uid=<USER> but nothing works)

I've not touched the following section yet as I have no idea how to fill it out:

Determining group membership
If group membership is NOT reflected as attributes of a user's entry, specify how to find group entries. Note that these are default settings that you can override on a per-group basis in the Server Catalog.

Base DN:             example: dc=sales,dc=com
Filter:             example: cn=<GROUPNAME>
Member Attribute:             Attribute used to identify members of a static group
Query Attribute:             Attribute used to determine members of a dynamic group
Nested Group Level:             Maximum depth of nested group
Nested Group Search:       Nested groups in Server Catalog (faster, but less flexible)
                           Search all nested groups (slower, but more flexible)

Lastly:

Bind options
If this server will be used to authenticate users, select one of the following methods for binding.
Bind method:             Simple bind              StartTLS bind  (I've left it as 'simple bind')

Many thanks in advance! Please let me know if more info is required.

Mike Penny
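The "Finding user entries" section above is where most of the guesswork sits: the appliance substitutes the login name for `<USER>` in the Filter template and runs a search under the Base DN. The following is an added example (not code from the original post, from Juniper or from IBM/Lotus) that reproduces that expansion in Python, escaping the login name per RFC 4515 so a name containing filter metacharacters cannot change the query, and splitting a Base DN such as `ou=uk,o=abc` into its RDNs so a typo is caught before it reaches the appliance. The function names and sample values are constructed for illustration.

```python
"""Build and sanity-check the user-lookup settings the Juniper form asks for.

Added example for this thread; it is not code from the original post,
from Juniper or from IBM/Lotus.  It shows how a Filter template such as
cn=<USER> becomes an LDAP search filter (the <USER> placeholder replaced
with the login name, escaped per RFC 4515 so a crafted login name cannot
alter the filter), and how a Base DN such as ou=uk,o=abc is split into
its RDNs.  The function names and sample values are constructed.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Expand a template like 'cn=<USER>' into a parenthesised search filter.

    The appliance substitutes the login name for <USER>; doing the same
    here, with escaping, shows exactly what will be sent to the directory.
    """
    if "<USER>" not in template:
        raise ValueError("filter template must contain <USER>")
    attr = template.split("=", 1)[0].lstrip("(").strip()
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
        raise ValueError(f"not an LDAP attribute name: {attr!r}")
    body = template.replace("<USER>", escape_filter_value(username))
    # A bare attr=value assertion is only a valid filter once wrapped in parentheses.
    return body if body.startswith("(") else f"({body})"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN such as 'ou=uk,o=abc' into (attribute, value) pairs.

    Splits only on commas that are not backslash-escaped, so a value like
    'cn=Smith\\, John' stays intact.  Attribute names are lower-cased for
    comparison; values are left as typed.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN (no '='): {rdn.strip()!r}")
        attr, _, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in RDN: {rdn.strip()!r}")
        pairs.append((attr.lower(), value))
    return pairs


def describe_lookup(base_dn: str, template: str, username: str) -> dict:
    """Return the search base and filter the appliance would use for one login."""
    return {
        "base": parse_dn(base_dn),
        "filter": build_user_filter(template, username),
    }


if __name__ == "__main__":
    # Sample values are constructed; they are not the thread's real directory.
    for tmpl in ("cn=<USER>", "uid=<USER>"):
        print(describe_lookup("ou=uk,o=abc", tmpl, "mpenny"))
    # A login name carrying filter metacharacters is escaped, not interpreted.
    print(build_user_filter("cn=<USER>", "x)(objectClass=*"))
```

Running the script against the two templates the question mentions prints the exact base and filter pair, which is what to compare with what an LDAP browser returns for a known user; the last line shows that a login name containing `)(` or `*` is passed through as literal escaped characters rather than as extra filter terms.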

Sjef Bosman

Is there anything in the Domino logfile pertaining to this setup? I mean, when you get the error "Login failed", what does the log database say?
mpjpenny

ASKER

Nothing at all! (At least nothing pertaining to the failed LDAP attempts.) Apparently you need to switch on LDAP logging on the Notes side but so far I've been unable to work out how to do that. Any thoughts on how to set that up would be appreciated.

Sjef Bosman

Silly question maybe, but the documents you found searching Google on "authenticate domino ldap ssl" were no success? There seem to be some pretty interesting ones.

mpjpenny

ASKER

Silly answer to your silly question: I have been on Google for the last two days and no, I have not found the answer there so far. No offence meant, but I use Experts Exchange to receive an answer from an expert, not to be told to Google it.

Update:

I've now managed to switch on logging on the Notes LDAP service, but whilst it appears to log when the Juniper box itself fails to authenticate, it appears to log nothing when it IS authenticating. I.e. Notes now isn't logging anything but it's still failing. Unless I'm looking in the wrong place for the activity log entries. I'm checking the log.nsf.

It seems to me that the main problem could be that I do not know how to retrieve the correct DN from the Domino server. Is there an area that I can retrieve the correct DN or is it not that simple?

Thanks
ASKER CERTIFIED SOLUTION
Sjef Bosman

This solution is only available to members.

mpjpenny

ASKER

No probs! =)

The Juniper's logging (in this case at least) is about as much use as an ashtray on a motorbike. This is all I get: "Login failed using auth server Domino1. Reason: Failed". I believe there is network activity as I did get the activity log on the Notes box to show an LDAP authentication error when I purposely got the login details wrong. Once those are correct though, the Notes box logs nothing else.

I like the idea of the sniffer, thanks. Didn't think of that. I guess it must be clear text if it's standard LDAP? I have a good sniffer installed on my laptop so I might stick the Juniper on a hub and give that a go later.

We were under a lot of pressure to get this finished so I have a Notes expert in today. Will post again / award etc later on if necessary!

Thanks
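The guess in the reply above is right: with the form's "unencrypted" connection and "Simple bind" options, the bind DN and password travel as plain BER octet strings, so a capture on the LDAP port exposes the AdminDN password and, where the appliance verifies a user by binding as that user, each user's password as well. The following is an added example (not code from the original thread, from Juniper or from IBM/Lotus) that decodes a simple BindRequest exactly as a sniffer would, to show which fields are readable; the sample packet is built in the script with a minimal BER encoder and its DN and password are made up. This is the reason the StartTLS bind option, or LDAPS, is the right choice once the lookup itself is working.

```python
"""Decode an LDAP simple BindRequest the way a packet sniffer would.

Added example for this thread; not code from the original post, from
Juniper or from IBM/Lotus.  A simple bind (RFC 4511 section 4.2) over an
unencrypted connection carries the bind DN and the password as plain
OCTET STRINGs, so anyone capturing traffic on the LDAP port can read the
AdminDN password and, when the appliance verifies users by binding as
them, each user's password.  The sample packet is constructed here with a
minimal BER encoder; the DN and password in it are made up.
"""


def _ber_length(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form from 128 up)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Encode a non-negative INTEGER content, keeping the sign bit clear."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value wrapper used by the encoder."""
    return bytes([tag]) + _ber_length(len(content)) + content


def encode_simple_bind(msg_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """Build an LDAPMessage carrying a simple BindRequest (used for the sample)."""
    bind = (
        _tlv(0x02, _ber_int(version))        # version INTEGER
        + _tlv(0x04, dn.encode())            # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode())      # authentication: simple [0] OCTET STRING
    )
    # BindRequest is [APPLICATION 0] constructed, tag 0x60; the outer SEQUENCE is 0x30.
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(packet: bytes) -> dict:
    """Extract message id, protocol version, bind DN and password from a BindRequest."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL mechanism in use)")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(),
        "password": auth.decode(),  # readable as-is: nothing protects it on the wire
    }


# Constructed sample capture: what an unencrypted admin bind looks like on port 390.
SAMPLE_BIND = encode_simple_bind(1, "cn=vpn-bind,ou=uk,o=abc", "made-up-password")

if __name__ == "__main__":
    print(SAMPLE_BIND.hex())
    print(decode_simple_bind(SAMPLE_BIND))
```

The decoder deliberately handles only what a simple bind contains; a capture showing a `0xA3` authentication tag instead of `0x80` means SASL is in use, which the Juniper form does not offer here. Seeing the bind and its response in the capture also answers the "is it even sending packets" question faster than either side's logs did in this thread.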
mpjpenny

ASKER

You are a god! I sniffed it and whilst the Juniper box was happily sending packets with another LDAP profile I'd set up to a Windows box, it wasn't sending a thing when a logon attempt was made whilst set to use the Notes server for LDAP. I deleted the Notes profile, recreated it and it started sending packets on logon attempts straight away. A couple of minor tweaks later and it's all working!

Many thanks!
Sjef Bosman

You're welcome!

Sjef :)