[j-nsp] SRX100 LDAP
Шепелев Андрей
xamalon4eg at gmail.com
Tue Mar 18 06:54:56 EDT 2014
Hi All !
I`m trying to made a web portal auth with LDAP integration on SRX 100.
Here is the config:
## Last changed: 2014-03-11 05:44:05 UTC
version 11.2R4.3;
system {
host-name test-srx100.adm.n.tp.ru;
root-authentication {
encrypted-password "$1$yo2A3wox$K/.Epl658XW1r4Z9BgDWm0"; ##
SECRET-DATA
}
name-server {
10.60.0.5;
8.8.8.8;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
processes {
general-authentication-service {
traceoptions {
file auth-debug;
flag all;
}
}
}
}
interfaces {
fe-0/0/0 {
unit 0;
}
fe-0/0/1 {
vlan-tagging;
unit 101 {
description Users;
vlan-id 101;
family inet {
address 10.60.0.200/24;
}
}
unit 105 {
description Management;
vlan-id 105;
family inet {
address 172.20.0.200/24;
}
}
}
fe-0/0/2 {
unit 0;
}
fe-0/0/3 {
unit 0;
}
fe-0/0/4 {
unit 0;
}
fe-0/0/5 {
unit 0;
}
fe-0/0/6 {
unit 0;
}
fe-0/0/7 {
unit 0 {
description ISP1;
family inet {
address 46.250.34.22/24;
}
}
}
vlan {
unit 0;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 46.250.34.1;
route 10.60.0.0/21 next-hop 10.60.0.1;
route 172.20.0.0/24 next-hop 172.20.0.1;
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
firewall-authentication {
pass-through {
access-profile TPAD;
web-redirect;
}
}
}
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/1.101;
fe-0/0/1.105;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
fe-0/0/7.0;
}
}
}
}
access {
profile TPAD {
authentication-order ldap;
ldap-options {
base-distinguished-name dc=tp,dc=ru;
search {
search-filter sAMAccountName=;
admin-search {
distinguished-name cn=junos,ou=users,dc=tp,dc=ru;
password "$9$NOdY4jHmfQFDjApuOREwY2oDi"; ## SECRET-DATA
}
}
}
ldap-server {
10.60.0.5;
}
}
firewall-authentication {
pass-through {
default-profile TPAD;
}
web-authentication {
default-profile TPAD;
}
}
}
vlans {
vlan-trust {
vlan-id 3;
}
}
and thus far i only managed to made web portal show me the web page. But
all my tries to made LDAP work failed. It always said: incorrect password,
also if i use monitor trafic command, i saw only uskess packets and no
packets addressed to the LDAP server.
Any traceoptions find no clue, it looks like srx don`t want to try to send
requests to LDAP.
Any clues?
thx
More information about the juniper-nsp
mailing list