[j-nsp] SRX100 LDAP
Ben Dale
bdale at comlinx.com.au
Wed Mar 19 03:26:25 EDT 2014
It's been a long time since I've played with this, but it's not something simple like:
set access-profile TPAD
is it? The Junos doco doesn't mention it, but for some applications you need to specifically activate the access-profile.
On 18 Mar 2014, at 8:54 pm, Шепелев Андрей <xamalon4eg at gmail.com> wrote:
> Hi All !
>
> I'm trying to make web portal auth with LDAP integration on an SRX 100.
>
> Here is the config:
>
> ## Last changed: 2014-03-11 05:44:05 UTC
> version 11.2R4.3;
> system {
>     host-name test-srx100.adm.n.tp.ru;
>     root-authentication {
>         encrypted-password "$1$yo2A3wox$K/.Epl658XW1r4Z9BgDWm0"; ## SECRET-DATA
>     }
>     name-server {
>         10.60.0.5;
>         8.8.8.8;
>     }
>     services {
>         ssh;
>         telnet;
>         xnm-clear-text;
>         web-management {
>             http;
>         }
>     }
>     syslog {
>         archive size 100k files 3;
>         user * {
>             any emergency;
>         }
>         file messages {
>             any critical;
>             authorization info;
>         }
>         file interactive-commands {
>             interactive-commands error;
>         }
>     }
>     max-configurations-on-flash 5;
>     max-configuration-rollbacks 5;
>     license {
>         autoupdate {
>             url https://ae1.juniper.net/junos/key_retrieval;
>         }
>     }
>     processes {
>         general-authentication-service {
>             traceoptions {
>                 file auth-debug;
>                 flag all;
>             }
>         }
>     }
> }
> interfaces {
>     fe-0/0/0 {
>         unit 0;
>     }
>     fe-0/0/1 {
>         vlan-tagging;
>         unit 101 {
>             description Users;
>             vlan-id 101;
>             family inet {
>                 address 10.60.0.200/24;
>             }
>         }
>         unit 105 {
>             description Management;
>             vlan-id 105;
>             family inet {
>                 address 172.20.0.200/24;
>             }
>         }
>     }
>     fe-0/0/2 {
>         unit 0;
>     }
>     fe-0/0/3 {
>         unit 0;
>     }
>     fe-0/0/4 {
>         unit 0;
>     }
>     fe-0/0/5 {
>         unit 0;
>     }
>     fe-0/0/6 {
>         unit 0;
>     }
>     fe-0/0/7 {
>         unit 0 {
>             description ISP1;
>             family inet {
>                 address 46.250.34.22/24;
>             }
>         }
>     }
>     vlan {
>         unit 0;
>     }
> }
> routing-options {
>     static {
>         route 0.0.0.0/0 next-hop 46.250.34.1;
>         route 10.60.0.0/21 next-hop 10.60.0.1;
>         route 172.20.0.0/24 next-hop 172.20.0.1;
>     }
> }
> protocols {
>     stp;
> }
> security {
>     screen {
>         ids-option untrust-screen {
>             icmp {
>                 ping-death;
>             }
>             ip {
>                 source-route-option;
>                 tear-drop;
>             }
>             tcp {
>                 syn-flood {
>                     alarm-threshold 1024;
>                     attack-threshold 200;
>                     source-threshold 1024;
>                     destination-threshold 2048;
>                     timeout 20;
>                 }
>                 land;
>             }
>         }
>     }
>     nat {
>         source {
>             rule-set trust-to-untrust {
>                 from zone trust;
>                 to zone untrust;
>                 rule source-nat-rule {
>                     match {
>                         source-address 0.0.0.0/0;
>                     }
>                     then {
>                         source-nat {
>                             interface;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     policies {
>         from-zone trust to-zone untrust {
>             policy trust-to-untrust {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit {
>                         firewall-authentication {
>                             pass-through {
>                                 access-profile TPAD;
>                                 web-redirect;
>                             }
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     zones {
>         security-zone trust {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 fe-0/0/1.101;
>                 fe-0/0/1.105;
>             }
>         }
>         security-zone untrust {
>             screen untrust-screen;
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 fe-0/0/0.0 {
>                     host-inbound-traffic {
>                         system-services {
>                             dhcp;
>                             tftp;
>                         }
>                     }
>                 }
>                 fe-0/0/7.0;
>             }
>         }
>     }
> }
> access {
>     profile TPAD {
>         authentication-order ldap;
>         ldap-options {
>             base-distinguished-name dc=tp,dc=ru;
>             search {
>                 search-filter sAMAccountName=;
>                 admin-search {
>                     distinguished-name cn=junos,ou=users,dc=tp,dc=ru;
>                     password "$9$NOdY4jHmfQFDjApuOREwY2oDi"; ## SECRET-DATA
>                 }
>             }
>         }
>         ldap-server {
>             10.60.0.5;
>         }
>     }
>     firewall-authentication {
>         pass-through {
>             default-profile TPAD;
>         }
>         web-authentication {
>             default-profile TPAD;
>         }
>     }
> }
> vlans {
>     vlan-trust {
>         vlan-id 3;
>     }
> }
>
>
> and thus far I have only managed to make the web portal show me the web page. But
> all my attempts to make LDAP work have failed. It always says "incorrect password";
> also, if I use the monitor traffic command, I see only useless packets and no
> packets addressed to the LDAP server.
> Any traceoptions find no clue; it looks like the SRX doesn't want to try to send
> requests to LDAP.
>
> Any clues?
>
> thx
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
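Before touching the box, a quick way to work through the question in the reply (does the policy's `access-profile` reference resolve, is an LDAP server actually configured under that profile, and is there a top-level `access-profile` statement of the kind Ben asks about) is to parse the pasted configuration and check the cross-references. The following is an added example, not code from the thread or from Juniper: `parse_junos`, `referenced_profiles`, `check_config` and `SAMPLE_CONFIG` are names I chose, the embedded config is a constructed excerpt modelled on the thread, and the top-level statement is reported as something to try, not as a confirmed Junos requirement.

```python
# Added example, not code from the thread: it parses `show configuration` text
# and checks the references a pass-through firewall-authentication policy needs.
# The embedded config is a constructed excerpt modelled on the thread.
import re
from dataclasses import dataclass, field


@dataclass
class Node:  # one `name { ... }` stanza; statements are `leaf;` lines, ';' stripped
    name: str
    children: list = field(default_factory=list)
    statements: list = field(default_factory=list)

    def child(self, name):
        return next((c for c in self.children if c.name == name), None)


def parse_junos(text):
    """Build a Node tree from Junos curly-brace configuration text."""
    stack = [Node("")]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop '## SECRET-DATA' comments
        if not line:
            continue
        if line.endswith("{"):
            stack[-1].children.append(Node(line[:-1].strip()))
            stack.append(stack[-1].children[-1])
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1].statements.append(line[:-1].strip())
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]


def referenced_profiles(root):
    """Names used as `access-profile X;` inside any stanza (root statements excluded)."""
    found, todo = set(), list(root.children)
    while todo:
        node = todo.pop()
        found.update(m.group(1) for s in node.statements
                     if (m := re.fullmatch(r"access-profile (\S+)", s)))
        todo.extend(node.children)
    return found


def check_config(text):
    """Return findings as strings; an empty list means every reference resolves."""
    root = parse_junos(text)
    access = root.child("access")
    defined = {c.name.split(" ", 1)[1]: c for c in (access.children if access else [])
               if c.name.startswith("profile ")}
    # a top-level `access-profile X;` is the statement Ben's reply asks about
    top_level = {s.split(" ", 1)[1] for s in root.statements
                 if s.startswith("access-profile ")}
    findings = []
    for name in sorted(referenced_profiles(root)):
        prof = defined.get(name)
        if prof is None:
            findings.append(f"access-profile {name} referenced but [edit access profile {name}] missing")
            continue
        servers = prof.child("ldap-server")
        if servers is None or not servers.statements:
            findings.append(f"profile {name}: no ldap-server configured")
        if name not in top_level:
            findings.append(f"profile {name}: no top-level 'access-profile {name};'")
    return findings


SAMPLE_CONFIG = """\
security {
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                then {
                    permit {
                        firewall-authentication {
                            pass-through {
                                access-profile TPAD;
                            }
                        }
                    }
                }
            }
        }
    }
}
access {
    profile TPAD {
        authentication-order ldap;
        ldap-server {
            10.60.0.5;
        }
    }
}
"""
```

Run `check_config` over the text of `show configuration` (or over `SAMPLE_CONFIG` as shipped) and it returns one finding for the thread's layout, the absent top-level `access-profile TPAD;`; prepending that statement makes the list empty, and renaming the profile under `[edit access]` produces the dangling-reference finding instead. The parser deliberately rejects anything that is not a `{`, `}` or `;` line, so a truncated paste fails loudly rather than silently passing the check.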