[j-nsp] SRX100 LDAP
Шепелев Андрей
xamalon4eg at gmail.com
Thu Mar 20 23:54:05 EDT 2014
tried everything nothing helps... i`m begining to think that i have broken
srx =)) or something like that. it did not want even trying to athorize the
users .... very strange
version 11.2R4.3;
system {
host-name test-srx100.adm.n.tp.ru;
root-authentication {
encrypted-password "$1$yo2A3wox$K/.Epl658XW1r4Z9BgDWm0"; ##
SECRET-DATA
}
name-server {
10.60.0.5;
8.8.8.8;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
processes {
general-authentication-service {
traceoptions {
file auth-debug;
flag all;
flag ldap;
}
}
}
}
interfaces {
fe-0/0/0 {
unit 0;
}
fe-0/0/1 {
vlan-tagging;
unit 101 {
description Users;
vlan-id 101;
family inet {
address 10.60.0.200/24;
}
}
unit 105 {
description Management;
vlan-id 105;
family inet {
address 172.20.0.200/24;
}
}
}
fe-0/0/2 {
unit 0;
}
fe-0/0/3 {
unit 0;
}
fe-0/0/4 {
unit 0;
}
fe-0/0/5 {
unit 0;
}
fe-0/0/6 {
unit 0;
}
fe-0/0/7 {
unit 0 {
description ISP1;
family inet {
address 46.250.34.22/24;
}
}
}
vlan {
unit 0;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 46.250.34.1;
route 10.60.0.0/21 next-hop 10.60.0.1;
route 172.20.0.0/24 next-hop 172.20.0.1;
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
firewall-authentication {
pass-through {
access-profile TPAD;
web-redirect;
}
}
}
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/1.101;
fe-0/0/1.105;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
fe-0/0/7.0;
}
}
}
}
access {
profile TPAD {
authentication-order ldap;
ldap-options {
base-distinguished-name dc=tp,dc=ru;
search {
search-filter cn=;
admin-search {
distinguished-name cn=junos,ou=users,dc=tp,dc=ru;
password "$9$NOdY4jHmfQFDjApuOREwY2oDi"; ## SECRET-DATA
}
}
}
ldap-server {
10.60.0.5;
}
}
ldap-options {
base-distinguished-name DC=tp,DC=ru;
search {
search-filter sAMAccountName=;
admin-search {
distinguished-name cn=junos,dc=tp,dc=ru;
password "$9$k.TFtu1RcyAtWLX7VbfTQ3Ap"; ## SECRET-DATA
}
}
}
ldap-server {
10.60.0.5 port 389;
}
firewall-authentication {
pass-through {
default-profile TPAD;
}
web-authentication {
default-profile TPAD;
}
traceoptions {
file ldap;
flag all;
}
}
}
access-profile TPAD;
vlans {
vlan-trust {
vlan-id 3;
}
}
2014-03-20 1:30 GMT+06:00 Bikram Singh <sbikram at live.com>:
>
>
>
> > set access ldap-options base-distinguished-name DC=tp,DC=ru
> > set access ldap-options search search-filter sAMAccountName=
> > set access ldap-options search admin-search distinguished-name
> > cn=junos,dc=tp,dc=ru
> > set access ldap-options search admin-search password
> > "$9$k.TFtu1RcyAtWLX7VbfTQ3Ap"
> > set access ldap-server 10.60.0.5 port 3268
> >
> > but it did not help :(((
>
> What LDAP server are you using ? Can u change the search-filter
> (sAMAccountName=) to "cn="
>
> I use openldap server and below is the working ldap config
>
>
> profile Profile-1 {
> authentication-order ldap;
> ldap-options {
> base-distinguished-name DC=Domain,DC=com;
> search {
> search-filter cn=;
> admin-search {
> distinguished-name cn=admin,dc=Domain,dc=com;
> password "$9ccnjsgd89olsksio092oaP"; ## SECRET-DATA
> }
> }
> }
> ldap-server {
> 192.168.203.150 {
> port 389;
> source-address 192.168.203.200;
> }
> }
> }
> firewall-authentication {
> web-authentication {
> default-profile Profile-1;
> banner {
> success "LOGIN SUCCESSFULL";
> }
> }
> traceoptions {
> file web;
> flag all;
> }
> }
>
>
>
> show interfaces ge-0/0/1
> unit 0 {
> family inet {
> address 192.168.203.200/24 {
> preferred;
> }
> address 192.168.203.201/24 {
> web-authentication http;
> }
> }
> }
>
>
> - Bikram
>
More information about the juniper-nsp
mailing list