on 06-28-2018 07:30 AM - edited on 09-27-2019 11:13 AM by Retired Member
Expedition offers local user authentication and external user authentication via LDAP and Radius servers.
In this example, we will illustrate how to configure external authentication via a Windows Active Directory server.
We have created a server under the domain sctc.domain.local, defined a group called "developers" and added a user "didac gil" with logon name "didacgil9".
In the figure, we can see that users authenticate with the suffix "@sctc.domain.local". We will have to take this value into account when providing the settings in Expedition so that user authentication completes correctly.
In Expedition, we will first define the LDAP authentication server. Only Superusers have rights to register or modify servers.
We have two different approaches for user authentication.
In the first approach, we define a server by providing the desired server's name, the server's address and port, the server type (Windows or Linux), the Search DN parameters, and whether SSL and/or TLS is used.
In our case, our server responds at sctc.domain.local on port 389, and we have named the server LDAP_approach1.
The users that will use this server for authentication belong to the developers group, therefore we have provided the following Search DN: "CN=developers,DC=sctc,DC=domain,DC=local". Contact your Active Directory administrator to verify the correct Search DN parameters for your environment.
After saving, we will test the server settings by clicking on the diagnostics icon. We will be required to enter an existing user's credentials.
Feedback will be provided with the results of the connection.
Through this approach, users will have to provide their full account name for authentication. In our case, didacgil9@sctc.domain.local will be the user name required for a valid authentication.
In the second approach, we facilitate the user's logon by providing the suffix in the server settings. This way, a user only has to write their account name, "didacgil9".
Notice that with this approach, all users must share the same suffix in order to validate their credentials.
The LDAP connection uses simple bind. We use the user's own credentials to verify that those credentials are valid.
The credentials are transferred in the request without obfuscation, but the connection is made over HTTPS. However, as pointed out by psuJohn, the request should be moved to a POST request so that the credentials are not even stored in the httpd logs.
We will make this change.
When testing the connection, we will provide the user's account and password, and we should get feedback on the transaction stating either that all went fine or that there was an error, such as not being able to reach the LDAP server, or that the provided settings (DN or user credentials) are not valid to authenticate the user.
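The httpd-log concern raised above (credentials sent in a GET request end up in the access log) can be checked for after the fact. The scanner below is an added example, not part of the original article or of Expedition; it parses constructed Apache combined-format log lines and reports requests whose query string carries a password-like parameter, redacting the value so the report itself does not repeat the leak. The parameter names (user, password, server) and the log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample Apache access log lines (combined format); not taken from the page.
SAMPLE_LOG = """\
10.0.10.2 - - [24/Mar/2020:15:08:40 +0000] "GET /bin/authentication/servers/testServers.php?user=didacgil9&password=Hunter2&server=LDAP_approach1 HTTP/1.1" 200 512 "https://expedition.example/" "Mozilla/5.0"
10.0.10.2 - - [24/Mar/2020:15:08:58 +0000] "POST /bin/authentication/servers/testServers.php HTTP/1.1" 200 512 "https://expedition.example/" "Mozilla/5.0"
10.0.10.2 - - [24/Mar/2020:15:09:10 +0000] "GET /bin/projects.php?id=3 HTTP/1.1" 200 2048 "https://expedition.example/" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameter names whose values must never appear in a URL (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret", "token"}

def find_credential_leaks(log_text):
    """Return one record per request whose query string carries a sensitive parameter.
    Only parameter names and a redacted query are returned, so the scanner's own
    output does not become a second copy of the leaked secret."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        params = parse_qsl(parts.query, keep_blank_values=True)
        leaked = sorted({k for k, _ in params if k.lower() in SENSITIVE_PARAMS})
        if not leaked:
            continue
        redacted = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v) for k, v in params]
        leaks.append({
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": parts.path,
            "leaked_params": leaked,
            "redacted_query": "&".join(f"{k}={v}" for k, v in redacted),
        })
    return leaks

if __name__ == "__main__":
    for rec in find_credential_leaks(SAMPLE_LOG):
        print(rec)
```

Only the first line is reported: the POST carries its form fields in the body, which Apache does not log, which is exactly why moving the test request to POST removes the exposure.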
We have the same problem as gzygadlo:
you cannot select the server type, and when you try to add the server you get the message:
"The following errors have ocurred:, Enter the server type"
Anyone have success with using TLS/SSL? With Microsoft's recent announcement that they will only accept encrypted connections, I need to get this switched over.
I have not personally tested this for a long time, but I remember a team that got the TLS/SSL LDAP working. They tested first with an LDAP client to make sure the settings they were using were correct, as they also had issues making sure all the settings were the correct ones.
Later, they applied the same settings in Expedition and they could authenticate.
I just installed 1.1.63.1, and when I try either Radius or LDAP I get an instant error and no network traffic is generated to either server from Expedition:
My Apache2 error.log for a test request:
[Mon Mar 23 20:49:45.977222 2020] [:error] [pid 36392] [client 10.0.10.2:2282] PHP Notice: Undefined variable: app in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Mon Mar 23 20:49:45.977364 2020] [:error] [pid 36392] [client 10.0.10.2:2282] PHP Notice: Trying to get property of non-object in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Mon Mar 23 20:49:45.977416 2020] [:error] [pid 36392] [client 10.0.10.2:2282] PHP Notice: Trying to get property of non-object in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Mon Mar 23 20:49:45.977484 2020] [:error] [pid 36392] [client 10.0.10.2:2282] PHP Fatal error: Uncaught Error: Call to a member function getUser() on null in /var/www/html/bin/Authentication.php:76\nStack trace:\n#0 /var/www/html/bin/authentication/servers/testServers.php(54): require_once()\n#1 /var/www/html/bin/authentication/servers/testServers.php(35): test(Array)\n#2 {main}\n thrown in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
In order to improve the forum experience, let's try to keep the questions focused in a single topic.
Please, try to refresh your session in Expedition and let us know if that resolved the issue.
I rebooted my workstation last night for other reasons, so this was after my first connect to my Expedition server. I had a tail running on the logs: the first was a RADIUS test, the second an LDAP test. (I saw no traffic generated to either the LDAP or the RADIUS server.)
I am logged in as Admin, if that matters; there are no local users yet.
[Tue Mar 24 15:08:40.241160 2020] [:error] [pid 36885] [client 10.0.10.2:1336] PHP Notice: Undefined variable: app in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Tue Mar 24 15:08:40.241301 2020] [:error] [pid 36885] [client 10.0.10.2:1336] PHP Notice: Trying to get property of non-object in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Tue Mar 24 15:08:40.241352 2020] [:error] [pid 36885] [client 10.0.10.2:1336] PHP Notice: Trying to get property of non-object in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Tue Mar 24 15:08:40.241416 2020] [:error] [pid 36885] [client 10.0.10.2:1336] PHP Fatal error: Uncaught Error: Call to a member function getUser() on null in /var/www/html/bin/Authentication.php:76\nStack trace:\n#0 /var/www/html/bin/authentication/servers/testServers.php(54): require_once()\n#1 /var/www/html/bin/authentication/servers/testServers.php(35): test(Array)\n#2 {main}\n thrown in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Tue Mar 24 15:08:58.418969 2020] [:error] [pid 36388] [client 10.0.10.2:1338] PHP Notice: Undefined variable: app in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Tue Mar 24 15:08:58.419119 2020] [:error] [pid 36388] [client 10.0.10.2:1338] PHP Notice: Trying to get property of non-object in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Tue Mar 24 15:08:58.419176 2020] [:error] [pid 36388] [client 10.0.10.2:1338] PHP Notice: Trying to get property of non-object in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
[Tue Mar 24 15:08:58.419246 2020] [:error] [pid 36388] [client 10.0.10.2:1338] PHP Fatal error: Uncaught Error: Call to a member function getUser() on null in /var/www/html/bin/Authentication.php:76\nStack trace:\n#0 /var/www/html/bin/authentication/servers/testServers.php(54): require_once()\n#1 /var/www/html/bin/authentication/servers/testServers.php(35): test(Array)\n#2 {main}\n thrown in /var/www/html/bin/Authentication.php on line 76, referer: https://expedition.columbia.csc/
Could we do a Zoom session?
Please contact me to fwmigrate@paloaltonetworks.com.
I would like to debug in your settings to find out the cause.
Hello,
Thanks for sharing your How To, but I need to secure the connection between my Expedition tool and our LDAP servers.
Security asks us to use LDAP with SSL, but I get an error.
Does someone have the same issue, or is it just me?
Best regards,