Aruba Employee

COTD: Debugging LDAP

Note: Aruba 3.x
Want to debug an LDAP server like Microsoft AD? Need some way to figure out what attributes are being returned for role derivation?
You can use the "aaa query-user" command to query an LDAP server WITHOUT needing the user's password. The trick is knowing how to use it because by default it will return a response like this:
(Greig) #aaa query-user AAD greig
Authentication failed
(Greig) #

Not very useful on the surface of it; however, here is what you can do to pull out the information you need:
Firstly you need to enable debugging for the authmgr process:
(Greig) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
(Greig) (config) #logging level debugging security process authmgr
(Greig) (config) #
Next, run your command:
(Greig) (config) #end
(Greig) #aaa query-user AAD greig
Authentication failed
(Greig) #
And now have a look at the debug log:
(Greig) #show log security 150
Jul 18 12:23:46 :109000: |authmgr| objectClass: top
Jul 18 12:23:46 :109000: |authmgr| objectClass: person
Jul 18 12:23:46 :109000: |authmgr| objectClass:
Jul 18 12:23:46 :109000: |authmgr| objectClass: user
Jul 18 12:23:46 :109000: |authmgr| cn: Greig Bannister
Jul 18 12:23:46 :109000: |authmgr| sn: Bannister
The debug log will return all the LDAP attributes that the server has about this user and then you can use these attributes in your derivation rules.
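To turn that dump into something you can plan derivation rules against, here is an added Python example (not from the original post and not ArubaOS code) that parses lines in the "show log security" format shown above into a per-attribute list of values, keeping multi-valued attributes such as objectClass and the empty value, and previews a case-insensitive "contains" match on one attribute. The sample log is constructed: the memberOf line and the trailing failure line are assumptions, not output from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the "show log security" format from the post above.
# The memberOf line and the final non-attribute line are assumptions added
# to exercise multi-valued, empty and non-attribute cases.
SAMPLE_LOG = """\
Jul 18 12:23:46 :109000: |authmgr| objectClass: top
Jul 18 12:23:46 :109000: |authmgr| objectClass: person
Jul 18 12:23:46 :109000: |authmgr| objectClass:
Jul 18 12:23:46 :109000: |authmgr| objectClass: user
Jul 18 12:23:46 :109000: |authmgr| cn: Greig Bannister
Jul 18 12:23:46 :109000: |authmgr| sn: Bannister
Jul 18 12:23:46 :109000: |authmgr| memberOf: CN=WLAN-Staff,OU=Groups,DC=example,DC=com
Jul 18 12:23:47 :109000: |authmgr| Authentication failed for user greig
"""

# "<Mon> <day> <hh:mm:ss> :<msgid>: |<process>| <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+): "
    r"\|(?P<proc>\w+)\| (?P<body>.*)$"
)
# "<attribute>: <value>" where the value may be absent (empty attribute value)
ATTR_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*):(?: (?P<value>.*))?$")


def parse_ldap_attributes(log_text, process="authmgr"):
    """Return {attribute: [values]} for attribute lines logged by `process`.

    Multi-valued attributes keep every value in order; an attribute line with
    no value is recorded as "" so it is visible rather than silently dropped.
    Lines that are not "name: value" (e.g. "Authentication failed ...") are skipped.
    """
    attrs = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("proc") != process:
            continue
        a = ATTR_RE.match(m.group("body"))
        if a:
            attrs[a.group("name")].append(a.group("value") or "")
    return dict(attrs)


def value_contains(attrs, name, needle):
    """Preview a contains-style rule: does any value of `name` contain `needle`?

    Matching is case-insensitive because AD distinguished names are.
    """
    return any(needle.lower() in v.lower() for v in attrs.get(name, []))
```

Run it against a pasted copy of the real log to see every attribute the server returned before you commit to a derivation rule.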
Note that this does require a configured LDAP server AND the administrative username and password configured in the switch for the server, so you do have to authorise the switch to have access prior to being able to query, of course. But the good thing is you do not need a user's password in order to plan for your role derivation.
For reference, here is an LDAP configuration for our internal AD server. You would of course need to customise this to work with whatever server you are using:
(Greig) #show aaa authentication-server ldap AAD
LDAP Server "AAD"
Parameter Value
--------- -----
Admin-DN cn=,cn=Users,dc=arubanetworks,dc=com
Allow Clear-Text Disabled
Auth Port 389
Base-DN OU=Corp,DC=arubanetworks,DC=com
Filter (objectclass=*)
Key Attribute sAMAccountName
Timeout 20 sec
Mode Enabled
(Greig) #