How to debug EDirectory on Sophos UTM

  • Article ID: 115556
  • Updated: 13 Feb 2014

Novell eDirectory is an X.500 compatible directory service for centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical, object-oriented database that represents all the assets in an organization in a logical tree. Those assets can include people, servers, workstations, applications, printers, services, groups, etc.

Known to apply to the following Sophos product(s) and version(s)

Sophos UTM Software Appliance

Operating systems
V7, V8, V9

What To Do

Debugging – LDAP search

First of all you need the credentials of the bind user; read them from the UTM configuration with the confd client (cc):
cc
MAIN
auth
edirectory
bind_dn$
..
bind_pw$

Check if bind user is working

  • ldapsearch -h EDIR_SERVER_IP -p 389 -D "cn=BINDUSER,ou=SUPPORT,o=SOPHOS" -w PASSWORD -x -LLL
    Example: ldapsearch -h 10.5.3.4 -p 389 -D "cn=operator,ou=SUPPORT,o=SOPHOS" -w geheim -x -LLL
If there is something wrong with the bind user, you will get the following output:
ldap_bind: Invalid credentials (49) additional info: NDS error: failed authentication (-669)

Check bind user when SSL is activated

  • ldapsearch -h 192.168.0.20 -p 389 -D "cn=sophos,o=support,c=de" -x -w Password -LLL

If this plain LDAP search fails with an error, try the LDAP search over LDAPS with the options below:

  • ldapsearch -H ldaps://192.168.0.20:636 -D "cn=sophos,o=support,c=de" -x -w Password -LLL

ERROR: no user found in eDir for IP

  • Search in aua.log for the IP address in hex:

aua[15987]: eDir for IP: do_auth_edir() - call getAuthenticationByIP with IP:10.5.2.166
getAuthenticationByIP() dump of different syntax of the IP we need to $VAR1 = { 'dotted' => '10.5.2.166', 'base64' => 'MSMKBQKr', 'binary' => '1# ^E^B\ufffd', 'hex' => '1#\\0a\\05\\02\\ab'
getAuthenticationByIP() eDirectory SSO Auth failed - no user found in eDir for IP: 10.5.2.166

  • Check this via ldapsearch; you get no output from the eDirectory server:

ldapsearch -h 10.5.3.2 -p 389 -D "cn=operator,ou=SERVER,o=WERKE" -w geheim -x -LLL "(&(objectClass=organizationalPerson)(networkAddress=*)(networkAddress=1#\\0a\\05\\02\\ab))"

  • Compare this with a user which is working:

aua[19897]: do_auth_edir() - call getAuthenticationByIP with IP:10.5.2.180
getAuthenticationByIP() dump of different syntax of the IP we need to $VAR1 = { 'dotted' => '10.5.2.180', 'base64' => 'MSMKBQLy', 'binary' => '1# ^E^B\ufffd', 'hex' => '1#\\0a\\05\\02\\b2'
do_auth_edir() access granted U:10.5.2.180 F:http R:OK C:edir

  • Check this via ldapsearch once again; this time the user object is returned:

ldapsearch -h 10.5.3.4 -p 389 -D "cn=operator,ou=SERVER,o=WERKE" -w geheim -x -LLL "(&(objectClass=organizationalPerson)(networkAddress=*)(networkAddress=1#\\0a\\05\\02\\b2))"
dn: cn=Admin,ou=LAGER,ou=GAS,o=WERKE
fullName: König Hans


Check the network address stored in eDir for a specific user

ldapsearch -h 10.5.3.4 -p 389 -D "cn=operator,ou=SERVER,o=WERKE" -w geheim -x -LLL "(&(cn=username))"

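The encodings in the aua.log dump and the networkAddress filter used in the ldapsearch commands above, as an added Python example (not code from the article or from Sophos). It assumes, from the dump shown, that an IPv4 networkAddress value is the literal 1# followed by the four address bytes; the IP addresses in it are constructed samples, and the host and bind DN are placeholders you replace with your own.

```python
import base64
import ipaddress

# eDirectory stores networkAddress as "<type>#<raw bytes>". Assumption, taken
# from the aua.log dump in the article: type 1 is IPv4 and the raw part is the
# four address bytes in network byte order.
NETADDR_IPV4_TYPE = b"1#"

def edir_network_address(ip: str) -> bytes:
    """Raw networkAddress value (what aua.log calls 'binary') for a dotted IPv4."""
    return NETADDR_IPV4_TYPE + ipaddress.IPv4Address(ip).packed

def network_address_to_ip(raw: bytes) -> str:
    """Inverse: turn a raw (e.g. base64-decoded) networkAddress back into dotted form."""
    if not raw.startswith(NETADDR_IPV4_TYPE) or len(raw) != len(NETADDR_IPV4_TYPE) + 4:
        raise ValueError("not an IPv4 networkAddress value")
    return str(ipaddress.IPv4Address(raw[len(NETADDR_IPV4_TYPE):]))

def filter_escape(raw: bytes) -> str:
    """RFC 4515 filter escaping: "1#" stays literal, every address byte becomes
    \\XX. Escaping all four bytes is always valid and avoids surprises when a
    byte happens to be filter syntax such as 0x2a '*' or 0x28 '('."""
    prefix = NETADDR_IPV4_TYPE.decode("ascii")
    return prefix + "".join(f"\\{b:02x}" for b in raw[len(NETADDR_IPV4_TYPE):])

def ip_representations(ip: str) -> dict:
    """The 'dotted', 'base64' and 'hex' forms aua dumps into aua.log as $VAR1."""
    raw = edir_network_address(ip)
    return {"dotted": ip,
            "base64": base64.b64encode(raw).decode("ascii"),
            "hex": filter_escape(raw)}

def sso_user_filter(ip: str) -> str:
    """Filter aua uses to find the user whose workstation holds this IP."""
    return ("(&(objectClass=organizationalPerson)(networkAddress=*)"
            f"(networkAddress={filter_escape(edir_network_address(ip))}))")

def ldapsearch_command(host: str, bind_dn: str, ip: str) -> str:
    """ldapsearch line for a shell. Inside double quotes the shell turns \\\\ into
    \\, so every backslash in the filter is doubled; -W prompts for the bind
    password instead of leaving it in the shell history."""
    shell_filter = sso_user_filter(ip).replace("\\", "\\\\")
    return f'ldapsearch -h {host} -p 389 -D "{bind_dn}" -W -x -LLL "{shell_filter}"'

if __name__ == "__main__":
    # Constructed sample address and placeholder host/bind DN.
    print(ip_representations("10.5.2.166"))
    print(ldapsearch_command("EDIR_SERVER_IP", "cn=BINDUSER,ou=SUPPORT,o=SOPHOS", "10.5.2.166"))
```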
If you need more information or guidance, then please contact technical support.
