Booches.nl

RSA LDAP query failed

While configuring a LDAP mapping for a RSA Authentication Manager 6.1 with an Active Directory Domain Controller, I received the following error while running the Synchronisation task

c:\RSA\prog\sdldapsync.exe -j 102

“[LDAP search] Search failed (check Base DN)”

At first I thought about a typo while configuring the Synchronisation task. To test the LDAP connection with the domain controller I installed Softerra’s LDAP Browser. With this tool the LDAP connection is working perfectly when using the same credentials, BaseDN and LDAP Query Filter.

After searching the internet I found the MaxPageSize issue in Windows. I reported the same issue in a blog about eSafe and LDAP. When running the sdaceldap command you can see that the MaxPageSize is reached by the LDAP query.

Correct usage: sdaceldap <-h hostname> <-p port> [-b basedn] [-s scope] [-d import|compare] [-o output file] [-m schema map file] <-D binddn -w passwd> <-Z -P path> filter

 

C:\RSA\utils\toolkit>sdaceldap.exe -h 10.1.1.100 -p 389 -b ou=Users,dc=booches,=nl -s sub -d import -o AD_Users.csv -m active.map -D SA_LDAP@booches.nl -w LDAP_passwd “objectclass=user”

 

Host: 10.1.1.100
Port: 389
Distinguished Name: ou=Users,dc=booches,dc=nl

Scope: sub
Mode: import
Output Filename: AD_Users.csv
Mapfile: active.map
Bind: SA_LDAP@booches.nl
Filter: objectclass=user

Starting Import:

ldap_search_s Sizelimit exceeded

The output shows that the Sizelimit is exceeded. I find a tool on the internet which can be used to retrieve the MaxPageSize from a Windows machine. This tool is called AdFind.

Executing this tool on the Domain Controller tells me the MaxPageSize is set to 2000.

c:>adfind -e -config -f “&(objectcategory=querypolicy)(name=default quer
y policy)” ldapadminlimits

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc01.booches.nl:389
Directory: Windows Server 2003
Base DN: CN=Configuration,DC=booches,DC=nl

dn:CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,
CN=Services,CN=Configuration,DC=booches,DC=nl
>lDAPAdminLimits: MaxPageSize=2000
>lDAPAdminLimits: MaxReceiveBuffer=10485760
>lDAPAdminLimits: MaxDatagramRecv=1024
>lDAPAdminLimits: MaxPoolThreads=4
>lDAPAdminLimits: MaxResultSetSize=262144
>lDAPAdminLimits: MaxTempTableSize=10000
>lDAPAdminLimits: MaxQueryDuration=120
>lDAPAdminLimits: MaxNotificationPerConn=5
>lDAPAdminLimits: MaxConnIdleTime=900
>lDAPAdminLimits: InitRecvTimeout=120
>lDAPAdminLimits: MaxConnections=5000

1 Objects returned

To minimize the number of objects that are returned in a single search I configured a LDAP Query Filter, which is shown below:

(&(&(&(objectClass=user)(objectClass=person))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(!(objectClass=computer)))

or the equivalent

(&(objectClass=user)(objectClass=person)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!objectClass=computer))

This query has the following properties. The object should have the objectClasses user AND person AND the account should NOT be disabled AND should not contain the objectClass computer. This already excludes some objects, like workstations and servers.

More information about the MaxPageSize and the way to change the value can be found here. More information about Limiting LDAP Searches with MaxPageSize can be found here.

Cisco 877W wireless authentication failed

At home I have a Cisco 877W router. I use the wireless functionality to connect the different laptops to the networks. After upgrading the software from the router I have problems with the wireless authentication. The router is working perfectly, but after some time the laptops are able to connect to the wireless network. Vista tells me to enter the correct pre-shared key, so this doesn’t help much.

In the buffer logging I see the following error messages:

Jan 6 2009  22:48:05.666 CET: %DOT11-7-CCKM_AUTH_FAILED: Station <mac address> CCKM authentication failed

Looking at different forums more people experience the same problem. They offer different solutions like:

• Changing the broadcast key change interval
• Enable AES encryption

Both solutions didn’t work for me. Because I noticed the problems after upgrading the software, I decided to downgrade the software. I downgraded from ADVSECURITY Version 12.4(22)T to ADVSECURITY 12.4(15)T8.

I searched the Cisco website and Bug Toolkit, but I couldn’t find any possible bug information about my problem. But I am sure this problem is related to the IOS image previously used. After downgrading I didn’t have any more problems with the wireless environment.

Access rules DMZ components

Finally he first post in 2009, so before starting, HAPPY NEW YEAR!!!!! I know it’s late, but who cares….

This post is about opening specific ports from the DMZ to the internal network. This specific topic often results in discussions about which ports to open. One of the biggest discussion points is the use of internal DNS servers. In my opinion a DMZ server should never use an internal DNS server, because this could be a possible security issues if the server gets hacked. For DNS resolving of internal host I always configure hosts files.

In the next sections I list the ports for different services, which I normally open. The listed services are services which I often encounter during work.

ISA REVERSE PROXY

When configuring an ISA reverse proxy, it is most often used for publishing websites, Microsoft Outlook WebAccess or PDA synchronization to the Internet. When configuring this service I open the following ports.

FROM INTERNET TO DMZ

FROM DMZ TO INTERNAL

* the usage of RADIUS or LDAP depends on the authentication method used

CITRIX ACCESS / SECURE GATEWAY

When using Citrix Secure Gateway (CSG) I normally install the WebInterface on the same server in the DMZ. With a Citrix Access Gateway (CAG), the WebInterface is often installed on an internal server. So implementing CAG needs one extra ports. The following ports are configured by default.

FROM INTERNET TO DMZ

FROM DMZ TO INTERNAL

* This port is needed when RSA SecurID tokens are used for authentication

EXCHANGE EDGE SERVER

The last service listed is the configuration of an Exchange Edge server in the DMZ. When using an Exchange Edge server you should configure the following ports.

FROM INTERNET TO DMZ

FROM DMZ TO INTERNET

FROM DMZ TO INTERNAL

FROM INTERNAL TO DMZ

I hope this post will help you when configuring specific services in a DMZ environment. Of course the lists above are not absolute and can be different in specific situations. I always use the above lists as a road map.