Forum Discussion
Nimbostratusdifference response in different platform
hi all,
i wonder if anyone has met with this kind of issue before.
i was configuring AD authentication in APM. i configured the AAA server with AD and the necessary information. on 3900, i am able to query to the AD and retrieve the necessary group information. however, when i use exactly the same configuration on viprion and 8900, the AD query was rejected.
i carried on and tried a test with my VE version as the platform. This time, i am able to query to the AD and retrieve the group info.
Anyone met this before??
5 Replies
kunjanYou can try a cmd line test using adtest to check if that works.
adtest -t query -h "host.siterequest.com" -r "siterequest.com" -A Administrator -W password1!a -u user1
You may have to verify the DNS and NTP settings as well.
- Kevin_Stewart
Employee
I cannot imagine that the platform itself would make a difference here. I would suggest starting with a tcpdump capture to see what that query traffic looks like. If you see good back and forth data between APM and the AD, then:
-
Enable debug logging in APM and tail the APM log (tail -f /var/log/apm).
-
Run a WireShark capture on the DC and set a display filter for "kerberos or dns or ldap" (without the quotes).
-
henry_kay_36032hi kelivn,
i did a dump and both give me the same result but one can query and one cannot. didn't get to try the wireshark yet. will try it out and see what is the outcome
- Kevin_Stewart
i did a dump and both give me the same result but one can query and one cannot
Where you looking at the port 389 LDAP traffic? You should be able to expose that data in the tcpdump with the -Xs0 option.
tcpdump -lnni 0.0 -Xs0 port 389It won't be pretty to look at it, but you should be able to see some of the LDAP request and response data. A WireShark capture will do the same thing, but give you an expanded view of the LDAP.
- henry_kay_36032
let me try out your command. update you guys later :)
