FreeRadius cannot Authenticate to Windows AD

Michael Calizo mike.calizo at gmail.com
Fri Dec 16 05:26:29 CET 2005


Hi Gurus,


I have installed freeradius and used the LDAP module to authenticate to
Windows 2003 AD. The problem is it can't do the authentication; it seems that I
missed the radius.conf LDAP module configuration, which causes the LDAP
module to fail when connecting to MSAD. Below is my radius.conf config
file.


Hoping that you guys can help me, coz I have been googling all day for this
config and I cannot make this thing work... Thnx in advance..

radius.conf:

ldap {
        server = "oberon.chikka.ph"
        # identity = "cn=admin,o=My Org,c=UA"
        identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"
        # The bind password must be quoted when it contains spaces or
        # special characters; unquoted it will not parse as one value.
        password = "_bant at 3a-@n"
        # password = mypass
        basedn = "dc=chikka,dc=ph"
        # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # filter = "(SamAccountName=%U)"
        # filter = "(SamAccountName=%u)"
        # base_filter = "(objectclass=radiusprofile)"
        # In AD the memberOf attribute holds the full DN of each group
        # (cn=<group>,...,dc=chikka,dc=ph); "Admin,DC=chikka,DC=ph" is not
        # a complete DN, so this clause can never match.
        base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"
        # The line as originally posted was missing its final closing
        # parenthesis (visible in the radius_xlat output of the debug log).
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no

        # tls_cacertfile        = /path/to/cacert.pem
        # tls_cacertdir         = /path/to/ca/dir/
        # tls_certfile          = /path/to/radius.crt
        # tls_keyfile           = /path/to/radius.key
        # tls_randfile          = /path/to/rnd
        # tls_require_cert      = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"

        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        #  The server can usually figure this out on its own, and pull
        #  the correct User-Password or NT-Password from the database.
        #
        #  Note that NT-Passwords MUST be stored as a 32-digit hex
        #  string, and MUST start off with "0x", such as:
        #
        #       0x000102030405060708090a0b0c0d0e0f
        #
        #  Without the leading "0x", NT-Passwords will not work.
        #  This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
}


Here is my radiusd -X -A log...

rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59
        User-Name = "myaccount"
        User-Password = "mypass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "myaccount", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myaccount" with password "mypass"
radius_xlat:  '(&(sAMAccountName=myaccount)'
radius_xlat:  'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 42 to 192.168.1.13:37146
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 42 with timestamp 43a23bb5
Nothing to do.  Sleeping until we see a request.


--
Mike Calizo
Registered Linux User # 365113

_________________________________________________
Even the longest journey has to start with a small first-step
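As an added example (not part of the original post or of FreeRADIUS), a small Python lint that catches the two defects visible in the posted rlm_ldap config before anything is deployed: the filter line is missing its closing parenthesis (the debug log's radius_xlat line shows the unbalanced filter) and the memberOf value in base_filter is not a full group DN. The filters below are the posted ones with the User-Name from the log ("myaccount") substituted; the bind failure in the log happens earlier and is a separate identity/password problem.

```python
import re

# Filters from the posted radius.conf after %{...} substitution with "myaccount".
POSTED_FILTER = "(&(sAMAccountName=myaccount)"
POSTED_BASE_FILTER = ("(&(sAMAccountName=myaccount)"
                      "(memberOf=Admin,DC=chikka,DC=ph))")
FIXED_FILTER = "(&(sAMAccountName=myaccount))"

# One RDN component: attribute type, '=', non-empty value (commas escaped with '\').
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$")


def is_dn(value: str) -> bool:
    """True if every comma-separated component of value looks like attr=value."""
    parts = re.split(r"(?<!\\),", value)
    return bool(parts) and all(_RDN.match(p.strip()) for p in parts)


def filter_problems(flt: str) -> list:
    """Return human-readable problems found in an RFC 4515 search filter string."""
    problems = []
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unexpected ')' at offset {i}")
                depth = 0
    if depth > 0:
        problems.append(f"{depth} unclosed '(' (missing closing parenthesis)")
    if not flt.startswith("("):
        problems.append("filter must start with '('")
    # In AD, memberOf holds the full DN of each group, so its value must parse as a DN.
    for m in re.finditer(r"\(memberOf=([^)]*)\)", flt, flags=re.IGNORECASE):
        if not is_dn(m.group(1)):
            problems.append(f"memberOf value {m.group(1)!r} is not a full group DN")
    return problems


if __name__ == "__main__":
    for name, flt in [("filter", POSTED_FILTER),
                      ("base_filter", POSTED_BASE_FILTER),
                      ("fixed filter", FIXED_FILTER)]:
        print(f"{name}: {filter_problems(flt) or 'ok'}")
```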