Can not authenticate against Active directory as LDAP server

Alhagie Puye APuye at datawave.com
Wed Nov 30 04:53:49 CET 2005


Make sure the password has double-quotes around it.


I had to do that to get it working.

Have you tried using ldapsearch first to make sure that you are feeding
it the correct parameters?

Try something like

ldapsearch -LLL -h 10.1.1.1 -x -b 'dc=corp,dc=van,dc=com' \
  '(&(memberof=CN=rptpcps,OU=Users,DC=corp,DC=van,DC=com)(samaccountname=apuye))' \
  -D apuye@corp.van.com -w yourpassword

Change it to match your environment.

Hope that helps.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

> >-----Original Message-----
> >From: freeradius-users-bounces at lists.freeradius.org 
> >[mailto:freeradius-users-bounces at lists.freeradius.org] On 
> >Behalf Of Anup Parkhi
> >Sent: November 29, 2005 6:44 PM
> >To: freeradius-users at lists.freeradius.org
> >Subject: Can not authenticate against Active directory as LDAP server
> >
> >My environment is
> >
> >FreeRadius: 1.0.5 on RedHat
> >Funk Odyssey supplicant. (Tried with XP supplicant also)
> >Authenticator: HP procurve switch
> >EAP: EAP-MD5
> >Directory: Active directory as LDAP server
> >
> >I am getting the following error while authenticating users 
> >in Active directory. Any help is appreciated. I went through 
> >ldap_how_to.txt and changed my radiusd.conf to tailor for 
> >active directory but it is still failing.
> >
> >My configuration sections are
> >ldap {
> >        server = "10.11.12.137"
> >        identity = "cn=Administrator,cn=users,dc=parkhi,dc=net"
> >        password = mypassword
> >        basedn = "cn=users,dc=parkhi,dc=net"
> >        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> >        # base_filter = "(objectclass=radiusprofile)"
> >
> >        # set this to 'yes' to use TLS encrypted connections
> >        # to the LDAP database by using the StartTLS extended
> >        # operation.
> >        # The StartTLS operation is supposed to be used with normal
> >        # ldap connections instead of using ldaps (port 636) connections
> >        start_tls = no
> >
> >        # tls_cacertfile        = /path/to/cacert.pem
> >        # tls_cacertdir         = /path/to/ca/dir/
> >        # tls_certfile          = /path/to/radius.crt
> >        # tls_keyfile           = /path/to/radius.key
> >        # tls_randfile          = /path/to/rnd
> >        # tls_require_cert      = "demand"
> >
> >        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >        # profile_attribute = "radiusProfileDn"
> >        # access_attr = "dialupAccess"
> >
> >        # Mapping of RADIUS dictionary attributes to LDAP
> >        # directory attributes.
> >        dictionary_mapping = ${raddbdir}/ldap.attrmap
> >
> >        ldap_connections_number = 10
> >
> >        #
> >        # NOTICE: The password_header directive is NOT case insensitive
> >        #
> >        # password_header = "{clear}"
> >        #
> >        #  The server can usually figure this out on its own, and pull
> >        #  the correct User-Password or NT-Password from the database.
> >        #
> >        #  Note that NT-Passwords MUST be stored as a 32-digit hex
> >        #  string, and MUST start off with "0x", such as:
> >        #
> >        #       0x000102030405060708090a0b0c0d0e0f
> >        #
> >        #  Without the leading "0x", NT-Passwords will not work.
> >        #  This goes for NT-Passwords stored in SQL, too.
> >        #
> >        password_attribute = User-Password
> >        # groupname_attribute = cn
> >        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> >        # groupmembership_attribute = radiusGroupName
> >        timeout = 4
> >        timelimit = 3
> >        net_timeout = 1
> >        compare_check_items = no
> >        # do_xlat = yes
> >        # access_attr_used_for_allow = yes
> >}
> >
> >authorize {
> >       preprocess
> >       suffix
> >       files
> >       ldap
> >}
> >
> >authenticate {
> >       Auth-Type LDAP {
> >               ldap
> >       }
> >}
> >
> >
> >
> >the console output of radiusd -X
> >
> >Cleaning up request 4 ID 229 with timestamp 438d0d46
> >Nothing to do.  Sleeping until we see a request.
> >rad_recv: Access-Request packet from host 10.11.12.107:1024, id=230, length=214
> >       Framed-MTU = 1480
> >       NAS-IP-Address = 10.11.12.107
> >       NAS-Identifier = "HP ProCurve Switch 2824"
> >       User-Name = "test"
> >       Service-Type = Framed-User
> >       Framed-Protocol = PPP
> >       NAS-Port = 24
> >       NAS-Port-Type = Ethernet
> >       NAS-Port-Id = "24"
> >       Called-Station-Id = "00-0f-20-8d-04-c8"
> >       Calling-Station-Id = "00-c0-9f-0d-4a-1f"
> >       Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
> >       Tunnel-Type:0 = VLAN
> >       Tunnel-Medium-Type:0 = IEEE-802
> >       Tunnel-Private-Group-Id:0 = "1010"
> >       EAP-Message = 0x020100090174657374
> >       Message-Authenticator = 0xaf12ec64c245045bbf5a5cc4985025de
> >Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 5
> >modcall[authorize]: module "preprocess" returns ok for request 5
> >   rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> >   rlm_realm: No such realm "NULL"
> >modcall[authorize]: module "suffix" returns noop for request 5
> >   users: Matched test at 66
> >modcall[authorize]: module "files" returns ok for request 5
> >rlm_ldap: - authorize
> >rlm_ldap: performing user authorization for test
> >radius_xlat:  '(sAMAccountName=test)'
> >radius_xlat:  'cn=users,dc=parkhi,dc=net'
> >rlm_ldap: ldap_get_conn: Checking Id: 0
> >rlm_ldap: ldap_get_conn: Got Id: 0
> >rlm_ldap: performing search in cn=users,dc=parkhi,dc=net, with filter (sAMAccou)
> >rlm_ldap: looking for check items in directory...
> >rlm_ldap: looking for reply items in directory...
> >rlm_ldap: user test authorized to use remote access
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >modcall[authorize]: module "ldap" returns ok for request 5
> >rad_check_password:  Found Auth-Type LDAP
> >auth: type "LDAP"
> >Processing the authenticate section of radiusd.conf
> >modcall: entering group Auth-Type for request 5
> >rlm_ldap: - authenticate
> >rlm_ldap: Attribute "User-Password" is required for authentication.
> >modcall[authenticate]: module "ldap" returns invalid for request 5
> >modcall: group Auth-Type returns invalid for request 5
> >auth: Failed to validate the user.
> >Delaying request 5 for 1 seconds
> >Finished request 5
> >
> >


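Added example (not part of the thread above and not FreeRADIUS project code): a small POSIX shell script that performs the ldapsearch check suggested in the reply in a repeatable way. It builds the same filter the posted radiusd.conf expands from its "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" line, escaping the user name per RFC 4515 so a name containing '*', '(' or ')' cannot change the filter's meaning, binds with the service account (password read through a temporary file with -y instead of being passed with -w, so it does not show up in the process list), and runs the search. The host, base DN, bind DN and group DN are placeholders drawn from the thread; replace them with your own. It checks the directory side only; note that the Access-Request in the quoted debug output carries an EAP-Message and no User-Password attribute, which is what the later "Attribute "User-Password" is required for authentication" line refers to.

```sh
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project.
# Verifies the bind DN, password and search filter that rlm_ldap will use
# against Active Directory, using OpenLDAP's ldapsearch.
# Usage: LDAP_BIND_PW=secret sh adcheck.sh HOST BASEDN BINDDN USER [GROUPDN]
# (host, DNs and user names from the thread are placeholders; use yours)

# Escape a value for use inside an LDAP search filter (RFC 4515):
# '\' -> \5c, '*' -> \2a, '(' -> \28, ')' -> \29.  Backslash goes first so
# the escapes emitted by the later substitutions are not escaped again.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Same filter the posted config expands from
#   filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
# optionally AND-ed with a memberOf test as in the reply's ldapsearch line.
ad_user_filter() {
    user=$(ldap_filter_escape "$1")
    if [ -n "$2" ]; then
        group=$(ldap_filter_escape "$2")
        printf '(&(sAMAccountName=%s)(memberOf=%s))\n' "$user" "$group"
    else
        printf '(sAMAccountName=%s)\n' "$user"
    fi
}

# Bind as the service account (simple bind, like rlm_ldap's identity/password)
# and look the user up.  The password comes from $LDAP_BIND_PW and is handed
# to ldapsearch through a temporary file (-y) instead of -w, so it is not
# visible in `ps`.  Returns ldapsearch's exit status (0 = bind and search OK;
# 49 = the bind failed with invalidCredentials).
ad_check_bind() {
    host=$1; base=$2; binddn=$3; user=$4; group=$5
    if [ -z "$LDAP_BIND_PW" ]; then
        echo "LDAP_BIND_PW is not set" >&2
        return 2
    fi
    filter=$(ad_user_filter "$user" "$group")
    echo "bind DN: $binddn"
    echo "base DN: $base"
    echo "filter:  $filter"
    pwfile=$(mktemp) || return 2
    chmod 600 "$pwfile"
    printf '%s' "$LDAP_BIND_PW" > "$pwfile"
    ldapsearch -LLL -x -H "ldap://$host" -D "$binddn" -y "$pwfile" \
        -b "$base" "$filter" sAMAccountName memberOf distinguishedName
    rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# Only talk to the network when invoked with arguments.
if [ "$#" -ge 4 ]; then
    ad_check_bind "$@"
fi
```

Run it as, for example, `LDAP_BIND_PW='mypassword' sh adcheck.sh 10.11.12.137 cn=users,dc=parkhi,dc=net cn=Administrator,cn=users,dc=parkhi,dc=net test`. An LDIF entry coming back means the bind DN, password, base DN and filter are all usable from the RADIUS host, and whatever still fails is on the radiusd side; exit status 49 means the identity/password pair itself is wrong, and an empty result with exit status 0 means the bind worked but the filter or base DN does not match the user.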



