wireless - freeradius - MS ldap

Alhagie Puye APuye at datawave.com
Wed Jan 4 21:15:21 CET 2006


  

> >-----Original Message-----
> >From: freeradius-users-bounces+apuye=datawave.com at lists.freeradius.org [mailto:freeradius-users-bounces+apuye=datawave.com at lists.freeradius.org] On Behalf Of Dickson, John
> >Sent: January 4, 2006 11:32 AM
> >To: FreeRadius users mailing list
> >Subject: RE: wireless - freeradius - MS ldap
> >
> > Here is my ldap section:
> >
> >ldap {
> >		server = "10.1.1.29"
> >		identity = dmadmin1
> >		password = rDkf at my
> >		basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
> >		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >		# base_filter = "(objectclass=radiusprofile)"
> >
> >		# set this to 'yes' to use TLS encrypted connections
> >		# to the LDAP database by using the StartTLS extended
> >		# operation.
> >		# The StartTLS operation is supposed to be used with normal
> >		# ldap connections instead of using ldaps (port 636) connections
> >		start_tls = no
> >
> >		# tls_cacertfile	= /path/to/cacert.pem
> >		# tls_cacertdir		= /path/to/ca/dir/
> >		# tls_certfile		= /path/to/radius.crt
> >		# tls_keyfile		= /path/to/radius.key
> >		# tls_randfile		= /path/to/rnd
> >		# tls_require_cert	= "demand"
> >
> >		# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >		# profile_attribute = "radiusProfileDn"
> >		access_attr = "dialupAccess"
> >
> >		# Mapping of RADIUS dictionary attributes to LDAP
> >		# directory attributes.
> >		dictionary_mapping = ${raddbdir}/ldap.attrmap
> >
> >		ldap_connections_number = 5
> >
> >		#
> >		# NOTICE: The password_header directive is NOT case insensitive
> >		#
> >		# password_header = "{clear}"
> >		#
> >		# Set:
> >		#	password_attribute = nspmPassword
> >		#
> >		# to get the user's password from a Novell eDirectory
> >		# backend. This will work *only if* freeRADIUS is
> >		# configured to build with --with-edir option.
> >		#
> >		#
> >		#  The server can usually figure this out on its own, and pull
> >		#  the correct User-Password or NT-Password from the database.
> >		#
> >		#  Note that NT-Passwords MUST be stored as a 32-digit hex
> >		#  string, and MUST start off with "0x", such as:
> >		#
> >		#	0x000102030405060708090a0b0c0d0e0f
> >		#
> >		#  Without the leading "0x", NT-Passwords will not work.
> >		#  This goes for NT-Passwords stored in SQL, too.
> >		#
> >		# password_attribute = userPassword
> >		#
> >		# Un-comment the following to disable Novell eDirectory account
> >		# policy check and intruder detection. This will work *only if*
> >		# FreeRADIUS is configured to build with --with-edir option.
> >		#
> >		# edir_account_policy_check=no
> >		#
> >		# groupname_attribute = cn
> >		# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> >		# groupmembership_attribute = radiusGroupName
> >		timeout = 4
> >		timelimit = 3
> >		net_timeout = 1
> >		# compare_check_items = yes
> >		# do_xlat = yes
> >		# access_attr_used_for_allow = yes
> >	}
> >
> >
> >Verify first that you can in fact query Active Directory with this
> >username/password combination.
> >
> >There is a utility called ldapsearch. I believe it comes with OpenLDAP.
> >Use that to directly query AD for verification.
> >
> >Here is an example:
> >
> >ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'dc=domain,dc=com' '(samaccountname=powerful)' -D powerful -w userspass
> >
> >This seems to work:
> >
> >[john@magellan ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu' -D any-user@serverdm.domain.edu -w Passw0rd
> >No such object (32)
> >Matched DN: DC=serverdm,DC=domain,DC=edu
> >Additional information: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
> >        'DC=serverdm,DC=domain,DC=edu'

Nope. That didn't work.....

Please read up on ldapsearch ("man ldapsearch"). Until you can verify
that the username/password is correct, it won't do you any good messing
with FreeRADIUS.
> >
> >
> >What does your "ldap" section in radiusd.conf look like? Can you please
> >provide a copy?
> >
> >
> >This will show whether the credentials are correct or not.
> >
> >


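A note on reading the ldapsearch output quoted above. OpenLDAP's ldapsearch performs the simple bind first and, if the credentials are refused, stops with a line of the form "ldap_bind: Invalid credentials (49)" and never searches. A "No such object (32)" with a "Matched DN" line is returned by the search itself, after a bind that was accepted: it says the base DN given with -b does not exist, and the Matched DN is the nearest entry that does (here DC=serverdm,DC=domain,DC=edu, which has no dc=name component and, in AD, holds the default user container as CN=Users, not ou=Users). The script below is an added example, not code from this thread or from FreeRADIUS or OpenLDAP. It classifies such output so a bind failure is not confused with a wrong search base, and it builds an ldapsearch argv with the base DN and filter as separate arguments (the one-liner earlier in the thread ran them together). The sample outputs are a copy of the one quoted above and a constructed bind-failure message in the format AD returns; the sub-code table is AD's documented "data NNN" values; host and user names are the placeholders from the thread.

```python
import re
import shlex

# Sub-codes Active Directory appends to result 49 (invalidCredentials)
# as "AcceptSecurityContext error, data NNN".
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

RESULT_CODE_RE = re.compile(r"\((\d+)\)")
MATCHED_DN_RE = re.compile(r"^Matched DN:\s*(.+?)\s*$", re.MULTILINE)
AD_DATA_RE = re.compile(r"\bdata\s+([0-9a-f]+)", re.IGNORECASE)

# Constructed copy of the output quoted in the thread (names as posted).
THREAD_OUTPUT = """No such object (32)
Matched DN: DC=serverdm,DC=domain,DC=edu
Additional information: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=serverdm,DC=domain,DC=edu'
"""

# Constructed example of AD refusing the bind password (OpenLDAP client format).
BIND_FAILURE_OUTPUT = """ldap_bind: Invalid credentials (49)
\tadditional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
"""


def classify_ldapsearch_output(output):
    """Classify what an `ldapsearch -x ...` run against AD reported.

    Returns a dict with stage ("bind", "search" or "entries"), the LDAP
    result code, bind_ok (was the simple bind accepted?) and a detail string;
    subcode / matched_dn / entries are added where they apply.
    """
    text = output.strip()
    first = text.splitlines()[0] if text else ""

    # The client stops at the bind: nothing here is a search problem.
    if first.startswith("ldap_bind:"):
        m = RESULT_CODE_RE.search(first)
        code = int(m.group(1)) if m else None
        d = AD_DATA_RE.search(text)
        subcode = d.group(1).lower() if d else None
        reason = AD_BIND_SUBCODES.get(subcode, "bind refused")
        return {"stage": "bind", "code": code, "bind_ok": False,
                "subcode": subcode, "detail": f"bind failed: {reason}"}

    # A result code without a "ldap_bind:" prefix came from the search,
    # i.e. the bind was already accepted.
    m = RESULT_CODE_RE.search(first)
    if m and not first.startswith("dn:"):
        code = int(m.group(1))
        md = MATCHED_DN_RE.search(text)
        matched_dn = md.group(1) if md else None
        if code == 32:
            detail = "bind succeeded; the search base does not exist"
            if matched_dn:
                detail += f", nearest existing ancestor is {matched_dn}"
        else:
            detail = f"bind succeeded; search returned result {code}"
        return {"stage": "search", "code": code, "bind_ok": True,
                "matched_dn": matched_dn, "detail": detail}

    # LDIF entries (or no output at all): bind and search both worked.
    n = sum(1 for line in text.splitlines() if line.startswith("dn:"))
    return {"stage": "entries", "code": 0, "bind_ok": True, "entries": n,
            "detail": f"bind and search succeeded, {n} entries returned"}


def ldapsearch_argv(host, bind_dn, base_dn, ldap_filter, password=None, attrs=()):
    """argv for a simple-bind search. Base DN and filter stay separate items,
    so the run-together quoting from the thread cannot recur. With
    password=None, -W makes ldapsearch prompt instead of exposing the
    password on the command line (visible to other users via ps)."""
    argv = ["ldapsearch", "-LLL", "-x", "-H", f"ldap://{host}", "-D", bind_dn]
    argv += ["-w", password] if password is not None else ["-W"]
    argv += ["-b", base_dn, ldap_filter, *attrs]
    return argv


if __name__ == "__main__":
    for sample in (THREAD_OUTPUT, BIND_FAILURE_OUTPUT):
        print(classify_ldapsearch_output(sample)["detail"])
    # Search under the Matched DN that AD reported, keyed on sAMAccountName.
    print(shlex.join(ldapsearch_argv("name.serverdm.domain.edu",
                                     "any-user@serverdm.domain.edu",
                                     "DC=serverdm,DC=domain,DC=edu",
                                     "(sAMAccountName=any-user)",
                                     attrs=("dn", "sAMAccountName"))))
```

Run against the thread's own output this reports a successful bind and a missing base, which is the opposite conclusion from "the credentials are wrong"; a genuine credential problem shows up as stage "bind" with the AD sub-code telling you whether it is the password, a disabled account or a lockout.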
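One more thing worth checking in the ldap section quoted above before any of it goes into production: it has start_tls = no and a plain IP for server, so the simple bind of dmadmin1 goes to 10.1.1.29 in the clear, and so does every user password rlm_ldap verifies by binding as that user (PAP). The filter also keys on uid, while the ldapsearch in the same thread correctly uses samaccountname; AD user objects are looked up by sAMAccountName. Below is an added example, not FreeRADIUS code, of a small checker for the keys that appear in that section. It runs on a constructed copy of the posted section (bind password replaced) and on a hardened variant; the AD attribute names it suggests (sAMAccountName, msNPAllowDialin) are standard AD, while the hostname, CA path and bind DN in the hardened variant are assumptions.

```python
import re

# Constructed copy of the ldap section quoted in the thread, password replaced.
THREAD_LDAP_SECTION = """
ldap {
        server = "10.1.1.29"
        identity = dmadmin1
        password = REDACTED
        basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        # tls_cacertfile        = /path/to/cacert.pem
        # tls_require_cert      = "demand"
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
"""

# Constructed hardened variant; host, CA file and bind DN are assumptions.
HARDENED_LDAP_SECTION = """
ldap {
        server = "dc1.serverdm.domain.edu"
        identity = "cn=radius-bind,cn=Users,dc=serverdm,dc=domain,dc=edu"
        password = REDACTED
        basedn = "dc=serverdm,dc=domain,dc=edu"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/ad-ca.pem
        tls_require_cert = "demand"
        access_attr = "msNPAllowDialin"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
"""


def parse_ldap_section(text):
    """Return the active key = value pairs of an rlm_ldap section.

    '#' comments and the braces are skipped and surrounding quotes are
    stripped. A value containing a literal '#' is not handled (none here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def audit_ldap_section(settings):
    """Return (severity, message) findings for one parsed ldap section."""
    findings = []
    ident = settings.get("identity", "?")
    server = settings.get("server", "?")
    tls_on = settings.get("start_tls", "no").lower() == "yes"

    if not tls_on:
        findings.append(("HIGH", f"start_tls = no: the simple bind of '{ident}' to {server} "
                                 "and every user password checked by binding as the user (PAP) "
                                 "cross the network in the clear"))
    else:
        req = settings.get("tls_require_cert", "").lower()
        if req and req not in ("demand", "hard"):
            findings.append(("HIGH", f'tls_require_cert = "{req}" skips server certificate verification'))
        if not (settings.get("tls_cacertfile") or settings.get("tls_cacertdir")):
            findings.append(("INFO", "no tls_cacertfile/tls_cacertdir in this section: "
                                     "certificate verification relies on the system ldap.conf TLS_CACERT"))

    if re.search(r"\(\s*uid\s*=", settings.get("filter", ""), re.IGNORECASE):
        findings.append(("MED", "filter keys on uid; AD user objects are looked up by sAMAccountName "
                                "(the attribute the thread's own ldapsearch uses)"))

    if settings.get("access_attr") == "dialupAccess":
        findings.append(("MED", "access_attr = dialupAccess is the FreeRADIUS sample-schema attribute; "
                                "AD keeps the dial-in flag in msNPAllowDialin"))

    if "password" in settings:
        findings.append(("INFO", f"bind password for '{ident}' is in the config file: "
                                 "keep radiusd.conf readable only by the radius user"))
    return findings


def high_findings(text):
    """HIGH-severity messages for a section given as text."""
    return [msg for sev, msg in audit_ldap_section(parse_ldap_section(text)) if sev == "HIGH"]


if __name__ == "__main__":
    for name, text in (("thread", THREAD_LDAP_SECTION), ("hardened", HARDENED_LDAP_SECTION)):
        print(f"== {name} ==")
        for sev, msg in audit_ldap_section(parse_ldap_section(text)):
            print(f"  [{sev}] {msg}")
```

The checker only covers what this thread's section exposes. Separately, because AD never returns a user's password or NT hash over LDAP, rlm_ldap against AD can only authenticate PAP by bind-as-user; the MS-CHAP used by most wireless PEAP deployments has to go through ntlm_auth instead, which is a different configuration from the one posted.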



