LDAP(Active Directory) password AND groups not working together

duckeo duckeo at gmail.com
Mon Jun 26 06:28:47 CEST 2006


I'm pretty sure the problem lies in my interpretation of the users
file documentation, but I'm now stuck.

The aim is to authenticate users to their MS active directory account
via LDAP, and then check that the user is a member of the WirelessVPN
group -- if these two conditions meet then the user is granted access.

What's happening at the moment is as long as the user EXISTS the
authentication will pass, even if the password is incorrect. If the
useraccount does not exist it will fail.

Output from debug during a CORRECT username but INCORRECT password (blablalba):

rad_recv: Access-Request packet from host 10.200.148.49:3678, id=81, length=50
        User-Name = "radiustest"
        User-Password = "blablabla"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for radiustest
radius_xlat:  '(&(sAMAccountname=radiustest)(objectClass=person))'
radius_xlat:  'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Domain
Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter
(&(sAMAccountname=radiustest)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user radiustest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "radiustest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar'
radius_xlat:  '(&(objectClass=group)(member=CN=Test\\,
Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Domain
Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter
(&(cn=RadiusWirelessVPN)(&(objectClass=group)(member=CN=Test\\,
Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar)))
rlm_ldap::ldap_groupcmp: User found in group RadiusWirelessVPN
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 216
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns ok for request 4
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat:  'You are now connected FooBar Network.'
Sending Access-Accept of id 81 to 10.200.148.49:3678
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Reply-Message = "You are now connected to the FooBar Network"
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 81 with timestamp 449f618f
Nothing to do.  Sleeping until we see a request.

Configuration:
radiusd.conf
---
        ## LDAP lookup to Microsoft Active Directory (2003)
        ldap {
                server = "Foobar.com"
                identity = "ServiceAccount at Foobar"
                password = "xxxx"
                basedn = "OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar"
                filter =
"(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
                timeout = 40
                timelimit = 30
                net_timeout = 10

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword

                groupmembership_filter =
"(&(objectClass=group)(member=%{Ldap-UserDn}))"
                groupmembership_attribute = "memberOf"
        }


users
---

DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN",
Auth-Type := Accept
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Reply-Message = "You are now connected to FooBar",

DEFAULT Auth-Type := Reject
        Reply-Message = "Access Rejected - Please check your username
and password and try again."



More information about the Freeradius-Users mailing list