LDAP + SASL Freeradius 3.0.11

Matthew Beckler mbeckler at overturecenter.org
Thu May 5 22:25:11 CEST 2016


I'm currently learning FreeRADIUS, so most of this is new to me.
My ultimate goal is to authenticate users via winbind and check group membership via LDAP against Active Directory in post-auth.
I was feeling good until I got to the LDAP section.

I have the following working:
Winbind authentication
ldapsearch is working for testing with: ldapsearch -LLL -Y "DIGEST-MD5" -h dc.dc.local -U ldaplookup -W -b "ou=Users,ou=OU,dc=dc,dc=local" sAMAccountName=usertoget

However when running freeradius -X I receive the following:

rlm_ldap (ldap): Connecting to ldap://dc.dc.local:389
rlm_ldap (ldap): Starting SASL mech(s): DIGEST-MD5
SASL/DIGEST-MD5 authentication started
rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
rlm_ldap (ldap): Server said: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1.
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/freeradius/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

Obviously I have checked the username and password at least 10 times and pasted them in. It appears 52e means correct username but bad password.

I'm probably setting up my ldap config wrong, so here are the sections I have changed; I did not change anything else below this line. Maybe I'm doing this totally incorrectly.

ldap {

        server = 'dc.dc.local'
        #  Port to connect on, defaults to 389, will be ignored for LDAP URIs.
#       port = 389
        #  Administrator account for searching and possibly modifying. If using SASL + KRB5 these should be commented out.
        identity = 'ldaplookup'
        password = ****************
        #  Unless overridden in another section, the dn from which all searches will start from.
        base_dn = 'ou=Users,ou=Company,dc=dc,dc=local'
        #  SASL parameters to use for admin binds
        #  When we're prompted by the SASL library, these control the responses given, as well as the identity and password directives above.
        #  If any directive is commented out, a NULL response will be provided to cyrus-sasl.
        #  Unfortunately the only way to control Kerberos here is through environment variables, as cyrus-sasl provides no API to set the krb5 config directly.
        #  Full documentation for MIT krb5 can be found here:
        #       http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
        #  At a minimum you probably want to set KRB5_CLIENT_KTNAME.
        sasl {
                # SASL mechanism
                mech = 'DIGEST-MD5'
                # SASL authorisation identity to proxy.
#               proxy = 'autz_id'
                # SASL realm. Used for kerberos.
#               realm = 'example.org'
        }
        # (remaining ldap directives left at their defaults)
}

Thanks for any assistance 
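For anyone reading the debug output above, here is a small Python helper (an added example, not code from the post or from FreeRADIUS) that parses the Active Directory "Server said:" diagnostic and maps its data sub-code to the well-known meaning, so the credential failure can be told apart from account-state or policy failures. The log lines it scans are constructed from the ones quoted in the post.

```python
import re

# Well-known Active Directory "data" sub-codes on AcceptSecurityContext bind
# failures (hex, exactly as the domain controller returns them).
AD_BIND_DATA_CODES = {
    "525": ("account", "user not found"),
    "52e": ("credentials", "logon failure: username valid, password rejected"),
    "530": ("policy", "logon not permitted at this time"),
    "531": ("policy", "logon not permitted from this workstation"),
    "532": ("credentials", "password expired"),
    "533": ("account", "account disabled"),
    "701": ("account", "account expired"),
    "773": ("credentials", "user must reset password"),
    "775": ("account", "account locked out"),
}

# Shape of the diagnostic string: HRESULT: LdapErr: DSID-xxx, comment: ..., data xxx, vxxxx
DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)


def parse_ad_bind_diagnostic(line):
    """Parse an AD bind diagnostic string; return a dict of its fields or None."""
    m = DIAG_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["data"] = info["data"].lower()
    category, meaning = AD_BIND_DATA_CODES.get(info["data"], ("unknown", "unrecognised sub-code"))
    info["category"] = category
    info["meaning"] = meaning
    return info


def scan_debug_output(lines):
    """Return parsed diagnostics for every 'Server said:' line in radiusd -X output."""
    results = []
    for line in lines:
        if "Server said:" in line:
            parsed = parse_ad_bind_diagnostic(line)
            if parsed:
                results.append(parsed)
    return results


# Constructed sample: the rlm_ldap lines quoted in the post above.
SAMPLE_LOG = [
    "rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials",
    "rlm_ldap (ldap): Server said: 8009030C: LdapErr: DSID-0C0904DC, "
    "comment: AcceptSecurityContext error, data 52e, v1db1.",
]

if __name__ == "__main__":
    for d in scan_debug_output(SAMPLE_LOG):
        print(d["data"], d["category"], d["meaning"])
```

A "credentials" result points at the bind identity/password and SASL realm settings in the ldap module rather than at connectivity or the base_dn.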

