guide on configuring freeradius 3 LDAP

Douglas C Ward douglas at ugutech.com
Thu Jan 18 21:41:41 CET 2018 

I just tried things, and ran into…

(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> dward at iacollaborative.com
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated

… so I assumed there was something in the default file. I saw in there…

#       Auth-Type LDAP {
#               ldap
#       }

so I uncommented that, restarted the server in debug, and got this error…

radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default
 # Loading authenticate {...}
/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[513]: Failed to find "pam" as a module or policy.
/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[513]: Please verify that the configuration exists in /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/pam.
/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[476]: Errors parsing authenticate section. 

… so I assume there’s some further config I’m missing.

—Douglas

> On Jan 18, 2018, at 2:10 PM, Douglas Ward <douglas at ugutech.com> wrote:
> 
> Thanks Alan, I’ll give that a go. I had gotten the impression that there were additional files to configure beyond the mods-available/ldap . Ill report back.
> 
> -- Douglas
> 
> 
>> On Jan 18, 2018, at 1:29 PM, Alan DeKok <aland at deployingradius.com> wrote:
>> 
>>> On Jan 18, 2018, at 1:18 PM, Douglas C Ward <douglas at ugutech.com> wrote:
>>> I just joined the list recently, in hopes to get some help in configuring LDAP on my FreeRADIUS server. I have found a lot of documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I have worked through the initial setup on the http://wiki.freeradius.org/guide/Getting-Started <http://wiki.freeradius.org/guide/Getting-Started> and was able to connect with “Access-Accept”. But now I want to connect an LDAP server (specifically, a VLDAP server from OneLogin). I have all their docs, and have all the base DN and Bind DN info. But the documentation at http://wiki.freeradius.org/modules/Rlm_ldap <http://wiki.freeradius.org/modules/Rlm_ldap> seem to “start in the middle” for me. It says you "can"…
>>> 
>>> "To enable LDAP in your FreeRADIUS server, you can:
>>> 
>>> • instantiate an ldap module - which sets up the server name, the base DN, etc
>>> • authenticate using an ldap module instance - which makes the FreeRADIUS server verify the user's identity in the LDAP directory, usually involving some form of checking the validity of the password
>>> • authorize using an ldap module instance - which makes the FreeRADIUS server verify the user's level of authorization in the LDAP directory, usually involving verifying group membership or similar"
>>> 
>>> … but I don’t have enough experience to evaluate those options, or know how to do any of them. So I am looking for a simple  “how to enable LDAP on FreeRADIUS 3” that I can follow to get things working, and learn from there. Thank you.
>> 
>> Edit raddb/mods-available/ldap.  Configure it.
>> 
>> i.e. *read* the comments.  They tell you what the options do, and how they work.  Fill in the configuration as necessary.
>> 
>> Start the server in debug mode.  Send it a test packet using "radtest".  Use a name/password that's in LDAP.
>> 
>> If it gets Access-Accept, you're good!
>> 
>> If not, *read* the debug output to see what it's doing.  If you don't understand it, post it here.
>> 
>> It really is that simple.  The "radtest" example *should* work if the LDAP module (a) talks to the LDAP server, and (b) is configured to search the right part of the LDAP tree.
>> 
>> The default configuration is designed to work with minimal edits.  So do minimal edits, and it will work.
>> 
>> Alan DeKok.
>> 
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list