guide on configuring freeradius 3 LDAP

Douglas C Ward douglas at ugutech.com
Fri Jan 19 17:24:19 CET 2018


Not that you’re sitting on the edge of your seats, but with OneLogin’s techs, we confirmed that everything is 100% correct in my FreeRADIUS setup, but that there’s some error on their end. They’re digging into it. I’ll post the exciting conclusion so that other people in my situation will know what the fix is.

Thanks,

—Douglas

> On Jan 19, 2018, at 9:55 AM, Douglas C Ward <douglas at ugutech.com> wrote:
> 
> Talking to an engineer at OneLogin, their VLDAP server only supports TLS1.1, what TLS version does FreeRADIUS 3.0.15 use by default, and can I force it to use 1.1?
> 
> —Douglas
> 
>> On Jan 18, 2018, at 11:33 PM, Douglas C Ward <douglas at ugutech.com <mailto:douglas at ugutech.com>> wrote:
>> 
>> Answers below...
>> 
>>> On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius at daork.net> wrote:
>>> 
>>>> 
>>>> On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas at ugutech.com> wrote:
>>>> 
>>>> Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at
>>>> 
>>>> https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn
>>>> 
>>>> where it specifies…
>>>> 
>>>> Host name: ldap.us.onelogin.com
>>>> Port:
>>>>   389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes.
>>>>   636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation.
>>>> Base DN: dc=<subdomain>,dc=onelogin,dc=com
>>>> User's Virtual DN: cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com
>>>> User's Password: Password value.
>>> 
>>> I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity.
>> 
>> With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work.
>>> 
>>>> And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here.
>>> 
>>> Can you try your manual client with the same filter? (uid=dward at iacollaborative.com)?
>>> 
>>> They seem to want to use cn=username at domain rather than uid=username at domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help.
>> 
>> I tried substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like it, saying the credentials are invalid.
>>> 
>>> If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap.
>> 
>> And I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice.
>> 
>> On the OneLogin server, it shows a successful VLDAP login for the admin user admin at iacollaborative.com every attempt, but nothing for the dward@ user.
>> 
>>> It’s kinda odd to use cn there, but, whatever!
>>> 
>>>> Just curious, what would the error message say if I was on 3.0.16?
>>> 
>>> 
>>> If chase_referrals is on, the error is "Operations error with LDAP database.  Please see the LDAP server configuration / documentation for more information."
>> 
>> Thank you, good to know.
>> 
>> —Douglas
>>> 
>>> --
>>> Nathan Ward
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
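For readers following the thread, an added example (not the poster's configuration and not from FreeRADIUS or OneLogin) of the rlm_ldap settings discussed above: the user filter changed from uid= to cn= as Nathan suggests, the 389 test setting shown beside the ldaps:// 636 production setting, and chase_referrals left off. The admin e-mail, <subdomain>, password and CA bundle path are placeholders.

```conf
# mods-available/ldap excerpt (FreeRADIUS 3.0.x) -- added example, not the thread's file.
# Placeholders: <admin-email>, <admin-password>, <subdomain>, the ca_file path.
ldap {
	# Testing only: plain LDAP on 389, bind credentials cross the network unencrypted.
	#server = 'ldap://ldap.us.onelogin.com'

	# Production: LDAPS on 636, server certificate checked against the CA bundle below.
	server = 'ldaps://ldap.us.onelogin.com'

	# Bind as the OneLogin admin user, using the virtual DN layout from their docs.
	identity = 'cn=<admin-email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com'
	password = '<admin-password>'
	base_dn = 'dc=<subdomain>,dc=onelogin,dc=com'

	user {
		base_dn = "${..base_dn}"
		# OneLogin keys users on cn=<email>, not uid=. Use the raw User-Name so
		# the @domain part is kept even if a realm module strips it into
		# Stripped-User-Name; the cn must match the full e-mail address.
		filter = "(cn=%{User-Name})"
	}

	# Per the thread, with chase_referrals on 3.0.16 reports
	# "Operations error with LDAP database"; leave it off.
	chase_referrals = no

	tls {
		# The ldaps:// URL already negotiates TLS on connect; start_tls is for 389 + STARTTLS.
		start_tls = no
		ca_file = /etc/ssl/certs/ca-certificates.crt    # placeholder path
		# Fail the bind if the server certificate cannot be verified.
		require_cert = 'demand'
	}
}
```

Confirm the filter against the server first with a manual client bind as the same admin identity, as Nathan suggests, before debugging the module.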

