guide on configuring freeradius 3 LDAP

Nathan Ward lists+freeradius at daork.net
Thu Jan 25 23:36:34 CET 2018


Hi,

> On 24/01/2018, at 3:35 AM, Douglas C Ward <douglas at ugutech.com> wrote:
> 
> 
> 
>> On Jan 21, 2018, at 10:41 PM, Nathan Ward <lists+freeradius at daork.net <mailto:lists+freeradius at daork.net>> wrote:
>> 
>> 
>> 
>> 
>> OK, thanks for that.
>> 
>> So this tells us several things.
>> 1) Your admin credentials are correct (though we can actually improve this, more later)
>> 2) You need to use “cn=“ and not “uid=“ in the filter.
>> 3) You must do user binds, rather than pull a userPassword attribute from LDAP, as the userPassword attribute is not visible even to the admin. This means that you can only use RADIUS for auth when you have a User-Password attribute - i.e. CHAP etc. will not work.
>> 4) The OneLogin LDAP seems to work OK.. but one more test.
>> 
>> This time, type your “dward” password, *not* the admin password.
>> $ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>)’ dn
>> 
>> The result should have a success in there, and should say somewhere:
>> dn: cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com
>> 
>> If so, we have done a successful "User Bind” - these are almost exactly the same protocol steps as FreeRADIUS will do (actually slightly more), which means OneLogin is working great.
>> If not, post the command and response as you did above, and don’t do anything else.
> 
> testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>)’ dn
>> <blah blah blah>
>> ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>)’ dn
> -bash: syntax error near unexpected token `('
> testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>)' dn
> Enter LDAP Password: 
> # extended LDIF
> #
> # LDAPv3
> # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree
> # filter: (cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>)
> # requesting: dn 
> #
> 
> # dward at iacollaborative.com <mailto:dward at iacollaborative.com>, users, iacollaborative.onelogin.com <http://iacollaborative.onelogin.com/>
> dn: cn=dward at iacollaborative.com <mailto:cn=dward at iacollaborative.com>, ou=users, dc=iacollaborative, dc=onelogin, d
> c=com
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> —————
> 
> So I see that the dn= result you anticipated is there, but the result still says “result: 0 success” . Let me know if I should try it with the ldap config edit.

Yeah so that result: 0 Success is referring to the return code of the search function. It is 0, which in most C APIs means “success”.

You should be able to make the other stuff work, per the rest of my email. Let me know how you get on :-)

--
Nathan Ward



More information about the Freeradius-Users mailing list