Use Active Directory groups to authorize users on FreeRADIUS 3.0.x

uj2.hahn at posteo.de
Sat Feb 22 17:16:53 CET 2020


> rlm_ldap (ldap): Bind with *cn=Administrator,cn=Users,dc=mydomain,dc=com*

This doesn't match your ldap search binding:
> "ou=drc,dc=mydomain,dc=com"

Maybe this is the issue? Please double check your ldap settings!
Regards
Uwe

On 21.02.2020 23:40, Igor Sousa wrote:
> Hello everybody,
>
> I have had some problems authorizing users based on Active Directory
> (Samba 4 DCs) groups.
>
> I have followed
> http://deployingradius.com/documents/configuration/active_directory.html to
> configure ntlm_auth and it works perfectly.
>
> As I need to restrict access to some AD groups, I need to configure the ldap
> module. I had already configured the ldap module, but for pure OpenLDAP
> (uid stores the username and userPassword stores the password). Then, to set up
> the ldap module to access AD's LDAP, I read the comments in mods-available/ldap
> and set "server", "identity", "password" and "base_dn" in mods-enabled/ldap.
> I have also set up, to use the attribute that stores the username on AD,
>
> user {
> ...
> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> ...
> }
>
> and
>
> group {
> ...
> filter = '(objectClass=group)'
> ...
> name_attribute = cn
>
> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>
> membership_attribute = 'memberOf'
> ...
> }
>
> When I tried to run radiusd -X, it showed an error message about the
> bind attempted to the ldap server:
>
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>
> I suspected SASL, because I hadn't been told that LDAP uses STARTTLS
> or SSL/TLS. Then I commented out identity and password and ran radiusd -X:
>
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>
> I ran kinit Administrator before running the ldapsearch below, and it hasn't
> shown any ERROR.
>
> Please, can someone help me about my problem?
>
> [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName
> SASL/GSS-SPNEGO authentication started
> SASL username: Administrator at MYDOMAIN.COM
> SASL SSF: 256
> SASL data security layer installed.
>
> --
> Igor Sousa
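What the first log excerpt in the quoted post records is the directory refusing a simple bind (DN plus password) over plaintext ldap:// on port 389: "Strong(er) authentication required" with the Samba detail "BindSimple: Transport encryption required". A Samba AD DC (and a Windows DC with LDAP signing enforced) accepts a simple bind only over an encrypted transport, which is why the interactive ldapsearch worked: run without -x it negotiated SASL/GSS-SPNEGO with the kinit ticket and installed a security layer (SSF 256), which counts as strong authentication. The "Local error" in the second attempt is the usual symptom of GSSAPI having no usable Kerberos credential in the context radiusd runs in; a ticket obtained with kinit as root is not automatically visible to the radiusd user. The simplest robust fix for an rlm_ldap instance that only does authorization (ntlm_auth still does the authentication) is to keep the simple bind but put it on LDAPS or StartTLS and verify the DC's certificate. The following is an added example of that, not the poster's file or anything from the FreeRADIUS project; the host name, the service-account DN, the certificate path and the group name "radius-users" are assumptions, and the weak setting is left in as a comment beside the corrected one.

```text
# /etc/raddb/mods-enabled/ldap (FreeRADIUS 3.0.x) -- added example, not the
# poster's configuration. Host names, DNs, the CA path and the group name
# are assumptions.
ldap {
	# BEFORE (what the log shows): plaintext ldap:// plus a simple bind.
	# A Samba AD DC with the default "ldap server require strong auth = yes"
	# answers "Strong(er) authentication required / BindSimple: Transport
	# encryption required" and the module fails to instantiate.
	#server = 'ldap://dc01.mydomain.com:389'

	# AFTER: LDAPS on 636. Alternatively keep 'ldap://dc01.mydomain.com:389'
	# and set start_tls = yes in the tls section below.
	server = 'ldaps://dc01.mydomain.com:636'

	# A dedicated read-only service account instead of the domain Administrator
	# (assumed DN); it only needs to read users and group membership.
	identity = 'cn=svc-radius,ou=service accounts,dc=mydomain,dc=com'
	password = 'change-me'
	base_dn = 'dc=mydomain,dc=com'

	user {
		base_dn = "${..base_dn}"
		# AD keeps the login name in sAMAccountName, not uid.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=group)'
		scope = 'sub'
		name_attribute = cn
		# AD records membership as DNs in 'member' (on the group) and
		# 'memberOf' (on the user). 'memberUid' is an OpenLDAP posixGroup
		# attribute and never matches against AD, so it is dropped here.
		membership_filter = "(member=%{control:Ldap-UserDn})"
		membership_attribute = 'memberOf'
		cacheable_name = yes
	}

	tls {
		# Set to yes only when server = 'ldap://...:389' (StartTLS upgrade).
		start_tls = no
		# CA that issued the DC's LDAP certificate (assumed path). With
		# require_cert = 'demand' the connection fails closed on an
		# untrusted or mismatched certificate instead of falling back.
		ca_file = /etc/raddb/certs/ad-ca.pem
		require_cert = 'demand'
	}
}

# /etc/raddb/sites-enabled/default, authorize section: the ldap module
# resolves the user DN and its groups; LDAP-Group compares against the
# group's cn because name_attribute = cn above. Group name is assumed.
authorize {
	...
	ldap
	if (!(LDAP-Group == "radius-users")) {
		reject
	}
	...
}
```

Before restarting radiusd, reproduce the bind the module will do from the same host with the OpenLDAP client, forcing a simple bind with -x so SASL does not mask the transport problem: `ldapsearch -x -LLL -H ldaps://dc01.mydomain.com -D 'cn=svc-radius,ou=service accounts,dc=mydomain,dc=com' -W -b 'dc=mydomain,dc=com' '(sAMAccountName=someuser)' memberOf` for LDAPS, or the same command with `-ZZ -H ldap://dc01.mydomain.com` for StartTLS on 389. If that returns the user's memberOf values, the module's bind will succeed; if it fails with a certificate error, fix the CA file rather than loosening require_cert.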


