Use Active Directory Group to authorize a users on Freeradius 3.0.x

Igor Sousa igorvolt at gmail.com
Thu Feb 27 21:45:31 CET 2020


Hi Uwe,

Yes, I have enabled the SASL part in the ldap module because the ldap bind
with identity and password failed and reported "Strong(er) authentication
required / Server said: BindSimple: Transport encryption required.". The
LDAP server runs on port 389/tcp and no TLS has been configured on it. I'll
test on version 3.0.20 to verify whether there is a bug that was fixed in the
latest version.

--
Igor Sousa


On Tue, 25 Feb 2020 at 04:19, <uj2.hahn at posteo.de> wrote:

> It seems you enabled the SASL part in the ldap module. Is there a reason for
> it? I guess I run a very similar installation (a test instance with OpenLDAP
> and a production one with Active Directory). Both work fine without SASL,
> and both I run with the ldap protocol on port 389.
>
> Uwe
>
> On 24.02.2020 15:06, Igor Sousa wrote:
> > Hi Louis,
> >
> > My freeradius server is a domain member of mydomain.com and, before I
> > configured the ldap module, I had tested the ntlm_auth configuration and it
> > had worked perfectly. As I've said in the first email of this thread, I had
> > followed
> > http://deployingradius.com/documents/configuration/active_directory.html
> > to configure ntlm_auth.
> >
> > My problem is the ldap module. The employee who administrates mydomain.com
> > has told me the ldap server on this domain isn't configured to operate over
> > TLS or SSL. He has confirmed to me that ldap on dc01 is listening on port
> > 389/TCP and it isn't configured for STARTTLS, so there is no need to accept
> > certificates to connect to it. Because of that, I've tried to use SASL +
> > KRB5 to connect the freeradius server to ldap on dc01.mydomain.com. It
> > doesn't work, though. When I've tried to run a search with ldapsearch using
> > SASL on the command prompt of the freeradius server, it works perfectly
> > fine. My question is why it doesn't work in the freeradius service.
> >
> > PS1: I can connect to the ldap service on dc01 with the Apache Studio
> > application on port 389/TCP with no SSL or TLS configuration.
> >
> > PS2: I've noticed the freeradius version (3.0.16) in the official CentOS 8
> > repository isn't the latest version. I'll try to install the latest (3.0.20)
> > version from source and try it.
> >
> > Regards,
> > --
> > Igor Sousa
> >
> >
> > On Mon, 24 Feb 2020 at 05:00, L.P.H. van Belle via Freeradius-Users
> > <freeradius-users at lists.freeradius.org> wrote:
> >
> >> Hi Igor,
> >>
> >> Samba messages:  Strong(er) authentication required
> >>
> >> That's it.
> >>
> >> man smb.conf
> >>      ntlm auth (G)
> >>
> >> And set: ntlm auth = mschapv2-and-ntlmv2-only
> >> for the AD DCs and members where needed.
> >>
> >> bind with (anonymous) to ldap://dc01.mydomain.com:389 failed:
> >> Local error, you need to set up a separate user to do these ldap binds.
> >>
> >> And last, did you set up certificates for the server and services?
> >> If not I suggest you do that and use the ldaps ports; MS is preparing for
> >> that also, so be ahead of it.
> >>
> >> See if the above is sufficient to fix it, but I'm sure this is your problem.
> >>
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >>> -----Original message-----
> >>> From: Freeradius-Users
> >>> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org]
> >>> On behalf of Igor Sousa
> >>> Sent: Saturday 22 February 2020 19:47
> >>> To: FreeRadius users mailing list
> >>> Subject: Re: Use Active Directory Group to authorize a
> >>> users on Freeradius 3.0.x
> >>>
> >>> I don't see any problem with the ldap search bind. The DN
> >>> cn=Administrator,cn=Users,dc=mydomain,dc=com, just as the name says, is
> >>> the administrator user of mydomain.com and can search any other
> >>> Organisational Unit of mydomain.com. All my users, except Administrator,
> >>> are in ou=drc,dc=mydomain,dc=com. The Samba 4 domain works perfectly with
> >>> Windows/Linux as with the other systems my company has.
> >>>
> >>>
> >>> When I have tried to run radiusd -X with identity set in the ldap
> >>> module, radiusd -X has reported
> >>>
> >>> rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
> >>> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.
> >>>
> >>>
> >>> The employee who implemented the Samba DC at my company has notified me he
> >>> hasn't set ldap to run over ssl or start tls. Because of that, I have
> >>> tried to use SASL. It has worked fine when I have tried to run a simple
> >>> search using ldapsearch after kinit like this
> >>>
> >>> [root at centos8 ~]# kinit -a Administrator
> >>> [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName
> >>> SASL/GSS-SPNEGO authentication started
> >>> SASL username: Administrator at MYDOMAIN.COM
> >>> SASL SSF: 256
> >>> SASL data security layer installed.
> >>> <all users in ou=drc were shown>
> >>>
> >>>
> >>> But it hasn't worked with the freeradius ldap module.
> >>>
> >>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> >>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> >>> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> >>> SASL/GSSAPI authentication started
> >>> rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
> >>> rlm_ldap (ldap): Opening connection failed (0)
> >>> rlm_ldap (ldap): Removing connection pool
> >>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> >>>
> >>>
> >>> PS: I've used freeradius from the CentOS 8 repo, version 3.0.16, and the
> >>> host centos8 is a domain member of mydomain.com.
> >>>
> >>> --
> >>> Igor Sousa
> >>>
> >>>
> >>> On Sat, 22 Feb 2020 at 13:17, <uj2.hahn at posteo.de> wrote:
> >>>
> >>>>> rlm_ldap (ldap): Bind with
> >>> *cn=Administrator,cn=Users,dc=mydomain,dc=com*
> >>>> This doesn't match your ldap search binding:
> >>>>> "ou=drc,dc=mydomain,dc=com"
> >>>> Maybe this is the issue? Please double check your ldap settings!
> >>>> Regards
> >>>> Uwe
> >>>>
> >>>> On 21.02.2020 23:40, Igor Sousa wrote:
> >>>>> Hello everybody,
> >>>>>
> >>>>> I have had some problems authorizing users based on Active Directory
> >>>>> (Samba 4 DCs) groups.
> >>>>>
> >>>>> I have followed
> >>>>> http://deployingradius.com/documents/configuration/active_directory.html
> >>>>> to configure ntlm_auth and it works perfectly.
> >>>>>
> >>>>> As I need to restrict access to some AD groups, I need to configure the
> >>>>> ldap module. I had already configured the ldap module, but it has been
> >>>>> for pure OpenLDAP (uid stores the username and userPassword stores the
> >>>>> password). Then, to set up the ldap module to access AD ldap, I've read
> >>>>> the comments in mods-available/ldap and I have set up "server",
> >>>>> "identity", "password" and "base_dn" in mods-enabled/ldap. I have also
> >>>>> set up the user section to use the attribute that stores the username
> >>>>> on AD:
> >>>>>
> >>>>> user {
> >>>>> ...
> >>>>> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> >>>>> ...
> >>>>> }
> >>>>>
> >>>>> and
> >>>>>
> >>>>> group {
> >>>>> ...
> >>>>> filter = '(objectClass=group)'
> >>>>> ...
> >>>>> name_attribute = cn
> >>>>> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >>>>> membership_attribute = 'memberOf'
> >>>>> ...
> >>>>> }
> >>>>>
> >>>>> When I have tried to run radiusd -X, it has shown an error message about
> >>>>> the bind attempt to the ldap server:
> >>>>>
> >>>>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> >>>>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> >>>>> rlm_ldap (ldap): Waiting for bind result...
> >>>>> rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
> >>>>> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
> >>>>> rlm_ldap (ldap): Opening connection failed (0)
> >>>>> rlm_ldap (ldap): Removing connection pool
> >>>>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> >>>>>
> >>>>> I've suspected SASL because I haven't been notified that LDAP uses
> >>>>> STARTTLS or SSL over TLS. Then I've commented out identity and password
> >>>>> and run radiusd -X:
> >>>>>
> >>>>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> >>>>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> >>>>> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> >>>>> SASL/GSSAPI authentication started
> >>>>> rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
> >>>>> rlm_ldap (ldap): Opening connection failed (0)
> >>>>> rlm_ldap (ldap): Removing connection pool
> >>>>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> >>>>>
> >>>>> I ran kinit Administrator before running the ldapsearch below and it
> >>>>> hasn't shown any ERROR.
> >>>>>
> >>>>> Please, can someone help me with my problem?
> >>>>>
> >>>>> [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName
> >>>>> SASL/GSS-SPNEGO authentication started
> >>>>> SASL username: Administrator at MYDOMAIN.COM
> >>>>> SASL SSF: 256
> >>>>> SASL data security layer installed.
> >>>>>
> >>>>> --
> >>>>> Igor Sousa
> >>>>> -
> >>>>> List info/subscribe/unsubscribe? See
> >>>> http://www.freeradius.org/list/users.html
> >>>>
> >>>
> >>
>
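As an added example (not code from the thread or from FreeRADIUS itself), the following Python models what the quoted user and group sections of the ldap module do when rlm_ldap authorizes a user by AD group: find the user by sAMAccountName with the realm-stripped-name fallback, then check membership via the user's memberOf attribute or the group's member attribute. The directory entries, user names and the vpn-users group are constructed assumptions.

```python
# Added example, not code from the thread or from FreeRADIUS: models how the
# quoted rlm_ldap "user"/"group" settings resolve AD group membership against
# a constructed in-memory directory (hypothetical DNs, not real data).
DIRECTORY = {
    "cn=alice,ou=drc,dc=mydomain,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["cn=vpn-users,ou=drc,dc=mydomain,dc=com"]},
    "cn=bob,ou=drc,dc=mydomain,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"], "memberOf": []},
    "cn=vpn-users,ou=drc,dc=mydomain,dc=com": {
        "objectClass": ["group"], "cn": ["vpn-users"],
        "member": ["cn=alice,ou=drc,dc=mydomain,dc=com"]},
}

def find_user_dn(user_name, stripped_user_name=None):
    """user { filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" }:
    the xlat prefers the realm-stripped name and falls back to User-Name; the
    matching DN is what rlm_ldap keeps as control:Ldap-UserDn."""
    wanted = (stripped_user_name or user_name).lower()
    for dn, attrs in DIRECTORY.items():
        if "user" in attrs["objectClass"] and \
           wanted in (v.lower() for v in attrs.get("sAMAccountName", [])):
            return dn
    return None

def user_in_group(user_dn, group_cn):
    """Both lookups the quoted group section allows: membership_attribute
    (memberOf on the user) first, then membership_filter (member=<user DN>)
    against objectClass=group objects whose name_attribute (cn) matches."""
    group_cn = group_cn.lower()
    for gdn in DIRECTORY.get(user_dn, {}).get("memberOf", []):
        if group_cn in (c.lower() for c in DIRECTORY.get(gdn, {}).get("cn", [])):
            return True
    for attrs in DIRECTORY.values():
        if "group" in attrs["objectClass"] and \
           group_cn in (c.lower() for c in attrs.get("cn", [])) and \
           user_dn in attrs.get("member", []):
            return True
    return False

def authorize(user_name, required_group, stripped_user_name=None):
    """The policy the thread is after: accept only AD users in required_group."""
    dn = find_user_dn(user_name, stripped_user_name)
    if dn is None:
        return "reject: user not found"
    if not user_in_group(dn, required_group):
        return "reject: not in group " + required_group
    return "accept"
```

Against a live DC the two lookups cost differently: memberOf is a single read of the user object, while the member= filter is a search over group objects, so an unreachable or unbound LDAP connection (as in the quoted radiusd -X output) fails both before any policy runs.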

