Freeradius/Radtest fails to authenticate against Google LDAP

Christian Bednarz christian.bednarz at lanes-planes.com
Mon Feb 8 18:26:14 CET 2021


Hi all.

I am trying hard to get Freeradius working with Google LDAP, but I feel totally stuck and desperate.

My starting point was following the Google documentation ( https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius ), which some people have pointed out is not really accurate. After some adjustments I find myself stuck in the woods. Admittedly I have just very basic knowledge of Linux (I use Ubuntu 20).

When I run radtest I get this result:

root at freeradius1:/home/serveradmin# radtest it-test2@lanes-planes.com PASSWORD 127.0.0.1 1 testing123
Sent Access-Request Id 50 from 0.0.0.0:39324 to 127.0.0.1:1812 length 95
	User-Name = "it-test2@lanes-planes.com"
	User-Password = "PASSWORD"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "PASSWORD"
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:39324 length 20
(0) -: Expected Access-Accept got Access-Reject

Here is the debug output of freeradius -X:

(0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95
(0)   User-Name = "it-test2@lanes-planes.com"
(0)   User-Password = "PASSWORD"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 1
(0)   Message-Authenticator = 0xf9bad2a09e9c1eb0e3c9317b52b40faf
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "lanes-planes.com" for User-Name = "it-test2@lanes-planes.com"
(0) suffix: Found realm "lanes-planes.com"
(0) suffix: Adding Stripped-User-Name = "it-test2"
(0) suffix: Adding Realm = "lanes-planes.com"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=it-test2)
(0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test2)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(0)     [ldap] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     if (User-Password) {
(0)     if (User-Password)  -> TRUE
(0)     if (User-Password)  {
(0)       update control {
(0)         Auth-Type := ldap
(0)       } # update control = noop
(0)     } # if (User-Password)  = noop
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = ldap
(0) Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> it-test2@lanes-planes.com
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:39324 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 50 with timestamp +39
Ready to process requests


If any of you could point me in the right direction as to what would need to be corrected to get this working, that would be just awesome. If it helps, I would also be willing to share other config files, like sites-enabled/default. Thanks.

Best regards
Christian
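For readers who land here with the same debug output, two lines explain the reject: `ldap: Search returned no results` (the user search under the configured base DN matched no entry, so rlm_ldap returned notfound), and `Auth-Type sub-section not found. Ignoring.` (the `authenticate` section of sites-enabled/default has no `Auth-Type LDAP` block; the stock 3.0 config ships it commented out). The fragment below is an added illustration of where those two pieces live, not configuration from the original mail; the file paths assume the Debian/Ubuntu layout visible in the debug output, and the base DN and filter mirror the values the debug output shows being expanded.

```conf
# /etc/freeradius/3.0/sites-enabled/default  (assumed path, matches the debug output)
authenticate {
	# ... other Auth-Types (PAP, CHAP, MS-CHAP, EAP) ...

	# Shipped commented out in stock 3.0. Without it, "Found Auth-Type = ldap"
	# is followed by "Auth-Type sub-section not found. Ignoring." and the
	# request falls through to a reject even if the LDAP lookup had succeeded.
	Auth-Type LDAP {
		ldap
	}
}

# /etc/freeradius/3.0/mods-enabled/ldap  (relevant part of the rlm_ldap module config)
ldap {
	server  = 'ldaps://ldap.google.com:636'
	port    = 636
	base_dn = 'dc=lanes-planes,dc=com'

	user {
		base_dn = "${..base_dn}"
		# This is the filter the debug output expands to "(uid=it-test2)".
		# "Search returned no results" means no entry below base_dn carries
		# uid=it-test2; verify the base DN and the attribute with an
		# independent ldapsearch (using the same client certificate) before
		# changing anything else.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}
```

Both findings are independent: fixing the missing `Auth-Type LDAP` block alone will not help while the user search still returns nothing, because rlm_ldap binds as the user with the DN it found, and it found none.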

