Hi Gurus,

I have installed FreeRADIUS and used the LDAP module to authenticate to Windows 2003 AD. The problem is it can't do the authentication; it seems that I missed something in the radiusd.conf LDAP module configuration, which causes the LDAP module to fail when connecting to MS AD. Below is my radiusd.conf config file.

Hoping that you guys can help me, because I have been googling all day for this config and I cannot make this thing work... Thanks in advance.

radiusd.conf:

ldap {
    server = "oberon.chikka.ph"
    # identity = "cn=admin,o=My Org,c=UA"
    identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"
    password = _bant@3a-@n
    # password = mypass
    basedn = "dc=chikka,dc=ph"
    # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
    #filter = "(SamAccountName=%U)"
    #filter = "(SamAccountName=%u)"
    # base_filter = "(objectclass=radiusprofile)"
    base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"
    filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 689) connections
    start_tls = no

    # tls_cacertfile = /path/to/cacert.pem
    # tls_cacertdir = /path/to/ca/dir/
    # tls_certfile = /path/to/radius.crt
    # tls_keyfile = /path/to/radius.key
    # tls_randfile = /path/to/rnd
    # tls_require_cert = "demand"

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 5

    #
    # NOTICE: The password_header directive is NOT case insensitive
    #
    # password_header = "{clear}"
    #
    # The server can usually figure this out on its own, and pull
    # the correct User-Password or NT-Password from the database.
    #
    # Note that NT-Passwords MUST be stored as a 32-digit hex
    # string, and MUST start off with "0x", such as:
    #
    # 0x000102030405060708090a0b0c0d0e0f
    #
    # Without the leading "0x", NT-Passwords will not work.
    # This goes for NT-Passwords stored in SQL, too.
    #
    # password_attribute = userPassword
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    groupmembership_attribute = memberOf
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
}


Here is my radiusd -X -A log...

rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59
        User-Name = "myaccount"
        User-Password = "mypass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "myaccount", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myaccount" with password "mypass"
radius_xlat: '(&(sAMAccountName=myaccount)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 42 to 192.168.1.13:37146
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 42 with timestamp 43a23bb5
Nothing to do.  Sleeping until we see a request.

-- 
Mike Calizo
Registered Linux User # 365113

_________________________________________________
Even the longest journey has to start with a small first-step
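Two pre-flight checks a practitioner would run against the config and debug output above, as an added example that is not part of the original post (Python 3, standard library only; SAMPLE_LOG is a constructed copy of the rlm_ldap lines from the log, and the stage labels are this example's own names, not rlm_ldap terminology):

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the post (not a live capture).
SAMPLE_LOG = """\
rlm_ldap: login attempt by "myaccount" with password "mypass"
radius_xlat: '(&(sAMAccountName=myaccount)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
modcall[authenticate]: module "ldap" returns fail for request 0
"""

def filter_is_balanced(ldap_filter: str) -> bool:
    """True when every '(' in an RFC 4515 search filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a ')' before its '('
                return False
    return depth == 0

def dn_is_wellformed(dn: str) -> bool:
    """Every comma-separated RDN must look like attr=value (AD memberOf values are full DNs).
    Simplification: escaped commas inside values are not handled."""
    return all(re.fullmatch(r"\s*[A-Za-z][\w-]*=.+", rdn) for rdn in dn.split(","))

def triage_rlm_ldap(log: str) -> dict:
    """Point at the stage where an rlm_ldap authenticate pass fails in radiusd -X output.
    Stage labels are assumptions of this example: 'admin_bind' means the service-account
    bind from the ldap {} section was rejected, so the user search was never attempted."""
    result = {"stage": "ok", "bind_dn": None, "unbalanced_filters": []}
    for line in log.splitlines():
        m = re.match(r"radius_xlat: '(\(.*)'$", line)           # expanded search filters
        if m and not filter_is_balanced(m.group(1)):
            result["unbalanced_filters"].append(m.group(1))
        m = re.match(r"rlm_ldap: bind as (.+?)/\S* to ", line)  # identity used for the bind
        if m:
            result["bind_dn"] = m.group(1)
        if "LDAP login failed: check identity, password" in line:
            result["stage"] = "admin_bind"
        elif 'module "ldap" returns fail' in line and result["stage"] == "ok":
            result["stage"] = "module_fail"  # failed after the bind: inspect the search/user-auth lines
    return result
```

On the posted log the triage lands on the admin bind (the identity/password pair in ldap {}), which fails before any filter is sent; the unbalanced filter and the non-DN memberOf value in base_filter are the next things that would break once that bind succeeds.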