<div dir="ltr">Hi there!<br><br>Finally I figured it out. The problem lay on the ldap module. We were trying to authenticate users from different domains using LDAP for group searching and assigning some attributes.<br><br>
SOLVED:<br><br>The ldap module is running two different instances, one instance for the first domain, second instance for the other one:<br><br>ldap domain1 {<br> <i>necessary data for configuring ldap</i><br>
}<br><br>ldap domain2 {<div> <i>necessary data for configuring ldap</i><br> }</div><div><br></div><div>Then, reading <a href="http://wiki.freeradius.org/modules/Rlm_ldap">http://wiki.freeradius.org/modules/Rlm_ldap</a> --> Group Support section.<br>
<br>I configured the file users as the documentation says: "domain1-Ldap-Group == " ;nevertheless, ldap search failed. It only searched inside one domain; consequently, only users from that domain were found.<br>
<br>HOWEVER, I read again <a href="http://wiki.freeradius.org/modules/Rlm_ldap">http://wiki.freeradius.org/modules/Rlm_ldap</a> and I found the key.<br><br>This sentence made the difference: "<span style="color:rgb(51,51,51);font-family:helvetica,arial,freesans,clean,sans-serif;font-size:13px;line-height:21.3439998626709px">Make sure though that the ldap module is instantiated before the files module so that it will have time to register the corresponding attribute. One solution would be to add the ldap module in the instantiate{} block in radiusd.conf"<br>
<br>The problem was that Radius were loading the file users before the ldap module... so the LDAP attributes were not counting in the process search.<br><br>I changed the radius.conf in order to load ldap module before users file.</span></div>
<div><span style="color:rgb(51,51,51);font-family:helvetica,arial,freesans,clean,sans-serif;font-size:13px;line-height:21.3439998626709px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:helvetica,arial,freesans,clean,sans-serif;font-size:13px;line-height:21.3439998626709px"><div>
modules {</div><div> $INCLUDE ${confdir}/modules/</div><div> $INCLUDE eap.conf</div><div> $INCLUDE sql.conf</div><div> ldap</div><div>}</div><div><br></div><div>and <br><br><div>instantiate {</div>
<div> exec</div><div> expr</div><div> expiration</div><div> logintime</div><div> domain1</div><div> domain2</div><div>}</div></div></span></div><div><span style="color:rgb(51,51,51);font-family:helvetica,arial,freesans,clean,sans-serif;font-size:13px;line-height:21.3439998626709px"><br>
</span></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">Finally, the users file config:<br><br><div>DEFAULT domain1-Ldap-Group == "gr_users_wifi"</div>
<div> Tunnel-Type = VLAN,</div><div> Tunnel-Medium-Type = IEEE-802,</div><div> Tunnel-Private-Group-Id:0 = "X"</div><div>DEFAULT domain2-Ldap-Group == "gr_users_wifi_domain2"</div>
<div> Tunnel-Type = VLAN,</div><div> Tunnel-Medium-Type = IEEE-802,</div><div> Tunnel-Private-Group-Id:0 = "X"</div></span></font></div><div><br></div><div>It works!!!</div><div><br></div><div>
Thanks a lot for the wiki! It was very useful even though sometimes it is not read enough.<br><br><br></div><div>Have a good one,<br><br><br></div><div><br></div><div><br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Fri, Jan 24, 2014 at 10:20 AM, Luis Diaz <span dir="ltr"><<a href="mailto:ldiaz@rumbo.com" target="_blank">ldiaz@rumbo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi there!<br><br>First of all, I'd like to thank everybody in this forum for the help you provide. This forum has been very helpful for me in order to deploy and make my FreeRADIUS server work.<br><br>
<div>
However, I'm facing a config problem that I couldn't solve just searching on this forum. So, I need a little bit of help with it.<br><br>I'm running FreeRADIUS Version 2.2.0 and I've managed to make the server work to authenticate users against our AD. I'm using ntlm_auth + mschap + ldap. Everything works very fine with domain users. I have no problem.</div>
<div><br>I use the ldap module in order to authenticate just some users inside specific groups and also, assigning the VLAN dynamically.<br><br>The issue comes when I try to authenticate users from a different domain. I highlight that both domains share a trust relationship.<br>
I read on the forum that just configuring NTLM module adding the trusted domain would work, but for the moment, it doesn't work.<br><br>I'll show you part of my config for this purpose: <br><br>NTLM_AUTH Module:</div>
<div><br></div><div><div>exec ntlm_auth {</div><div> wait = yes</div><div> program = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-MAIN-DOMAIN} --domain=%{%{mschap:NT-Domain}:-TRUSTED-DOMAIN}--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"</div>
<div>}</div><br></div><div>If I exec the command: <br><br><div>ntlm_auth --request-nt-key --domain=TRUSTED-DOMAIN --username=USER-TURSTED-DOMAIN --password=********</div><div>NT_STATUS_OK: Success (0x0)<br><br>As you can see, ntlm module works. However, when the request comes through the radius I get a prompt from ldap module saying "object (user) not found". <br>
<br>This is the error from the debug output:<br><br><div>[ldap] object not found</div><div>rlm_ldap::ldap_groupcmp: search failed<br><br><br>The user from the trusted domain is inside the same group for users from my domain. The ldap search works for user form my domain, but fails when it tries to search a user from the trusted domain. <br>
<br>I guess the problem lies on the ldap module. However, I don't fully understand where the config problem can be.</div></div></div><div><br><br>Any help would be appreciate it very much.<br><br><br>Thank you so much in advance. And have a great day!<br>
<br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div>
</div>
</blockquote></div><div><br></div>
</div></div>