<p style="padding:0 0 0 0; margin:0 0 0 0;">Hi, I'm trying to use FR 3 to connect to a remote AD via the ldap module; I tried playing with the parameters but with no luck. I don't know what I'm missing.</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">I use my own certificates. PEAP with MSCHAPv2.</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> </p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">I configured the <strong>ldap</strong> module:</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">server = "pegasus.fri.uniza.sk"</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> port = 636</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> base_dn = "dc=fri,dc=uniza,dc=sk"</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> user {</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> base_dn = "ou=People,dc=fri,dc=uniza,dc=sk"</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> scope = 'sub'</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> }</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> options {</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> chase_referrals = yes</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> rebind = yes</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> }</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> tls {</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> ca_path = ${certdir}</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> ca_file = ${certdir}/cacert.cer</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> certificate_file = ${certdir}/friradius.cer</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> private_key_file = ${certdir}/friradius.key</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> require_cert = "demand"</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> }</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> </p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">In <strong>sites-available/default and inner-tunnel</strong> I just added:</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">authorize {</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> ldap</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">}</p>
<div>In <strong>eap</strong> I configured:</div>
<div>
<div>eap {</div>
<div> default_eap_type = peap</div>
<div> tls {</div>
<div> tls = tls-common</div>
<div> }</div>
<div> ttls {</div>
<div> tls = tls-common</div>
<div> default_eap_type = mschapv2</div>
<div> copy_request_to_tunnel = yes</div>
<div> use_tunneled_reply = yes</div>
<div> virtual_server = "inner-tunnel"</div>
<div> }</div>
<div> peap {</div>
<div> tls = tls-common</div>
<div> default_eap_type = mschapv2</div>
<div> copy_request_to_tunnel = yes</div>
<div> use_tunneled_reply = yes</div>
<div> virtual_server = "inner-tunnel"</div>
<div> }</div>
</div>
<div>In <strong>mschap</strong>:</div>
<div>
<div>mschap {</div>
<div> use_mppe = no</div>
<div> require_encryption = yes</div>
<div> require_strong = yes</div>
<div> passchange {</div>
<div> }</div>
<div>}</div>
</div>
<div>I also added a realm to <strong>proxy</strong>:</div>
<div>
<div>realm fri.uniza.sk {</div>
<div>}</div>
</div>
<p style="padding:0 0 0 0; margin:0 0 0 0;"><strong>It starts all right:</strong></p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">"Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">Listening on auth address * port 1812 as server default</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">Listening on acct address * port 1813 as server default</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">Opening new proxy socket 'proxy address * port 0'</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">Listening on proxy address * port 47617</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">Ready to process requests."</p>
<div><strong>But when I try radtest:</strong></div>
<div>
<div>radtest -t mschap matisko@fri.uniza.sk &lt;password&gt; localhost 0 testing123</div>
</div>
<div>
<div>rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=213, length=20</div>
</div>
<div><strong>Debug is:</strong></div>
<div>
<div>(1) suffix : Looking up realm "fri.uniza.sk" for User-Name = "hajtmanek@fri.uniza.sk"</div>
<div>(1) suffix : Found realm "fri.uniza.sk"</div>
<div>(1) suffix : Adding Stripped-User-Name = "hajtmanek"</div>
<div>(1) suffix : Adding Realm = "fri.uniza.sk"</div>
<div>(1) suffix : Authentication realm is LOCAL.</div>
<div>(1) [suffix] = ok</div>
<div>(1) eap : No EAP-Message, not doing EAP</div>
<div>(1) [eap] = noop</div>
<div>(1) [files] = noop</div>
<div>rlm_ldap (ldap): Reserved connection (4)</div>
<div>(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})</div>
<div>(1) ldap : --> (uid=hajtmanek)</div>
<div>(1) ldap : EXPAND ou=People,dc=fri,dc=uniza,dc=sk</div>
<div>(1) ldap : --> ou=People,dc=fri,dc=uniza,dc=sk</div>
<div>(1) ldap : Performing search in 'ou=People,dc=fri,dc=uniza,dc=sk' with filter '(uid=hajtmanek)', scope 'sub'</div>
<div>(1) ldap : Waiting for search result...</div>
<div>(1) <strong>ERROR</strong>: ldap : Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.</div>
<div>(1) <strong>ERROR</strong>: ldap : Server said: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1.</div>
<div>rlm_ldap (ldap): Released connection (4)</div>
<div>rlm_ldap (ldap): Opening additional connection (5)</div>
<div>rlm_ldap (ldap): Connecting to pegasus.fri.uniza.sk:636</div>
<div>TLS: warning: cacertdir not implemented for gnutls</div>
<div>rlm_ldap (ldap): Waiting for bind result...</div>
<div>rlm_ldap (ldap): Bind successful</div>
<div>(1) [ldap] = fail</div>
<div>(1) } # authorize = fail</div>
<div>(1) Invalid user (ldap: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.): [hajtmanek/pokus123] (from client localhost port 0)</div>
<div>(1) Using Post-Auth-Type Reject</div>
</div>
<div>Binding is successful, referrals and rebind are changed. The SSL handshake I think is OK (according to Wireshark :) ).</div>
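<p style="padding:0 0 0 0; margin:0 0 0 0;">Added example (not part of the original post and not FreeRADIUS code): the script below reproduces, in plain Python, how the posted <code>filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"</code> is built from the RADIUS User-Name. The realm split is a simplified stand-in for what the <code>suffix</code> instance of rlm_realm does with the "@" delimiter; the set of known realms, the sample user names and the wildcard test value are constructed here. Seeing the expansion spelled out makes two things visible that the debug output only hints at: when the realm is not one the server knows, the fallback sends the full "user@realm" string into the search filter, and the value taken from the request has to be escaped per RFC 4515 before it lands inside the filter, as rlm_ldap does for its own expansions.</p>

```python
"""Show how the posted rlm_ldap user filter is expanded from User-Name.

Added illustration, not FreeRADIUS code. strip_realm() is a simplified
stand-in for the 'suffix' instance of rlm_realm (delimiter "@"), and
ldap_escape() applies RFC 4515 escaping so that a value copied from the
RADIUS request cannot change the structure of the search filter.
"""
from __future__ import annotations

from typing import Optional, Set, Tuple

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(user_name: str, local_realms: Set[str]) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' roughly the way the posted 'suffix' setup would.

    Returns (stripped_user_name, realm). When the realm is not one the server
    knows, nothing is stripped and realm is None, which is what makes the
    xlat below fall back to the full User-Name.
    """
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    if realm.lower() in local_realms:
        return user, realm
    return user_name, None


def build_user_filter(user_name: str, local_realms: Set[str]) -> str:
    """Expand filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"."""
    stripped, _realm = strip_realm(user_name, local_realms)
    # %{%{Stripped-User-Name}:-%{User-Name}}: use the stripped name when the
    # suffix module set it, otherwise the raw User-Name from the request.
    return f"(uid={ldap_escape(stripped)})"


if __name__ == "__main__":
    # Constructed sample data: the realm from the post plus two other names.
    known_realms = {"fri.uniza.sk"}
    samples = (
        "hajtmanek@fri.uniza.sk",   # realm known: stripped to 'hajtmanek'
        "hajtmanek@other.example",  # realm unknown: full name goes into filter
        "x*)(cn=*",                 # constructed value: wildcard/parens escaped
    )
    for name in samples:
        print(f"{name!r:28} -> {build_user_filter(name, known_realms)}")
```

<p style="padding:0 0 0 0; margin:0 0 0 0;">Running it prints <code>(uid=hajtmanek)</code> for the first name, which matches the EXPAND line in the debug output above, and shows the unstripped form for a realm the server does not list. The failure in the debug output is a separate matter: the server's own message says the search needs a completed bind on that connection, and in FreeRADIUS 3 the bind DN and password the module uses for its searches are the <code>identity</code> and <code>password</code> directives in mods-available/ldap, so it is worth checking what those are set to on the connection that performs the search.</p>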