The issue in my previous post was resolved by following the instructions in: http://support.microsoft.com/kb/326690 As I stated in my previous post I was running a 2000 SP4 domain and we just upgraded to a 2003 domain. After the upgrade ldap queries were failing. This basically allows anonymous ldap lookups (limited information) as 2000 did. I did put authentication credentials in for my ldap user so I'm not sure why it's using anonymous bind still. I would prefer to have the added security of 2003. My ldap configuration is below if anyone has any advice so I wouldn't have to enable anonymous bind within the domain. ___________________________________________________________ kesm0724 wrote:
Hello All,
I had FreeRADIUS Version 2.0.5 working fine until I upgraded our domain this past weekend to Server 2003. When I try to authenticate to our configured devices this morning I see the following generic error in the debug:
rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fails
The odd part about it is that I still have our previous 2000 domain controllers in place but it appears LDAP group checking is not working. I have only dcpromo'd the new 2003 controllers and have not made them global catalogs. Would anyone have any idea why my group checking would no longer be working?
With LDAP debug turned on....not much more informative:
rlm_ldap: performing user authorization for voila\webtest expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=webtest) expand: dc=voila,dc=com -> dc=voila,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to control.voila.com:389, authentication 0 rlm_ldap: bind as cn=testuser,cn=users,dc=voila,dc=com/mypass to control.voila.com:389 rlm_ldap: waiting for bind result ... request done: ld 0x98c6708 msgid 1 rlm_ldap: Bind was successful rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=webtest) request done: ld 0x98c6708 msgid 4 request done: ld 0x98c6708 msgid 2 rlm_ldap: ldap_search() failed: Operations error rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [voila\\webtest/<via Auth-Type = mschap>] (from client Test port 1176 cli xxxxxxxxx) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> voila\webtest
Complete Debug:
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host xxxxxxxxxxx port 1059, id=117, length=191 User-Name = "voila\\testuser" NAS-Port = 1175 Service-Type = Framed-User Framed-Protocol = PPP Called-Station-Id = "xxxxxxxxxxx" Calling-Station-Id = "xxxxxxxxxx" Tunnel-Client-Endpoint:0 = "xxxxxxxxxxxxx" MS-CHAP-Challenge = 0x949d0f260c0a83423f766c1ba4786e6f MS-CHAP2-Response = 0x00008c51e82b0b401baffa11bbe4804841af0000000000000000b90e47cdede219ef0896903add05ea5ada973c6c8d58d431 NAS-IP-Address = xxxxxxxxxx NAS-Port-Type = Virtual +- entering group authorize ++[preprocess] returns ok expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxxxxx/auth-detail-20080915 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxxxxxx/auth-detail-20080915 expand: %t -> Mon Sep 15 11:52:00 2008 ++[auth_log] returns ok ++[chap] returns noop rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok rlm_realm: No '@' in User-Name = "voila\testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_realm: No '"' in User-Name = "voila\testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[ntdomain] returns noop ++[unix] returns notfound rlm_ldap: Entering ldap_groupcmp() expand: dc=voila,dc=com -> dc=voila,dc=com expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=testuser) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to control.voila.com:389, authentication 0 rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to control.voila.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=testuser) rlm_ldap: ldap_search() failed: Operations error rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for voila\testuser expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=testuser) expand: dc=voila,dc=com -> dc=voila,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to control.voila.com:389, authentication 0 rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to control.voila.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=testuser) rlm_ldap: ldap_search() failed: Operations error rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [voila\\testuser/<via Auth-Type = mschap>] (from client Test port 1175 cli xxxxxxxxxxxxx) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> voila\testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 117 to xxxxxxxxxxxx port 1059 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 117 with timestamp +18 Ready to process requests.
___________
Freeradius - 2.0.5
[root@ras modules]# rpm -qa | grep openldap openldap-devel-2.3.27-8.el5_2.4 openldap-2.3.27-8.el5_2.4 [root@ras modules]# rpm -qa | grep samba samba-common-3.0.28-1.el5_2.1 samba-3.0.28-1.el5_2.1 samba-client-3.0.28-1.el5_2.1
______________________________________________
LDAP.CONF
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "control.voila.com" identity = "cn=testuser,cn=users,dc=voila,dc=com" password = mypass basedn = "dc=voila,dc=com"
# CHANGED filter object search to look for 'SamAccountName'
# filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})" # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 # seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
# cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" } # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "User-Password"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = User-Password
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no
# # Group membership checking. Disabled by default. # groupname_attribute = cn #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_filter = "(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))" groupmembership_attribute = memberOf
# compare_check_items = yes do_xlat = yes # access_attr_used_for_allow = yes
# # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) ldap_debug = 0x0028
______________________________________________________
Samba / Windbind responses:
[root@ras modules]# wbinfo -t checking the trust secret via RPC calls succeeded
[root@ras modules]# wbinfo -a testuser%mypass plaintext password authentication failed error code was NT_STATUS_NO_SUCH_USER (0xc0000064) error messsage was: No such user Could not authenticate user testuser%mypass with plaintext password challenge/response password authentication succeeded
wbinfo -u and wbinfo -g enumerate all users/groups.
-- View this message in context: http://www.nabble.com/LDAP-Group-membership-check-not-working-after-upgrade-... Sent from the FreeRadius - User mailing list archive at Nabble.com.