Hi,
On 24/01/2018, at 3:35 AM, Douglas C Ward <douglas@ugutech.com> wrote:
On Jan 21, 2018, at 10:41 PM, Nathan Ward <lists+freeradius@daork.net <mailto:lists+freeradius@daork.net>> wrote:
OK, thanks for that.
So this tells us several things. 1) Your admin credentials are correct (though we can actually improve this, more later) 2) You need to use “cn=“ and not “uid=“ in the filter. 3) You must do user binds, rather than pull a userPassword attribute from LDAP, as the userPassword attribute is not visible even to the admin. This means that you can only use RADIUS for auth when you have a User-Password attribute - i.e. CHAP etc. will not work. 4) The OneLogin LDAP seems to work OK.. but one more test.
This time, type your “dward” password, *not* the admin password. $ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)’ dn
The result should have a success in there, and should say somewhere: dn: cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com
If so, we have done a successful "User Bind” - these are almost exactly the same protocol steps as FreeRADIUS will do (actually slightly more), which means OneLogin is working great. If not, post the command and response as you did above, and don’t do anything else.
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)’ dn
<blah blah blah> ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)’ dn -bash: syntax error near unexpected token `(' testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)' dn Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>) # requesting: dn #
# dward@iacollaborative.com <mailto:dward@iacollaborative.com>, users, iacollaborative.onelogin.com <http://iacollaborative.onelogin.com/> dn: cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>, ou=users, dc=iacollaborative, dc=onelogin, d c=com
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
—————
So I see that the dn= result you anticipated is there, but the result still says “result: 0 success” . Let me know if I should try it with the ldap config edit.
Yeah so that result: 0 Success is referring to the return code of the search function. It is 0, which in most C APIs means “success”. You should be able to make the other stuff work, per the rest of my email. Let me know how you get on :-) -- Nathan Ward