Make sure the password has double-quotes around it. I had to do that to get it working. Have you tried using ldapsearch first to make sure that you are feeding it the correct parameters? Try something like ldapsearch -LLL -h 10.1.1.1 -x -b 'dc=corp,dc=van,dc=com' '(&(memberof=CN=rptpcps,OU=Users,DC=corp,DC=van,DC=com)(samaccountname=a puye))' -D apuye@corp.van.com -w yourpassword Change it to match your environment. Hope that helps. Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Anup Parkhi Sent: November 29, 2005 6:44 PM To: freeradius-users@lists.freeradius.org Subject: Can not authenticate against Active directory as LDAP server
My environment is
FreeRadius: 1.0.5 on RedHat Funk Odyssey supplicant. (Tried with XP supplicant also) Authenticator: HP procurve switch EAP: EAP-MD5 Directory: Active directory as LDAP server
I am getting the following error while authenticating users in Active directory. Any help is appreciated. I went through ldap_how_to.txt and changed my radiusd.conf to tailor for active directory but it is still failing.
My configuration sections are lldap { server = "10.11.12.137" identity = "cn=Administrator,cn=users,dc=parkhi,dc=net" password = mypassword basedn = "cn=users,dc=parkhi,dc=net" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no
# tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 10
# # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # password_attribute = User-Password # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(obj ectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no # do_xlat = yes # access_attr_used_for_allow = yes }
authorize { preprocess suffix files ldap }
authenticate { Auth-Type LDAP { ldap } }
the console output of radiusd -X
Cleaning up request 4 ID 229 with timestamp 438d0d46 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.11.12.107:1024, id=230, length=214 Framed-MTU = 1480 NAS-IP-Address = 10.11.12.107 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "test" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 24 NAS-Port-Type = Ethernet NAS-Port-Id = "24" Called-Station-Id = "00-0f-20-8d-04-c8" Calling-Station-Id = "00-c0-9f-0d-4a-1f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1010" EAP-Message = 0x020100090174657374 Message-Authenticator = 0xaf12ec64c245045bbf5a5cc4985025de Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 users: Matched test at 66 modcall[authorize]: module "files" returns ok for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(sAMAccountName=test)' radius_xlat: 'cn=users,dc=parkhi,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=users,dc=parkhi,dc=net, with filter (sAMAccou)rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 5 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 5 modcall: group Auth-Type returns invalid for request 5 auth: Failed to validate the user. Delaying request 5 for 1 seconds Finished request 5
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Disclaimer: This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.