Hi Loius, My freeradius server is a domain member of mydomain.com and, before I configured ldap module, I had tested ntlm_auth configuration and it had worked perfectly. As I've said in the first email of this thread, I had followed http://deployingradius.com/documents/configuration/active_directory.html to configure ntlm_auth. My problem is the ldap module. The employee that administrates mydomain.com has said me the ldap server on this domain isn't configured to operate over TLS or SSL. He has confirmed to me that ldap on dc01 is listening on 389/TCP port and it isn't configured over START TLS, then there aren't need to accept certificates to connect to it. Due it, I've tried to use SASL + KRB5 to communicate freeradius server to ldap on dc01.mydomain.com. It doesn't work, though. When I've tried to run a search with ldapsearch using SASL on command prompt of freeradius server, it works perfectly fine. My question is why it doesn't work on freeradius service. PS1: I can to connect ldap service on dc01 with Apache Studio application in 389/TCP port with no SSL or TLS configuration. PS2: I've noticed the freeradius version (3.0.16) on official CentOS 8 repository isn't the latest version. I'll try to install latest (3.0.20) version from source and try it. Regards, -- Igor Sousa Em seg., 24 de fev. de 2020 às 05:00, L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org> escreveu:
Hai Igor,
Samba messages: Strong(er) authentication required
Thats it.
man smb.conf ntlm auth (G)
And set : ntlm auth = mschapv2-and-ntlmv2-only For the AD-Dc's and member's where needed.
bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error, you need to setup a separated user to do these ldap binds.
And last, did you setup certicates for the server and services? If not i suggest do that and use the ldaps ports, MS is perpairing for that also so be ahead of it.
See if above is sufficient to fix it, but im sure this is your problem.
Greetz,
Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Igor Sousa Verzonden: zaterdag 22 februari 2020 19:47 Aan: FreeRadius users mailing list Onderwerp: Re: Use Active Directory Group to authorize a users on Freeradius 3.0.x
I don't see any problem about ldap serach bind. The DN:cn=Administrator,cn=Users,dc=mydomain,dc=com, just as the name says, is the administrator user of mydomain.com and can search any other Organisation Unit of mydomain.com. All my users, except Administrator, are in the ou=drc,dc=mydomain,dc=com. Samba 4 domain works perfectly in Windows/Linux as in other system my company has.
When I have tried to run radiusx -X with identity set in ldap module, the radiusd -X has informed
rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.
The employee who implemented Samba DC on my company has notified me he hasn't set ldap to run over ssl or start tls. Due it, I have tried to use SASL. It has worked fine when I have tried run a simple search using ldapsearch after kinit like this
[root@centos8 ~]# kinit -a Administrator [root@centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName SASL/GSS-SPNEGO authentication started
SASL username: Administrator@MYDOMAIN.COM
SASL SSF: 256
SASL data security layer installed.
<all users on ou=drc was shown>
But it hasn't worked with freeradius ldap module.
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389 rlm_ldap (ldap): Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
PS: I've used freeradius from centos 8 repo, 3.0.16 version, and the host centos8 is a domain member on mydomain.com.
-- Igor Sousa
Em sáb., 22 de fev. de 2020 às 13:17, <uj2.hahn@posteo.de> escreveu:
rlm_ldap (ldap): Bind with *cn=Administrator,cn=Users,dc=mydomain,dc=com*
This doesn't match your ldap search binding:
"ou=drc,dc=mydomain,dc=com"
May be this is the issue? Please double check your ldap settings! Regards Uwe
On 21.02.2020 23:40, Igor Sousa wrote:
Hello everybody,
I have had some problems about to authorize users based on Active Directory (Samba 4 DCs) groups.
I have followed
http://deployingradius.com/documents/configuration/active_dire ctory.html to
configure ntlm_auth and it works perfectly.
As I need restrict access to some AD groups, I need to configure ldap module. I've alright configured ldap module, but it has been pure Openldap (uid stores username and usePassword stores password). Then, to set up ldap module to access AD ldap, I've read comments on mods-available/ldap and I have set up "server", "identity", "password" and "base_dn" on the mods-enabled/ldap. I have also set up
to use the attribute stores username on AD user { ... filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" ... }
and
group { ... filter = '(objectClass=group)' ... name_attribute = cn
membership_filter =
membership_attribute = 'memberOf' ... }
When I have tried to run radiusd -X, it has shown a error
message about
bind tried to ldap server:
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.. rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
I've suspected about SASL due I haven't been notify that LDAP use STARTTLS or SSL over TLS. Then I've commented identity and password and radiusd -X
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389 rlm_ldap (ldap): Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
I run kinit Administrator before run the ldapsearch below and hasn't shown any ERROR.
Please, can someone help me about my problem?
[root@centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName SASL/GSS-SPNEGO authentication started
SASL username: Administrator@MYDOMAIN.COM
SASL SSF: 256
SASL data security layer installed.
-- Igor Sousa - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User -Name}:-%{User-Name}}))" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html