I have been using FR since
around the .4 release days, so they will have to fight pretty hard to get me to
dump it for ACS. J
I looked into this but unfortunately
messing with the AD schema attributes is usually frowned upon. Another FR
user suggested I create multiple LDAP statements each pointing to a lower OU in
the tree that is not so large. This seems like a logical idea except I
can’t seem to make it work right in 2.0.0. I know I have done this
in a previous FR version, but I am stumped at this point. Here are the
relevant portions -
Radiusd.conf:
modules {
ldap a {
####### Active Directory LDAP Setup #######
server = *.*.*.1
#port = 3268
identity = "cn=***,ou=***,dc=***,dc=***"
password = *
basedn = "ou=a,dc=***,dc=***"
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 10
timeout = 10
timelimit = 10
net_timeout = 1
edir_account_policy_check = no
}
ldap b {
####### Active Directory LDAP Setup #######
server = *.*.*.1
#port = 3268
identity = "cn=***,ou=***,dc=***,dc=***"
password = *
basedn = "ou=b,dc=***,dc=***"
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 10
timeout = 10
timelimit = 10
net_timeout = 1
edir_account_policy_check = no
}
ldap
c {
####### Active Directory LDAP Setup #######
server = *.*.*.1
#port = 3268
identity = "cn=***,ou=***,dc=***,dc=***"
password = *
basedn = "ou=c,dc=***,dc=***"
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 10
timeout = 10
timelimit = 10
net_timeout = 1
edir_account_policy_check = no
}
Sites-available/default:
authorize {
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
#ldap
a
b
c
}
authenticate {
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
a
b
c
}
The debug from radiusd –X:
Listening on authentication
address * port 1812
Listening on accounting
address * port 1813
Ready to process requests.
rad_recv: Access-Request
packet from host *.*.*.* port 32856, id=154, length=60
User-Name = "testuser"
User-Password = "testing"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_realm: No '\' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
rlm_eap: No EAP-Message,
not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user
authorization for testuser
WARNING: Deprecated
conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=testuser)
expand: ou=a,dc=***,dc=*** -> ou=a,dc=***,dc=***
rlm_ldap: ldap_get_conn:
Checking Id: 0
rlm_ldap: ldap_get_conn: Got
Id: 0
rlm_ldap: attempting LDAP
reconnection
rlm_ldap: (re)connect to *.*.*.*:389,
authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/***
to *.*.*.*:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was
successful
rlm_ldap: performing search
in ou=a,dc=***,dc=***, with filter (sAMAccountName=testuser)
rlm_ldap: object not found
or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn:
Release Id: 0
++[a] returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user
authorization for testuser
WARNING: Deprecated
conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=testuser)
expand: ou=b,dc=***,dc=*** -> ou=b,dc=***,dc=***
rlm_ldap: ldap_get_conn:
Checking Id: 0
rlm_ldap: ldap_get_conn: Got
Id: 0
rlm_ldap: attempting LDAP
reconnection
rlm_ldap: (re)connect to *.*.*.*:389,
authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/***
to *.*.*.*:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search
in ou=b,dc=***,dc=***, with filter (sAMAccountName=testuser)
rlm_ldap: looking for check
items in directory...
rlm_ldap: looking for reply
items in directory...
WARNING: No "known
good" password was found in LDAP. Are you sure that the user is
configured correctly?
rlm_ldap: user testuser
authorized to use remote access
rlm_ldap: ldap_release_conn:
Release Id: 0
++[b] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user
authorization for testuser
WARNING: Deprecated
conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=testuser)
expand: ou=c,dc=***,dc=*** -> ou=c,dc=***,dc=***
rlm_ldap: ldap_get_conn:
Checking Id: 0
rlm_ldap: ldap_get_conn: Got
Id: 0
rlm_ldap: attempting LDAP
reconnection
rlm_ldap: (re)connect to *.*.*.*:389,
authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/***
to *.*.*.*:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search
in ou=c,dc=***,dc=***, with filter (sAMAccountName=testuser)
rlm_ldap: object not found
or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn:
Release Id: 0
++[c] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No
"known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
auth: No authenticate method
(Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the
user.
Login incorrect (rlm_ldap:
User not found): [testuser/testing] (from client PCMCRADIUS2 port 1)
Found Post-Auth-Type
Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched
entry DEFAULT at line 11
++[attr_filter.access_reject]
returns updated
Delaying reject of request 0
for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for
request 0
Sending Access-Reject of id
154 to *.*.*.* port 32856
Waking up in 4.9 seconds.
Cleaning up request 0 ID 154
with timestamp +9
Ready to process requests.
>Alan DeKok wrote:
>Capelle, Mark (PCMC-GB)
wrote:
>> I have an issue
since pointing FR to a point higher in my AD tree
>> (which will return
more objects). I get the following error in my FR
>> logs when I try to
authenticate a user:
>>
>> Fri Feb 22 10:37:14
2008 : Error: rlm_ldap: ldap_search() failed:
>> Operations error
> That's usually do
to internal AD redirects, IIRC.
> See also
doc/rlm_ldap, which talks about "operations error".
>> Has anyone else
encountered this and found a solution? I am fighting
>> like hell to not
install the corporate standard Cisco ACS box at my
>> site, but if I
can?t manage to get this working I may have to finally
>> cave L.
> Ugh. Most
sites I hear about are moving away from commercial products to FreeRADIUS.
> Alan DeKok.