I forgot to include my last conf files. ########################################################### ldap.conf: ########################################################### ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Tramontane10520 basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" # How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5 # seconds to wait for LDAP query to finish. default: 20 timeout = 4 # seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3 # # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 # # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/ certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random # Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "never" } ### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ### ### profile_attribute = "radiusProfileDn" ### ### access_attr = "dialupAccess" ### # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword # Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = memberOf compare_check_items = no do_xlat = yes access_attr_used_for_allow = yes # # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. # ### MS Active Directory Compatibility is disabled ### # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes # ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028 # # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 # LDAP_OPT_X_KEEPALIVE_PROBES probes = 3 # LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } } ################################################## Users.conf: ################################################## /usr/pbi/freeradius-i386/etc/raddb/users "test" Cleartext-Password := "squidtest" DEFAULT Ldap-Group == "InternetAccess", Auth-Type := Accept DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject On Tue, Apr 21, 2015 at 12:07 AM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
I noticed that my problem is that when using group options I get authorized successfully but does not get authenticated (Using Compare Check Items = No results in Access-Accept). When not using group options I get authorized and authenticated succesfully.
Is there a way to do a two pass process? If I could run the first pass without group options and the second pass if authenticated run with group options, I will get my desired result.
By the way I found how to run in debug mode in pfsense and do some custome changes in the Users.conf file.
On Wed, Mar 25, 2015 at 2:24 PM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
I am using the Freeradius2 2.1.12_1/2.2.5_3 pkg v1.6.10 in pfsense 2.1.5
I can't modify the conf files manually. I have to use the pfsense WebGui.
I could authenticate the users of the LDAP succesfully but when I try to authenticate using group membership options it fails with the following logs.
Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests. Wed Mar 25 13:39:27 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:33 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:34 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111)
On pfsense I do not see an option to run in debug mode, but probably you can help me with the pfsense produced ldap conf file. I do not use fancy stuff. After I get it working I may try to add TLS configuration to have encrypted comm or passwords.
The LDAP is an Active Directory on a Windows 2003 Server. The group name is InternetAccess. (Is this case sensitive?) I do not have a radiusprofile, where there is mention of radiusprofile is a default generated line. (In pfsense I may change the line but can not removed it or comment it.)
LDAP CONF:
/usr/pbi/freeradius-i386/etc/raddb/modules/ldap # -*- text -*- # # $
# Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See raddb/sites-available/default for reference to the # ldap module in the authorize and authenticate sections. # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Mypassword basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/ certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "never" }
### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ### ### profile_attribute = "radiusProfileDn" ### ### access_attr = "dialupAccess" ###
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = InternetAccess
compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes
# # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. #
### MS Active Directory Compatibility is disabled ###
# # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028
# # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } }