-----Original Message----- From: freeradius-users-bounces+apuye=datawave.com@lists.freeradius. org [mailto:freeradius-users-bounces+apuye=datawave.com@lists.fre eradius.org] On Behalf Of Dickson, John Sent: January 4, 2006 11:32 AM To: FreeRadius users mailing list Subject: RE: wireless - freeradius - MS ldap
Here is my ldap section:
ldap { server = "10.1.1.29" identity = dmadmin1 password = rDkf@my basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no
# tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(obj ectClass=Gr oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }
Verify first that you can infact query Active Directory with this username/password combination.
There is a utility called ldapsearch. I believe it comes with OpenLDAP. Use that to directly query AD for verification.
Here is an example:
ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'dc=domain,dc=com''(samaccountname=powerful)' -D powerful -w userspass
This seeems to work:
[john@magellan ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu' -D any-user@serverdm.domain.edu -w Passw0rd No such object (32) Matched DN: DC=serverdm,DC=domain,DC=edu Additional information: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=serverdm,DC=domain,DC=edu'
Nope. That didn't work..... Please read up on ldapsearch "man ldapsearch". Until you can CAN verify that the username/password is correct, it won't do you any good messing with FreeRADIUS
What does your "ldap" section in radiusd.conf look like? Can you please provide copy?
This will make sure that the credentials are correct or not.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.
participants (1)
-
Alhagie Puye