Freeradius 3 with LDAP Authentication Bind as User
Hi Experts, I am trying to setup my radius server to authenticate users with their AD password. I do not have access to our corporate Active Directory so I cannot use Samba and winbind, I only have access to the LDAP server that ties into AD. Each user has read only access to LDAP so they can bind with the correct credentials and verify the password. I have successfully setup freeradius to connect to the LDAP server and verify credentials as long as the ‘identity’ and ‘password’ are provided in the ldap module. What I would like to do is bind as the verifying user instead of using a single account. Scouring the internet has proven fruitless, so I was hoping you can point me in the correct direction. I am happy to provide logs and configs if needed. I would first like to confirm that this is feasible. Thank you, Jason
On May 29, 2020, at 12:11 PM, Jason Leiby <leibyj@gmail.com> wrote:
I am trying to setup my radius server to authenticate users with their AD password. I do not have access to our corporate Active Directory so I cannot use Samba and winbind, I only have access to the LDAP server that ties into AD. Each user has read only access to LDAP so they can bind with the correct credentials and verify the password.
That's fine. It still works.
I have successfully setup freeradius to connect to the LDAP server and verify credentials as long as the ‘identity’ and ‘password’ are provided in the ldap module. What I would like to do is bind as the verifying user instead of using a single account. Scouring the internet has proven fruitless, so I was hoping you can point me in the correct direction. I am happy to provide logs and configs if needed. I would first like to confirm that this is feasible.
Yes. Lots of people do it. Read sites-available/default. Look for "ldap" in the "authenticate" section. There's examples and documentation. Alan DeKok.
Check the help in the ldap module. There are update control Auth type lines inside that set the Auth type to ldap and will Auth with bind instead of reading the password from ldap V pet., 29. maj 2020 18:12 je oseba Jason Leiby <leibyj@gmail.com> napisala:
Hi Experts,
I am trying to setup my radius server to authenticate users with their AD password. I do not have access to our corporate Active Directory so I cannot use Samba and winbind, I only have access to the LDAP server that ties into AD. Each user has read only access to LDAP so they can bind with the correct credentials and verify the password.
I have successfully setup freeradius to connect to the LDAP server and verify credentials as long as the ‘identity’ and ‘password’ are provided in the ldap module. What I would like to do is bind as the verifying user instead of using a single account. Scouring the internet has proven fruitless, so I was hoping you can point me in the correct direction. I am happy to provide logs and configs if needed. I would first like to confirm that this is feasible.
Thank you,
Jason - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I placed the auth-type update control snippet in the authenticate section
and I still get the same error message of:
(1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes'
and 'rebind=yes'. See the ldap module configuration for details.
(1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, v2580.
What is also strange is that the first error about chase_referrals and
rebind should be gone as I have those flags uncommented in the ldap module
Here is the full output from radiusd -X
(1) Received Access-Request Id 1 from 1.1.1.201:65511 to 1.1.1.190:1812
length 58
(1) NAS-IP-Address = 0.0.0.0
(1) User-Name = "testuser"
(1) User-Password = "testpasswd123\000]\n"
(1) NAS-Port = 0
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) policy filter_password {
(1) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(1) EXPAND %{string:User-Password}
(1) --> testpasswd123
(1) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> TRUE
(1) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(1) update request {
(1) EXPAND %{string:User-Password}
(1) --> testpasswd123
(1) &Tmp-String-0 := testpasswd123
(1) EXPAND %{string:Tmp-String-0}
(1) --> testpasswd123
(1) &User-Password := testpasswd123
(1) } # update request = noop
(1) } # if (&User-Password && (&User-Password !=
"%{string:User-Password}")) = noop
(1) } # policy filter_password = noop
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testuser", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [files] = noop
(1) sql: EXPAND %{User-Name}
(1) sql: --> testuser
(1) sql: SQL-User-Name set to 'testuser'
rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 163
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 163
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 163
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 163
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 163
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 163
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 163
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (7), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (7)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testuser' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'testuser' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql: Auth-Type := PAP
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'testuser' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'testuser' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username =
'testuser' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'testuser' ORDER BY priority
(1) sql: User found in the group table
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql: --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
(1) sql: Group "sonus-admin": Conditional check items matched
(1) sql: Group "sonus-admin": Merging assignment check items
(1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql: --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
(1) sql: Group "sonus-admin": Merging reply items
(1) sql: GroupName := "Administrator"
rlm_sql (sql): Released connection (7)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (8), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
(1) [sql] = ok
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 184
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 183
seconds
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 183
seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 183
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 163
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 163
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (6)
(1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (samaccountname=testuser)
(1) ldap: Performing search in "OU=Employees,OU=Domain
Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope
"sub"
(1) ldap: Waiting for search result...
(1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes'
and 'rebind=yes'. See the ldap module configuration for details.
(1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, v2580.
rlm_ldap (ldap): Released connection (6)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (7), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) [ldap] = fail
(1) } # authorize = fail
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) sql: EXPAND .query
(1) sql: --> .query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (7)
(1) sql: EXPAND %{User-Name}
(1) sql: --> testuser
(1) sql: SQL-User-Name set to 'testuser'
(1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(1) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-05-29
13:57:40.965576')
(1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject',
'2020-05-29 13:57:40.965576')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (9), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
(1) [sql] = ok
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> testuser
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(1) (1) Discarding duplicate request from client 1.1.1.201 port 65511 - ID:
1 due to delayed response
Waking up in 0.3 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 1 from 1.1.1.190:1812 to 1.1.1.201:65511 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 1 with timestamp +183
Ready to process requests
On Fri, May 29, 2020 at 10:42 AM Klemen forneci <forneci@gmail.com> wrote:
> Check the help in the ldap module. There are update control Auth type lines
> inside that set the Auth type to ldap and will Auth with bind instead of
> reading the password from ldap
>
> V pet., 29. maj 2020 18:12 je oseba Jason Leiby <leibyj@gmail.com>
> napisala:
>
> > Hi Experts,
> >
> > I am trying to setup my radius server to authenticate users with their AD
> > password. I do not have access to our corporate Active Directory so I
> > cannot use Samba and winbind, I only have access to the LDAP server that
> > ties into AD. Each user has read only access to LDAP so they can bind
> with
> > the correct credentials and verify the password.
> >
> >
> >
> > I have successfully setup freeradius to connect to the LDAP server and
> > verify credentials as long as the ‘identity’ and ‘password’ are provided
> in
> > the ldap module. What I would like to do is bind as the verifying user
> > instead of using a single account. Scouring the internet has proven
> > fruitless, so I was hoping you can point me in the correct direction. I
> am
> > happy to provide logs and configs if needed. I would first like to
> confirm
> > that this is feasible.
> >
> >
> >
> > Thank you,
> >
> > Jason
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Correction to previous post. The snippet is in the authorize section of
the sites-enabled/default file. Also, when i perform a packet capture, i
see the radius request, a bind request of "<ROOT> simple". I would assume
that this needs to be the username and password. Is this set in ldap
module under the sasl section?
On Fri, May 29, 2020 at 1:06 PM Jason Leiby <leibyj@gmail.com> wrote:
> I placed the auth-type update control snippet in the authenticate section
> and I still get the same error message of:
>
> (1) ldap: ERROR: Failed performing search: Please set
> 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration
> for details.
> (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment:
> In order to perform this operation a successful bind must be completed on
> the connection., data 0, v2580.
>
> What is also strange is that the first error about chase_referrals and
> rebind should be gone as I have those flags uncommented in the ldap module
>
> Here is the full output from radiusd -X
>
> (1) Received Access-Request Id 1 from 1.1.1.201:65511 to 1.1.1.190:1812
> length 58
> (1) NAS-IP-Address = 0.0.0.0
> (1) User-Name = "testuser"
> (1) User-Password = "testpasswd123\000]\n"
> (1) NAS-Port = 0
> (1) # Executing section authorize from file
> /etc/raddb/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) policy filter_password {
> (1) if (&User-Password && (&User-Password !=
> "%{string:User-Password}")) {
> (1) EXPAND %{string:User-Password}
> (1) --> testpasswd123
> (1) if (&User-Password && (&User-Password !=
> "%{string:User-Password}")) -> TRUE
> (1) if (&User-Password && (&User-Password !=
> "%{string:User-Password}")) {
> (1) update request {
> (1) EXPAND %{string:User-Password}
> (1) --> testpasswd123
> (1) &Tmp-String-0 := testpasswd123
> (1) EXPAND %{string:Tmp-String-0}
> (1) --> testpasswd123
> (1) &User-Password := testpasswd123
> (1) } # update request = noop
> (1) } # if (&User-Password && (&User-Password !=
> "%{string:User-Password}")) = noop
> (1) } # policy filter_password = noop
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "testuser", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: No EAP-Message, not doing EAP
> (1) [eap] = noop
> (1) [files] = noop
> (1) sql: EXPAND %{User-Name}
> (1) sql: --> testuser
> (1) sql: SQL-User-Name set to 'testuser'
> rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): 0 of 0 connections in use. You may need to increase
> "spare"
> rlm_sql (sql): Opening additional connection (7), 1 of 32 pending slots
> used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket, server version 5.5.65-MariaDB, protocol version 10
> rlm_sql (sql): Reserved connection (7)
> (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
> WHERE username = '%{SQL-User-Name}' ORDER BY id
> (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck
> WHERE username = 'testuser' ORDER BY id
> (1) sql: Executing select query: SELECT id, username, attribute, value, op
> FROM radcheck WHERE username = 'testuser' ORDER BY id
> (1) sql: User found in radcheck table
> (1) sql: Conditional check items matched, merging assignment check items
> (1) sql: Auth-Type := PAP
> (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
> WHERE username = '%{SQL-User-Name}' ORDER BY id
> (1) sql: --> SELECT id, username, attribute, value, op FROM radreply
> WHERE username = 'testuser' ORDER BY id
> (1) sql: Executing select query: SELECT id, username, attribute, value, op
> FROM radreply WHERE username = 'testuser' ORDER BY id
> (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority
> (1) sql: --> SELECT groupname FROM radusergroup WHERE username =
> 'testuser' ORDER BY priority
> (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
> username = 'testuser' ORDER BY priority
> (1) sql: User found in the group table
> (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
> radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
> (1) sql: --> SELECT id, groupname, attribute, Value, op FROM
> radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
> (1) sql: Executing select query: SELECT id, groupname, attribute, Value,
> op FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
> (1) sql: Group "sonus-admin": Conditional check items matched
> (1) sql: Group "sonus-admin": Merging assignment check items
> (1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
> radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
> (1) sql: --> SELECT id, groupname, attribute, value, op FROM
> radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
> (1) sql: Executing select query: SELECT id, groupname, attribute, value,
> op FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
> (1) sql: Group "sonus-admin": Merging reply items
> (1) sql: GroupName := "Administrator"
> rlm_sql (sql): Released connection (7)
> Need 2 more connections to reach min connections (3)
> rlm_sql (sql): Opening additional connection (8), 1 of 31 pending slots
> used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket, server version 5.5.65-MariaDB, protocol version 10
> (1) [sql] = ok
> rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for
> 184 seconds
> rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for
> 183 seconds
> rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for
> 183 seconds
> rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for
> 183 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for
> 163 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for
> 163 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
> "spare"
> rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration
> is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (6)
> (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) ldap: --> (samaccountname=testuser)
> (1) ldap: Performing search in "OU=Employees,OU=Domain
> Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope
> "sub"
> (1) ldap: Waiting for search result...
> (1) ldap: ERROR: Failed performing search: Please set
> 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration
> for details.
> (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment:
> In order to perform this operation a successful bind must be completed on
> the connection., data 0, v2580.
> rlm_ldap (ldap): Released connection (6)
> Need 2 more connections to reach min connections (3)
> rlm_ldap (ldap): Opening additional connection (7), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration
> is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (1) [ldap] = fail
> (1) } # authorize = fail
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) Post-Auth-Type REJECT {
> (1) sql: EXPAND .query
> (1) sql: --> .query
> (1) sql: Using query template 'query'
> rlm_sql (sql): Reserved connection (7)
> (1) sql: EXPAND %{User-Name}
> (1) sql: --> testuser
> (1) sql: SQL-User-Name set to 'testuser'
> (1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
> VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
> '%{reply:Packet-Type}', '%S')
> (1) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
> VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-05-29
> 13:57:40.965576')
> (1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
> authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject',
> '2020-05-29 13:57:40.965576')
> (1) sql: SQL query returned: success
> (1) sql: 1 record(s) updated
> rlm_sql (sql): Released connection (7)
> Need 1 more connections to reach min connections (3)
> rlm_sql (sql): Opening additional connection (9), 1 of 30 pending slots
> used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket, server version 5.5.65-MariaDB, protocol version 10
> (1) [sql] = ok
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject: --> testuser
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1) [attr_filter.access_reject] = updated
> (1) [eap] = noop
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
> Waking up in 0.9 seconds.
> (1) (1) Discarding duplicate request from client 1.1.1.201 port 65511 -
> ID: 1 due to delayed response
> Waking up in 0.3 seconds.
> (1) Sending delayed response
> (1) Sent Access-Reject Id 1 from 1.1.1.190:1812 to 1.1.1.201:65511 length
> 20
> Waking up in 3.9 seconds.
> (1) Cleaning up request packet ID 1 with timestamp +183
> Ready to process requests
>
> On Fri, May 29, 2020 at 10:42 AM Klemen forneci <forneci@gmail.com> wrote:
>
>> Check the help in the ldap module. There are update control Auth type
>> lines
>> inside that set the Auth type to ldap and will Auth with bind instead of
>> reading the password from ldap
>>
>> V pet., 29. maj 2020 18:12 je oseba Jason Leiby <leibyj@gmail.com>
>> napisala:
>>
>> > Hi Experts,
>> >
>> > I am trying to setup my radius server to authenticate users with their
>> AD
>> > password. I do not have access to our corporate Active Directory so I
>> > cannot use Samba and winbind, I only have access to the LDAP server that
>> > ties into AD. Each user has read only access to LDAP so they can bind
>> with
>> > the correct credentials and verify the password.
>> >
>> >
>> >
>> > I have successfully setup freeradius to connect to the LDAP server and
>> > verify credentials as long as the ‘identity’ and ‘password’ are
>> provided in
>> > the ldap module. What I would like to do is bind as the verifying user
>> > instead of using a single account. Scouring the internet has proven
>> > fruitless, so I was hoping you can point me in the correct direction.
>> I am
>> > happy to provide logs and configs if needed. I would first like to
>> confirm
>> > that this is feasible.
>> >
>> >
>> >
>> > Thank you,
>> >
>> > Jason
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
On May 29, 2020, at 3:06 PM, Jason Leiby <leibyj@gmail.com> wrote:
I placed the auth-type update control snippet in the authenticate section
No... you have to update Auth-Type *before* the authenticate section, in the authorize section. When you set Auth-Type, you're telling the server which "authenticate" sub-section to use. So putting an "update control" in the authenticate section does nothing.
and I still get the same error message of:
(1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details. (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.
What is also strange is that the first error about chase_referrals and rebind should be gone as I have those flags uncommented in the ldap module
Those settings are still commented out. If "chase_referrals" was set, the error would be: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.
Here is the full output from radiusd -X
If you read the *rest* of the debug output, you will see it printing out the configuration for the LDAP module. And "chase_referrals" won't be set.
... rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
Arg. You're using RedHat, which (in there infinite wisdom) decided to switch libldap to something which isn't compatible with OpenSSL. FreeRADIUS uses OpenSSL. I suspect this incompatibility will cause issues. For more details, see http://packages.networkradius.com We provide *working* packages, and documentation on how to fix issues created by OS vendors.
TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (6) (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (samaccountname=testuser) (1) ldap: Performing search in "OU=Employees,OU=Domain Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
You don't have "chase_referrals = yes". Fix that first, Then try switching to a different FreeRADIUS package. Alan DeKok.
Hi Alan, Thank you for the link to Network Radius. I was unaware that there was an issue with redhat and the standard freeradius packages. I have upgraded to 3.0.21 after adding the repositories in your link. This has fixed the chase_referrals issue, but I am still not binding as the user to LDAP. When performing a wireshark capture, the bind user shows as "<ROOT> simple". Do I need to set the ldap attributes to provide the user and password to the far end? Here is the latest output after upgrade and repository addtiion: (3) Received Access-Request Id 1 from 1.1.1.201:65445 to 1.1.1.190:1812 length 58 (3) NAS-IP-Address = 0.0.0.0 (3) User-Name = "testuser" (3) User-Password = "testpasswd123\000]\n" (3) NAS-Port = 0 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) policy filter_password { (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (3) EXPAND %{string:User-Password} (3) --> testpasswd123 (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> TRUE (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (3) update request { (3) EXPAND %{string:User-Password} (3) --> testpasswd123 (3) &Tmp-String-0 := testpasswd123 (3) EXPAND %{string:Tmp-String-0} (3) --> testpasswd123 (3) &User-Password := testpasswd123 (3) } # update request = noop (3) } # if (&User-Password && (&User-Password != "%{string:User-Password}")) = noop (3) } # policy filter_password = noop (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "testuser", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: No EAP-Message, not doing EAP (3) [eap] = noop (3) [files] = noop (3) sql: EXPAND %{User-Name} (3) sql: --> testuser (3) sql: SQL-User-Name set to 'testuser' rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 96 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (12): Hit idle_timeout, was idle for 96 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (13): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (14), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (14) (3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (3) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id (3) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id (3) sql: User found in radcheck table (3) sql: Conditional check items matched, merging assignment check items (3) sql: Auth-Type := PAP (3) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (3) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id (3) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id rlm_sql (sql): 1 of 1 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (15), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (15) rlm_sql (sql): Released connection (15) Need 1 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (16), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10 (3) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (3) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority (3) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority (3) sql: User found in the group table (3) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (3) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id (3) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id (3) sql: Group "sonus-admin": Conditional check items matched (3) sql: Group "sonus-admin": Merging assignment check items (3) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (3) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id (3) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id (3) sql: Group "sonus-admin": Merging reply items (3) sql: GroupName := "Administrator" rlm_sql (sql): Released connection (14) (3) [sql] = ok rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 95 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 95 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (10), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (10) (3) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap: --> (samaccountname=testuser) (3) ldap: Performing search in "OU=Employees,OU=Domain Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope "sub" (3) ldap: Waiting for search result... (3) ldap: ERROR: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information. (3) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580. rlm_ldap (ldap): Released connection (10) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (11), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (3) [ldap] = fail (3) } # authorize = fail (3) Invalid user (ldap: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.): [testuser] (from client 1.1.1.201 port 0) (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Post-Auth-Type REJECT { (3) sql: EXPAND .query (3) sql: --> .query (3) sql: Using query template 'query' rlm_sql (sql): Reserved connection (14) (3) sql: EXPAND %{User-Name} (3) sql: --> testuser (3) sql: SQL-User-Name set to 'testuser' (3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M') (3) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-06-01 08:48:57.890570') (3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-06-01 08:48:57.890570') (3) sql: SQL query returned: success (3) sql: 1 record(s) updated rlm_sql (sql): Released connection (14) Need 7 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (17), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10 (3) [sql] = ok (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> testuser (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (3) (3) Discarding duplicate request from client 1.1.1.201 port 65445 - ID: 1 due to delayed response Waking up in 0.3 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 1 from 1.1.1.190:1812 to 1.1.1.201:65445 length 20 Waking up in 3.9 seconds. (3) Cleaning up request packet ID 1 with timestamp +1251 Ready to process requests On Fri, May 29, 2020 at 3:19 PM Alan DeKok <aland@deployingradius.com> wrote:
On May 29, 2020, at 3:06 PM, Jason Leiby <leibyj@gmail.com> wrote:
I placed the auth-type update control snippet in the authenticate section
No... you have to update Auth-Type *before* the authenticate section, in the authorize section.
When you set Auth-Type, you're telling the server which "authenticate" sub-section to use. So putting an "update control" in the authenticate section does nothing.
and I still get the same error message of:
(1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details. (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.
What is also strange is that the first error about chase_referrals and rebind should be gone as I have those flags uncommented in the ldap module
Those settings are still commented out. If "chase_referrals" was set, the error would be:
Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.
Here is the full output from radiusd -X
If you read the *rest* of the debug output, you will see it printing out the configuration for the LDAP module. And "chase_referrals" won't be set.
... rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
Arg. You're using RedHat, which (in there infinite wisdom) decided to switch libldap to something which isn't compatible with OpenSSL.
FreeRADIUS uses OpenSSL. I suspect this incompatibility will cause issues. For more details, see http://packages.networkradius.com
We provide *working* packages, and documentation on how to fix issues created by OS vendors.
TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (6) (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (samaccountname=testuser) (1) ldap: Performing search in "OU=Employees,OU=Domain Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
You don't have "chase_referrals = yes".
Fix that first, Then try switching to a different FreeRADIUS package.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 1, 2020, at 10:23 AM, Jason Leiby <leibyj@gmail.com> wrote:
Thank you for the link to Network Radius. I was unaware that there was an issue with redhat and the standard freeradius packages. I have upgraded to 3.0.21 after adding the repositories in your link. This has fixed the chase_referrals issue, but I am still not binding as the user to LDAP.
OK.
When performing a wireshark capture, the bind user shows as "<ROOT> simple". Do I need to set the ldap attributes to provide the user and password to the far end?
The LDAP module does "bind as user" when it's run from the "authenticate" section. Otherwise, it binds as the admin.
(3) ldap: Performing search in "OU=Employees,OU=Domain Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope "sub"
This search is with the admin credentials you supplied in the mods-enabled/ldap
(3) ldap: Waiting for search result... (3) ldap: ERROR: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information. (3) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.
That seems pretty clear. It looks like either you didn't set "rebind=true" also, *or* the admin user doesn't have permissions to query the LDAP database. The default configuration has both "chase_referrals = yes", and "rebind = yes". Along with comments explaining what they do, and why they need to be set for AD. The ldap module should *not* "bind as user" when it's run from the "authorize" section. Instead, the ldap module should just use the admin name / password. This is because it's querying group information, and "known good" passwords for the user. There is just no need to do "bind as user" there. If you do want to authenticate users, run ldap in the "authenticate" section. As I already said. Again, there is documentation for this in the default configuration. Which I suggest reading. Reading the documentation and following the examples *will* make this work. That's why I suggest reading them. Alan DeKok.
participants (3)
-
Alan DeKok -
Jason Leiby -
Klemen forneci