Help with ldap integration into Active directory
From: Josh McMillan Sent: Monday, 5 August 2019 5:12 PM To: 'freeradius-users@lists.freeradius.org' <freeradius-users@lists.freeradius.org> Subject: Help ldap integration into Active directory From: Josh McMillan Sent: Monday, 5 August 2019 5:10 PM To: 'freeradius-users@list.freeradius.org' <freeradius-users@list.freeradius.org<mailto:freeradius-users@list.freeradius.org>> Subject: Help ldap integration into Active directory I’m new to free radius so forgive the ignorance as I try and articulate the set up im trying to achieve here. Currently I have a free radius server running off a centos server: · Running Freeradius FreeRADIUS Version 3.0.13 · Centos version CentOS Linux release 7.6.1810 (Core) The overall design idea at the moment is clients will connect via l2tp vpn with a preshared key against a vyos then get challenged for AD credentials which are then passed to the Freeradius server. -The goal is then to use ldap to query active directory – locked down to a specific security group - Then use samba / ntlm_auth to handle the actual username/ password authentication. - Most of this has been up until I started trying to refine the ldap search and move the authentication part away from ldap which when I ran radiusd –X I could see in the output that ldap was still being used past the query stage. - Since modifying those folders im for ever chasing loops in the /etc/raddb/mods-enabled/ldap file for things 'rlm_group': /usr/lib64/freeradius/rlm_group.so: cannot open shared object file: No such file or directory’ - Unfortunately I don’t have a complete grasp oh how all these protocols interact / leverage off each other to do specific jobs and im at the point now that if I continue I will bugger up the config and have to start again. Any assistance with this would be fantastic. - Can provide configs if need be. Summary: - L2tp vpn auth works fine - Radius / samba / ntlm_auth originally worked well – issue was any users in AD would authenticate rather then the specific group im targeting - Tried modifying the Ldap file in /etc/raddb/mods-enabled/ldap and feel like im digging my own grave by this point as error after error appears -regards, Josh McMillan Systems & Network Administrator [cid:image001.png@01D3016E.7BC03220] 6/11 Evans Street, Burwood, Vic 3125 Tel: 03 9029 0431 Fax: 03 9888 7176 [cid:image002.png@01D3016E.7BC03220]<https://www.linkedin.com/company/mikeit-pty-ltd?trk=company_name> This email and any attachments may contain personal information or information that is otherwise confidential or the subject of copyright. OpusV does not warrant that this email or any attachments are free from viruses or defects. If this e-mail is received in error please delete it and notify us by return e-mail.
On Aug 5, 2019, at 3:16 AM, Josh McMillan <joshm@opusv.com.au> wrote:
I’m new to free radius so forgive the ignorance as I try and articulate the set up im trying to achieve here.
Currently I have a free radius server running off a centos server: · Running Freeradius FreeRADIUS Version 3.0.13 · Centos version CentOS Linux release 7.6.1810 (Core)
OK.
The overall design idea at the moment is clients will connect via l2tp vpn with a preshared key against a vyos then get challenged for AD credentials which are then passed to the Freeradius server. -The goal is then to use ldap to query active directory – locked down to a specific security group - Then use samba / ntlm_auth to handle the actual username/ password authentication.
Detailed instructions are on my web site: http://deployingradius.com
- Most of this has been up until I started trying to refine the ldap search and move the authentication part away from ldap which when I ran radiusd –X I could see in the output that ldap was still being used past the query stage.
What does that mean? FreeRADIUS doesn't magically "use" a module. It calls a module when the configuration tells it to.
- Since modifying those folders im for ever chasing loops in the /etc/raddb/mods-enabled/ldap file for things 'rlm_group': /usr/lib64/freeradius/rlm_group.so: cannot open shared object file: No such file or directory’ - Unfortunately I don’t have a complete grasp oh how all these protocols interact / leverage off each other to do specific jobs and im at the point now that if I continue I will bugger up the config and have to start again.
You edited the configuration, and broke it. Don't do that. The debug out says: /etc/raddb/mods-enabled/ldap[238] ... So... what's on line 238? The server prints filenames and line numbers for a reason. What's happening is that you added some text like: group { ... } to the "ldap" module configuration. This is wrong. You can't just add random text to the configuration files and expect that it does what you want. The configuration files explain very clearly what is allowed, and how it works. For background to RADIUS and FreeRADIUS, see: https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf Alan DeKok.
participants (2)
-
Alan DeKok -
Josh McMillan