FreeRadius 3 OpenLDAP and MAC based Auth
Hello !
You send an Access-Request with User-Name and User-Password (0) Received Access-Request Id 165 from 192.168.0.7:3437 to
192.168.0.215:1812 length 241 (0) User-Name = "106530670342" (0) User-Password = "106530670342" You check the user but there's no password (0) redundant redundant_ldap { rlm_ldap (ldap1): Reserved connection (0) (0) ldap1: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap1: --> (cn=106530670342) (0) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub" (0) ldap1: Waiting for search result... (0) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de" (0) ldap1: Processing user attributes (0) ldap1: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap1: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
So Access-Reject is sent
Yes, the Access-request from the switch contains User-Name and User-Password, both attributes contain the mac address without hyphen. If there is a match in LDAP the user is authorized and therefor accepted. The Access-reply should contain the the attributes like VLAN ID. I can see that the user is found in the directory... (0) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub" (0) ldap1: Waiting for search result... (0) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de" (0) ldap1: Processing user attributes ... (0) } # authorize = ok Am I wrong to say the authorization was successful? In FR2 I had a schema for the freeradius loaded in OpenLDAP. I did not found any related informations for a FR3 schema for OpenLDAP but also tried to use the scheme which I used in FR2 without any other results. Thank you!
On Jan 10, 2019, at 3:53 PM, Jürgen Northe <jn@northe-online.de> wrote:
Yes, the Access-request from the switch contains User-Name and User-Password, both attributes contain the mac address without hyphen. If there is a match in LDAP the user is authorized and therefor accepted. The Access-reply should contain the the attributes like VLAN ID.
That should work.
I can see that the user is found in the directory...
(0) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub" (0) ldap1: Waiting for search result... (0) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de" (0) ldap1: Processing user attributes ... (0) } # authorize = ok
Am I wrong to say the authorization was successful?
Maybe. "authorized" is not always the same as "authorized with all of the configuration you want it to have". If you grab the latest version from GitHub: https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x The file raddb/mods-available/ldap contains updated comments that tell you how to run "ldapsearch". You can run that using the configuration from the LDAP module (copy it manually to the command line). And then fight with LDAP / ldapsearch to get it to return the correct data. Once that's done, convert the ldapsearch parameters back to the FR config, and it should work.
In FR2 I had a schema for the freeradius loaded in OpenLDAP. I did not found any related informations for a FR3 schema for OpenLDAP but also tried to use the scheme which I used in FR2 without any other results.
The server comes with schemas: doc/schemas/ldap/openldap/freeradius.ldif At least, that's in the git repo and the release "tar" files. Who knows where the various package maintainers put them. Alan DeKok.
participants (2)
-
Alan DeKok -
Jürgen Northe