Hello, I am setting up freeradius with Microsoft Active Directory. So far, I am able to connect to the server but not to authenticate a user. Can you please give me a hint of how the configuration files need to be set in order to authenticate the user. Also, what is "3D" used for? (Example: server =3D your.ad.server.org ...) Thank you in advance, Nataly
"Natalia Escalera" <nescalera@gmail.com> wrote:
I am setting up freeradius with Microsoft Active Directory. So far, I am able to connect to the server but not to authenticate a user. Can you please give me a hint of how the configuration files need to be set in order to authenticate the user.
If the RADIUS packets have clear-text passwords, then the normal LDAP module should work. If you're using PEAP or MS-CHAP, read "radiusd.conf",m and use "ntlm_auth".
Also, what is "3D" used for? (Example: server =3D your.ad.server.org ...)
Nothing. It's an artifact of stupid mailers. 3D is ASCII for '='. Alan DeKok.
Hello Mr. DeKok Thank you for the fast response. The password is clear-text. We are using ethereal to debug why we are getting "Operations Error" on the Search Result. The Operation Errors comment is the following: "In order to perform this operation a successful bind must be completed." The search request on ethereal from Freeradius to the active directory gives the following: Message Type: Search Request Message Length: 96 Response In: 469 Base DN: dc=test, dc=prt Scope: subtree (0x02) Derefence: Never (0x00) Size Limit: 0 Time Limit: 4 Attributes only: False Filter: (&(objectclass=person)(sAMAccountName=%u)) Attribute: uid ????we are not sending this attribute and we do not know where it is specified on Freeradius Here are the settings given for LDAP module on radius.conf and user file: #radius.conf ldap { server="xxx.xx.xxx.xxx" identity ="" # If this is suppose to be the bind dn??? password = "mypassword" basedn ="dc=test,dc=prt" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" filter ="(&(objectclass=person) (sAMAccountName=%u))" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout =5 timelimit =4 net_timeout =2 compare_check_items = yes } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } #users file DEFAULT Auth-Type := LDAP Fall-Through = 1 Can you please tell us if there is something wrong or if we are missing something on the configuration files? Thanks in advance, Nataly On 2/25/06, Alan DeKok <aland@ox.org> wrote:
"Natalia Escalera" <nescalera@gmail.com> wrote:
I am setting up freeradius with Microsoft Active Directory. So far, I am able to connect to the server but not to authenticate a user. Can you please give me a hint of how the configuration files need to be set in order to authenticate the user.
If the RADIUS packets have clear-text passwords, then the normal LDAP module should work. If you're using PEAP or MS-CHAP, read "radiusd.conf",m and use "ntlm_auth".
Also, what is "3D" used for? (Example: server =3D your.ad.server.org ...)
Nothing. It's an artifact of stupid mailers. 3D is ASCII for '='.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Natalia Escalera" <nescalera@gmail.com> wrote:
Thank you for the fast response. The password is clear-text. We are using ethereal to debug why we are getting "Operations Error" on the Search Result.
See the list archives. You have to qualify the LDAP search. http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.h... Alan DeKok.
Hello, What do you mean with qualify the LDAP search? Thanks. Nataly On 2/25/06, Alan DeKok <aland@ox.org> wrote:
"Natalia Escalera" <nescalera@gmail.com> wrote:
Thank you for the fast response. The password is clear-text. We are using ethereal to debug why we are getting "Operations Error" on the Search Result.
See the list archives. You have to qualify the LDAP search.
http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.h...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, How can we specify the bindn on radius.conf so we do not search as an anonymous user? Thank you, Nataly On 2/25/06, Natalia Escalera <nescalera@gmail.com> wrote:
Hello, What do you mean with qualify the LDAP search?
Thanks. Nataly
On 2/25/06, Alan DeKok <aland@ox.org> wrote:
"Natalia Escalera" <nescalera@gmail.com> wrote:
Thank you for the fast response. The password is clear-text. We are using ethereal to debug why we are getting "Operations Error" on the Search Result.
See the list archives. You have to qualify the LDAP search.
http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.h...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I mean binddn... On 2/25/06, Natalia Escalera <nescalera@gmail.com> wrote:
Hello,
How can we specify the bindn on radius.conf so we do not search as an anonymous user?
Thank you, Nataly
On 2/25/06, Natalia Escalera <nescalera@gmail.com> wrote:
Hello, What do you mean with qualify the LDAP search?
Thanks. Nataly
On 2/25/06, Alan DeKok <aland@ox.org> wrote:
"Natalia Escalera" <nescalera@gmail.com> wrote:
Thank you for the fast response. The password is clear-text. We are using ethereal to debug why we are getting "Operations Error" on the Search Result.
See the list archives. You have to qualify the LDAP search.
http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.h...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have another question, how can we avoid referrals coming from AD Ldap server? How can we specify those settings? Thanks, Nataly On 2/25/06, Natalia Escalera <nescalera@gmail.com> wrote:
I mean binddn...
On 2/25/06, Natalia Escalera <nescalera@gmail.com> wrote:
Hello,
How can we specify the bindn on radius.conf so we do not search as an anonymous user?
Thank you, Nataly
On 2/25/06, Natalia Escalera <nescalera@gmail.com> wrote:
Hello, What do you mean with qualify the LDAP search?
Thanks. Nataly
On 2/25/06, Alan DeKok <aland@ox.org> wrote:
"Natalia Escalera" <nescalera@gmail.com> wrote:
Thank you for the fast response. The password is clear-text. We are using ethereal to debug why we are getting "Operations Error" on the Search Result.
See the list archives. You have to qualify the LDAP search.
http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.h...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Natalia Escalera