Freeradius/Radtest fails to authenticate against Google LDAP
Hi all. I try hard to get Freeradius working with Google LDAP, but I feel totally stuck and desperate. My starting point was following the Google documentation ( https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius <https://support.google.com/a/answer/9089736?hl=en#zippy=,freeradius> ), which some people pointed to being not really accurate. After some adjustments I find myself stuck in the wood. Admittingly I have just very basic knowledge of Linux (I use Ubuntu 20). When I run radtest I get this result: root@freeradius1:/home/serveradmin# radtest it-test2@lanes-planes.com <mailto:it-test2@lanes-planes.com> PASSWORD 127.0.0.1 1 testing123 Sent Access-Request Id 50 from 0.0.0.0:39324 to 127.0.0.1:1812 length 95 User-Name = "it-test2@lanes-planes.com <mailto:it-test2@lanes-planes.com>" User-Password = „PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = „PASSWORD" Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:39324 length 20 (0) -: Expected Access-Accept got Access-Reject Here is the debug output of freeradius -X: (0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95 (0) User-Name = "it-test2@lanes-planes.com" (0) User-Password = „PASSWORD" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 1 (0) Message-Authenticator = 0xf9bad2a09e9c1eb0e3c9317b52b40faf (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "lanes-planes.com" for User-Name = "it-test2@lanes-planes.com" (0) suffix: Found realm "lanes-planes.com" (0) suffix: Adding Stripped-User-Name = "it-test2" (0) suffix: Adding Realm = "lanes-planes.com" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=it-test2) (0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test2)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful (0) [ldap] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) if (User-Password) { (0) if (User-Password) -> TRUE (0) if (User-Password) { (0) update control { (0) Auth-Type := ldap (0) } # update control = noop (0) } # if (User-Password) = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = ldap (0) Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> it-test2@lanes-planes.com (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:39324 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 50 with timestamp +39 Ready to process requests If anyone of you could point me to the right direction what would be need to be corrected to get this work that would be just awesome. If it helps, I would also be willing to share other config files, like sites-enabled/defaults. Thanks. Best regards Christian
On Feb 8, 2021, at 12:26 PM, Christian Bednarz <christian.bednarz@lanes-planes.com> wrote:
I try hard to get Freeradius working with Google LDAP, but I feel totally stuck and desperate.
My starting point was following the Google documentation ( https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius <https://support.google.com/a/answer/9089736?hl=en#zippy=,freeradius> ), which some people pointed to being not really accurate. After some adjustments I find myself stuck in the wood. Admittingly I have just very basic knowledge of Linux (I use Ubuntu 20).
If Linux is new, configuring RADIUS can be complex. :(
(0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95 (0) User-Name = "it-test2@lanes-planes.com" (0) User-Password = „PASSWORD" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 1 ... rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=it-test2) (0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test2)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful (0) [ldap] = notfound
So the user wasn't found in LDAP. What happens when you run "ldapsearch" manually? The most recent versions of the server have full documentation on how to use the LDAP module configuration with the ldapsearch tool: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail...
(0) [expiration] = noop (0) [logintime] = noop (0) if (User-Password) { (0) if (User-Password) -> TRUE (0) if (User-Password) { (0) update control { (0) Auth-Type := ldap (0) } # update control = noop (0) } # if (User-Password) = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = ldap (0) Auth-Type sub-section not found. Ignoring.
Well, I don't suggest setting "Auth-type = LDAP" unless you actually have "ldap" configured in the "authenticate" section. But you shouldn't need that. Delete the "update control" section which sets "Auth-Type = LDAP". And then make sure that the LDAP module configuration works. i.e. that when FreeRADIUS looks for a user in LDAP, the ldap module finds that user, and returns the password to FreeRADIUS. Alan DeKok.
participants (2)
-
Alan DeKok -
Christian Bednarz