RE: FreeRadius cannot Authenticate to Windows AD
Michael, Try querying Active Directory with the "ldapsearch" utility. Here is an example. ldapsearch -LLL -h 1.2.3.4 -x -b 'dc=domain,dc=com' '(samaccountname=backops)' -D backops -w passofbackops This will make sure that the credentials are correct or not. Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Phil Mayers Sent: December 16, 2005 1:55 AM To: FreeRadius users mailing list Subject: Re: FreeRadius cannot Authenticate to Windows AD
Michael Calizo wrote:
Hi,
Same thing has happened, I still can not authenticate to WindowsAD. Same Error is displayed when i debug radiusd....
I put quotes arround password..
radtest user 'mypass' 192.168.1.1:1812 <http://192.168.1.1:1812> 1812 testing123 or radtest user 'mypass' 192.168.1.1:1812 <http://192.168.1.1:1812> 1812 testing123
What do you think is the problem? rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
...that's pretty clear. The "identity"/"password" combo you have is wrong. Or AD thinks it's wrong. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.
Hi Alhagie, Below is my ldap search result which i found it that it can connect to MSAD. But when i configure my radiusd.conf Ldap part as shown below. ldap { server = "192.168.1.1" #identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "CN=Person,DC=chikka,DC=ph" filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" start_tls = no } I STILL GET THIS ERROR BELOW WHEN I TRY TO USE RADTEST AS SHOWN BELOW: radtest mike mike123 192.168.1.13:1812 1812 testing1234 Sending Access-Request of id 185 to 192.168.1.13:1812 User-Name = "mike" User-Password = "mike123" NAS-IP-Address = repository.domain.com NAS-Port = 1812 rad_recv: Access-Reject packet from host 192.168.1.13:1812, id=185, length=20 RADIUSD LOG: rlm_ldap: login attempt by "mike" with password "mike123" radius_xlat: '(SamAccountName=mike)' radius_xlat: 'CN=Person,DC=chikka,DC=ph' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0 rlm_ldap: bind as / to 192.168.1.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in CN=Person,DC=chikka,DC=ph, with filter (SamAccountName=mike) rlm_ldap: ldap_search() failed: Operations error rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns fail for request 0 modcall: group Auth-Type returns fail for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 185 to 192.168.1.13:37977 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 185 with timestamp 43a61b6c Nothing to do. Sleeping until we see a request. LDAPSEARCH RESULT [root@repository ~]# ldapsearch -LLL -h 192.168.1.1 -x -b 'dc=domain,dc=com' '(samaccountname=mike)' -D mike -w mike123 dn: CN=mike,CN=Users,DC=domain,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: mike givenName: mike distinguishedName: CN=mike,CN=Users,DC=domain,DC=com instanceType: 4 whenCreated: 20050616031658.0Z whenChanged: 20051201135642.0Z displayName: mike uSNCreated: 11557650 memberOf: CN=svnusers,CN=Users,DC=domain,DC=com memberOf: CN=noc,CN=Users,DC=domain,DC=com memberOf: CN=QA,CN=Users,DC=domain,DC=com uSNChanged: 12322817 name: mike objectGUID:: vSHdzG0AG02jW9AZzurvqQ== userAccountControl: 66048 badPwdCount: 2 codePage: 0 countryCode: 0 badPasswordTime: 127792025390218068 lastLogoff: 0 lastLogon: 127758129860897359 pwdLastSet: 127779190022698471 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAc+SiCBWZJKtAqKm9ZQUAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: mike sAMAccountType: 805306368 userPrincipalName: mike@domain.com lockoutTime: 0 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com # refldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com # refldap://DomainDnsZones.domain/DC=DomainDnsZones,DC=doamin,DC=com # refldap://chikka.ph/CN=Configuration,DC=doamin,DC=com Thnx in advance, -- Mike Calizo Registered Linux User # 365113 _________________________________________________ Even the longest journey has to start with a small first-step
rlm_ldap: login attempt by "mike" with password "mike123" radius_xlat: '(SamAccountName=mike)' radius_xlat: 'CN=Person,DC=chikka,DC=ph' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0 rlm_ldap: bind as / to 192.168.1.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in CN=Person,DC=chikka,DC=ph, with filter (SamAccountName=mike)
-----
LDAPSEARCH RESULT
[root@repository ~]# ldapsearch -LLL -h 192.168.1.1 -x -b 'dc=domain,dc=com' '(samaccountname=mike)' -D mike -w mike123 dn: CN=mike,CN=Users,DC=domain,DC=com
There are two major differences in what you have freeradius configured to do and what your commandline search shows. Is this intended?? Freeradius -bind anonymously -search in CN=Person,DC=chikka,DC=ph Commandline -bind as mike -search in dc=domain,dc=com Unless I missed something and I'm just not getting it, I would give freeradius an identity and password of a user that has read access to the part of the directory your users are in. Then I would change the basedn in freeradius to actually match the basedn of your directory.
In addition to Dusty's comments: Michael Calizo <mike.calizo@gmail.com> wrote:
rlm_ldap: ldap_search() failed: Operations error
http://bugs.freeradius.org/show_bug.cgi?id=183 You're running into two issues: - the OpenLDAP client libraries don't use the authentication credentials they're given when following references. - Active Directory is following references because your domain controller has two domains, and the user isn't found in one, so it's being referred to the other domain. The patch might help, but your LDAP queries should be made more specific. Alan DeKok.
A little modification of that patch seems to be neccessary, as the patch applies, but compiling fails: Compiling this patch gives: rlm_ldap.c: In function `ldap_groupcmp': rlm_ldap.c:879: warning: initialization discards qualifiers from pointer target type rlm_ldap.c:1010: warning: comparison between signed and unsigned rlm_ldap.c: In function `ldap_xlat': rlm_ldap.c:1135: warning: comparison between signed and unsigned rlm_ldap.c: In function `ldap_authenticate': rlm_ldap.c:1625: warning: initialization discards qualifiers from pointer target type rlm_ldap.c: In function `ldap_rebind': rlm_ldap.c:1924: error: `dn' undeclared (first use in this function) rlm_ldap.c:1924: error: (Each undeclared identifier is reported only once rlm_ldap.c:1924: error: for each function it appears in.) rlm_ldap.c:1924: error: `passwd' undeclared (first use in this function) rlm_ldap.c: In function `ldap_connect': rlm_ldap.c:2009: warning: implicit declaration of function `ldap_int_tls_config' rlm_ldap.c: In function `ldap_rebind': rlm_ldap.c:1920: warning: unused parameter `request' rlm_ldap.c:1920: warning: unused parameter `msgid' rlm_ldap.c:1920: warning: unused parameter `params' rlm_ldap.c: In function `ldap_groupcmp': rlm_ldap.c:870: warning: unused parameter `request' rlm_ldap.c:871: warning: unused parameter `check_pairs' rlm_ldap.c:871: warning: unused parameter `reply_pairs' gmake[6]: *** [rlm_ldap.o] Error 1 gmake[6]: Leaving directory `/home/radius/freeradius-1.0.5/src/modules/rlm_ldap' gmake[5]: *** [common] Error 2 gmake[5]: Leaving directory `/home/radius/freeradius-1.0.5/src/modules' gmake[4]: *** [all] Error 2 gmake[4]: Leaving directory `/home/radius/freeradius-1.0.5/src/modules' gmake[3]: *** [common] Error 2 gmake[3]: Leaving directory `/home/radius/freeradius-1.0.5/src' gmake[2]: *** [all] Error 2 gmake[2]: Leaving directory `/home/radius/freeradius-1.0.5/src' gmake[1]: *** [common] Error 2 gmake[1]: Leaving directory `/home/radius/freeradius-1.0.5' make: *** [all] Error 2 diff -Nru rlm_ldap.patch.org rlm_ldap.patch --- rlm_ldap.patch.org 2005-12-19 13:45:03.000000000 +0100 +++ rlm_ldap.patch 2005-12-19 13:18:21.000000000 +0100 @@ -34,7 +34,7 @@ +{ + if (DN != NULL && PASSWD != NULL){ + DEBUG("rlm_ldap: rebind to URL: %s",url); -+ return ldap_bind_s( ld, dn, passwd, LDAP_AUTH_SIMPLE); ++ return ldap_bind_s( ld, DN, PASSWD, LDAP_AUTH_SIMPLE); + } +} + With the above changes rlm_ldap.c compiles and runs (at least for me). Will the patch mentioned at http://bugs.freeradius.org/show_bug.cgi?id=183 become part of the next official release? Norbert Wegener Alan DeKok wrote:
In addition to Dusty's comments:
Michael Calizo <mike.calizo@gmail.com> wrote:
rlm_ldap: ldap_search() failed: Operations error
http://bugs.freeradius.org/show_bug.cgi?id=183
You're running into two issues:
- the OpenLDAP client libraries don't use the authentication credentials they're given when following references.
- Active Directory is following references because your domain controller has two domains, and the user isn't found in one, so it's being referred to the other domain.
The patch might help, but your LDAP queries should be made more specific.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener <nw@sbs.de> wrote:
With the above changes rlm_ldap.c compiles and runs (at least for me). Will the patch mentioned at http://bugs.freeradius.org/show_bug.cgi?id=183 become part of the next official release?
Something like it, perhaps. The patch as-is isn't thread-safe. Alan DeKok.
Alhagie, Hey, i made it work now.. I can now authenticate to my MSAD... Tnx for the hints.: My radius.conf looks like this now... I can now even make my CISCO 1700 dial-in server to authenticate to my MSAD. ldap { server = "192.168.1.1" #identity = "cn=admin,o=My Org,c=UA" identity = "mike@domain.com password = mike123 # password = mypass basedn = "CN=Users,DC=domain,DC=com" filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})" Tnx for your help... On 12/19/05, Michael Calizo <mike.calizo@gmail.com> wrote:
Hi Alhagie,
Below is my ldap search result which i found it that it can connect to MSAD. But when i configure my radiusd.conf Ldap part as shown below.
ldap { server = "192.168.1.1" #identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "CN=Person,DC=chikka,DC=ph" filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)"
start_tls = no }
I STILL GET THIS ERROR BELOW WHEN I TRY TO USE RADTEST AS SHOWN BELOW:
radtest mike mike123 192.168.1.13:1812 1812 testing1234 Sending Access-Request of id 185 to 192.168.1.13:1812 User-Name = "mike" User-Password = "mike123" NAS-IP-Address = repository.domain.com NAS-Port = 1812 rad_recv: Access-Reject packet from host 192.168.1.13:1812, id=185, length=20
RADIUSD LOG:
rlm_ldap: login attempt by "mike" with password "mike123" radius_xlat: '(SamAccountName=mike)' radius_xlat: 'CN=Person,DC=chikka,DC=ph' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0 rlm_ldap: bind as / to 192.168.1.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in CN=Person,DC=chikka,DC=ph, with filter (SamAccountName=mike) rlm_ldap: ldap_search() failed: Operations error rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns fail for request 0 modcall: group Auth-Type returns fail for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 185 to 192.168.1.13:37977 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 185 with timestamp 43a61b6c Nothing to do. Sleeping until we see a request.
LDAPSEARCH RESULT
[root@repository ~]# ldapsearch -LLL -h 192.168.1.1 -x -b 'dc=domain,dc=com' '(samaccountname=mike)' -D mike -w mike123 dn: CN=mike,CN=Users,DC=domain,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: mike givenName: mike distinguishedName: CN=mike,CN=Users,DC=domain,DC=com instanceType: 4 whenCreated: 20050616031658.0Z whenChanged: 20051201135642.0Z displayName: mike uSNCreated: 11557650 memberOf: CN=svnusers,CN=Users,DC=domain,DC=com memberOf: CN=noc,CN=Users,DC=domain,DC=com memberOf: CN=QA,CN=Users,DC=domain,DC=com uSNChanged: 12322817 name: mike objectGUID:: vSHdzG0AG02jW9AZzurvqQ== userAccountControl: 66048 badPwdCount: 2 codePage: 0 countryCode: 0 badPasswordTime: 127792025390218068 lastLogoff: 0 lastLogon: 127758129860897359 pwdLastSet: 127779190022698471 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAc+SiCBWZJKtAqKm9ZQUAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: mike sAMAccountType: 805306368 userPrincipalName: mike@domain.com lockoutTime: 0 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
# refldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com
# refldap://DomainDnsZones.domain/DC=DomainDnsZones,DC=doamin,DC=com
# refldap://chikka.ph/CN=Configuration,DC=doamin,DC=com
Thnx in advance,
-- Mike Calizo Registered Linux User # 365113
_________________________________________________ Even the longest journey has to start with a small first-step
-- Mike Calizo Registered Linux User # 365113 _________________________________________________ Even the longest journey has to start with a small first-step
participants (5)
-
Alan DeKok -
Alhagie Puye -
Dusty Doris -
Michael Calizo -
Norbert Wegener