guide on configuring freeradius 3 LDAP
Hello, I just joined the list recently, in hopes to get some help in configuring LDAP on my FreeRADIUS server. I have found a lot of documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I have worked through the initial setup on the http://wiki.freeradius.org/guide/Getting-Started <http://wiki.freeradius.org/guide/Getting-Started> and was able to connect with “Access-Accept”. But now I want to connect an LDAP server (specifically, a VLDAP server from OneLogin). I have all their docs, and have all the base DN and Bind DN info. But the documentation at http://wiki.freeradius.org/modules/Rlm_ldap <http://wiki.freeradius.org/modules/Rlm_ldap> seem to “start in the middle” for me. It says you "can"… "To enable LDAP in your FreeRADIUS server, you can: • instantiate an ldap module - which sets up the server name, the base DN, etc • authenticate using an ldap module instance - which makes the FreeRADIUS server verify the user's identity in the LDAP directory, usually involving some form of checking the validity of the password • authorize using an ldap module instance - which makes the FreeRADIUS server verify the user's level of authorization in the LDAP directory, usually involving verifying group membership or similar" … but I don’t have enough experience to evaluate those options, or know how to do any of them. So I am looking for a simple “how to enable LDAP on FreeRADIUS 3” that I can follow to get things working, and learn from there. Thank you. —Douglas
On Jan 18, 2018, at 1:18 PM, Douglas C Ward <douglas@ugutech.com> wrote:
I just joined the list recently, in hopes to get some help in configuring LDAP on my FreeRADIUS server. I have found a lot of documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I have worked through the initial setup on the http://wiki.freeradius.org/guide/Getting-Started <http://wiki.freeradius.org/guide/Getting-Started> and was able to connect with “Access-Accept”. But now I want to connect an LDAP server (specifically, a VLDAP server from OneLogin). I have all their docs, and have all the base DN and Bind DN info. But the documentation at http://wiki.freeradius.org/modules/Rlm_ldap <http://wiki.freeradius.org/modules/Rlm_ldap> seem to “start in the middle” for me. It says you "can"…
"To enable LDAP in your FreeRADIUS server, you can:
• instantiate an ldap module - which sets up the server name, the base DN, etc • authenticate using an ldap module instance - which makes the FreeRADIUS server verify the user's identity in the LDAP directory, usually involving some form of checking the validity of the password • authorize using an ldap module instance - which makes the FreeRADIUS server verify the user's level of authorization in the LDAP directory, usually involving verifying group membership or similar"
… but I don’t have enough experience to evaluate those options, or know how to do any of them. So I am looking for a simple “how to enable LDAP on FreeRADIUS 3” that I can follow to get things working, and learn from there. Thank you.
Edit raddb/mods-available/ldap. Configure it. i.e. *read* the comments. They tell you what the options do, and how they work. Fill in the configuration as necessary. Start the server in debug mode. Send it a test packet using "radtest". Use a name/password that's in LDAP. If it gets Access-Accept, you're good! If not, *read* the debug output to see what it's doing. If you don't understand it, post it here. It really is that simple. The "radtest" example *should* work if the LDAP module (a) talks to the LDAP server, and (b) is configured to search the right part of the LDAP tree. The default configuration is designed to work with minimal edits. So do minimal edits, and it will work. Alan DeKok.
Thanks Alan, I’ll give that a go. I had gotten the impression that there were additional files to configure beyond the mods-available/ldap . Ill report back. -- Douglas
On Jan 18, 2018, at 1:29 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 18, 2018, at 1:18 PM, Douglas C Ward <douglas@ugutech.com> wrote: I just joined the list recently, in hopes to get some help in configuring LDAP on my FreeRADIUS server. I have found a lot of documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I have worked through the initial setup on the http://wiki.freeradius.org/guide/Getting-Started <http://wiki.freeradius.org/guide/Getting-Started> and was able to connect with “Access-Accept”. But now I want to connect an LDAP server (specifically, a VLDAP server from OneLogin). I have all their docs, and have all the base DN and Bind DN info. But the documentation at http://wiki.freeradius.org/modules/Rlm_ldap <http://wiki.freeradius.org/modules/Rlm_ldap> seem to “start in the middle” for me. It says you "can"…
"To enable LDAP in your FreeRADIUS server, you can:
• instantiate an ldap module - which sets up the server name, the base DN, etc • authenticate using an ldap module instance - which makes the FreeRADIUS server verify the user's identity in the LDAP directory, usually involving some form of checking the validity of the password • authorize using an ldap module instance - which makes the FreeRADIUS server verify the user's level of authorization in the LDAP directory, usually involving verifying group membership or similar"
… but I don’t have enough experience to evaluate those options, or know how to do any of them. So I am looking for a simple “how to enable LDAP on FreeRADIUS 3” that I can follow to get things working, and learn from there. Thank you.
Edit raddb/mods-available/ldap. Configure it.
i.e. *read* the comments. They tell you what the options do, and how they work. Fill in the configuration as necessary.
Start the server in debug mode. Send it a test packet using "radtest". Use a name/password that's in LDAP.
If it gets Access-Accept, you're good!
If not, *read* the debug output to see what it's doing. If you don't understand it, post it here.
It really is that simple. The "radtest" example *should* work if the LDAP module (a) talks to the LDAP server, and (b) is configured to search the right part of the LDAP tree.
The default configuration is designed to work with minimal edits. So do minimal edits, and it will work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In V3 the are far less things to do to get LDAP integration working. As Alan days, read the LDAP module, configure it. That's the basics and main stuff done. You may need, depending on purpose/use to edit the default and/or inner-tunnel files (you'll see the places noting LDAP). alan On 18 Jan 2018 8:10 pm, "Douglas Ward" <douglas@ugutech.com> wrote: > Thanks Alan, I’ll give that a go. I had gotten the impression that there > were additional files to configure beyond the mods-available/ldap . Ill > report back. > > -- Douglas > > > > On Jan 18, 2018, at 1:29 PM, Alan DeKok <aland@deployingradius.com> > wrote: > > > >> On Jan 18, 2018, at 1:18 PM, Douglas C Ward <douglas@ugutech.com> > wrote: > >> I just joined the list recently, in hopes to get some help in > configuring LDAP on my FreeRADIUS server. I have found a lot of > documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no > clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I > have worked through the initial setup on the http://wiki.freeradius.org/ > guide/Getting-Started <http://wiki.freeradius.org/guide/Getting-Started> > and was able to connect with “Access-Accept”. But now I want to connect an > LDAP server (specifically, a VLDAP server from OneLogin). I have all their > docs, and have all the base DN and Bind DN info. But the documentation at > http://wiki.freeradius.org/modules/Rlm_ldap <http://wiki.freeradius.org/ > modules/Rlm_ldap> seem to “start in the middle” for me. It says you "can"… > >> > >> "To enable LDAP in your FreeRADIUS server, you can: > >> > >> • instantiate an ldap module - which sets up the server name, the base > DN, etc > >> • authenticate using an ldap module instance - which makes the > FreeRADIUS server verify the user's identity in the LDAP directory, usually > involving some form of checking the validity of the password > >> • authorize using an ldap module instance - which makes the FreeRADIUS > server verify the user's level of authorization in the LDAP directory, > usually involving verifying group membership or similar" > >> > >> … but I don’t have enough experience to evaluate those options, or know > how to do any of them. So I am looking for a simple “how to enable LDAP on > FreeRADIUS 3” that I can follow to get things working, and learn from > there. Thank you. > > > > Edit raddb/mods-available/ldap. Configure it. > > > > i.e. *read* the comments. They tell you what the options do, and how > they work. Fill in the configuration as necessary. > > > > Start the server in debug mode. Send it a test packet using > "radtest". Use a name/password that's in LDAP. > > > > If it gets Access-Accept, you're good! > > > > If not, *read* the debug output to see what it's doing. If you don't > understand it, post it here. > > > > It really is that simple. The "radtest" example *should* work if the > LDAP module (a) talks to the LDAP server, and (b) is configured to search > the right part of the LDAP tree. > > > > The default configuration is designed to work with minimal edits. So > do minimal edits, and it will work. > > > > Alan DeKok. > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html
I just tried things, and ran into…
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> dward@iacollaborative.com
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
… so I assumed there was something in the default file. I saw in there…
# Auth-Type LDAP {
# ldap
# }
so I uncommented that, restarted the server in debug, and got this error…
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default
# Loading authenticate {...}
/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[513]: Failed to find "pam" as a module or policy.
/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[513]: Please verify that the configuration exists in /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/pam.
/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[476]: Errors parsing authenticate section.
… so I assume there’s some further config I’m missing.
—Douglas
> On Jan 18, 2018, at 2:10 PM, Douglas Ward <douglas@ugutech.com> wrote:
>
> Thanks Alan, I’ll give that a go. I had gotten the impression that there were additional files to configure beyond the mods-available/ldap . Ill report back.
>
> -- Douglas
>
>
>> On Jan 18, 2018, at 1:29 PM, Alan DeKok <aland@deployingradius.com> wrote:
>>
>>> On Jan 18, 2018, at 1:18 PM, Douglas C Ward <douglas@ugutech.com> wrote:
>>> I just joined the list recently, in hopes to get some help in configuring LDAP on my FreeRADIUS server. I have found a lot of documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I have worked through the initial setup on the http://wiki.freeradius.org/guide/Getting-Started <http://wiki.freeradius.org/guide/Getting-Started> and was able to connect with “Access-Accept”. But now I want to connect an LDAP server (specifically, a VLDAP server from OneLogin). I have all their docs, and have all the base DN and Bind DN info. But the documentation at http://wiki.freeradius.org/modules/Rlm_ldap <http://wiki.freeradius.org/modules/Rlm_ldap> seem to “start in the middle” for me. It says you "can"…
>>>
>>> "To enable LDAP in your FreeRADIUS server, you can:
>>>
>>> • instantiate an ldap module - which sets up the server name, the base DN, etc
>>> • authenticate using an ldap module instance - which makes the FreeRADIUS server verify the user's identity in the LDAP directory, usually involving some form of checking the validity of the password
>>> • authorize using an ldap module instance - which makes the FreeRADIUS server verify the user's level of authorization in the LDAP directory, usually involving verifying group membership or similar"
>>>
>>> … but I don’t have enough experience to evaluate those options, or know how to do any of them. So I am looking for a simple “how to enable LDAP on FreeRADIUS 3” that I can follow to get things working, and learn from there. Thank you.
>>
>> Edit raddb/mods-available/ldap. Configure it.
>>
>> i.e. *read* the comments. They tell you what the options do, and how they work. Fill in the configuration as necessary.
>>
>> Start the server in debug mode. Send it a test packet using "radtest". Use a name/password that's in LDAP.
>>
>> If it gets Access-Accept, you're good!
>>
>> If not, *read* the debug output to see what it's doing. If you don't understand it, post it here.
>>
>> It really is that simple. The "radtest" example *should* work if the LDAP module (a) talks to the LDAP server, and (b) is configured to search the right part of the LDAP tree.
>>
>> The default configuration is designed to work with minimal edits. So do minimal edits, and it will work.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
in the mods-available/ldap file, there is this section…
# Note: set_auth_type was removed in v3.x.x
# Equivalent functionality can be achieved by adding the following
# stanza to the authorize {} section of your virtual server.
#
# ldap
# if ((ok || updated) && User-Password) {
# update {
# control:Auth-Type := ldap
# }
# }
… where is the “authorize {}” section of my virtual server?
—Douglas
> On Jan 18, 2018, at 2:41 PM, Douglas C Ward <douglas@ugutech.com> wrote:
>
> I just tried things, and ran into…
>
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default
> (0) Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject: --> dward@iacollaborative.com
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0) [attr_filter.access_reject] = updated
> (0) [eap] = noop
> (0) policy remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy remove_reply_message_if_eap = noop
> (0) } # Post-Auth-Type REJECT = updated
>
> … so I assumed there was something in the default file. I saw in there…
>
> # Auth-Type LDAP {
> # ldap
> # }
>
> so I uncommented that, restarted the server in debug, and got this error…
>
> radiusd: #### Loading Virtual Servers ####
> server { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/radiusd.conf
> } # server
> server default { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default
> # Loading authenticate {...}
> /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[513]: Failed to find "pam" as a module or policy.
> /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[513]: Please verify that the configuration exists in /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/pam.
> /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[476]: Errors parsing authenticate section.
>
> … so I assume there’s some further config I’m missing.
>
> —Douglas
>
>> On Jan 18, 2018, at 2:10 PM, Douglas Ward <douglas@ugutech.com> wrote:
>>
>> Thanks Alan, I’ll give that a go. I had gotten the impression that there were additional files to configure beyond the mods-available/ldap . Ill report back.
>>
>> -- Douglas
>>
>>
>>> On Jan 18, 2018, at 1:29 PM, Alan DeKok <aland@deployingradius.com> wrote:
>>>
>>>> On Jan 18, 2018, at 1:18 PM, Douglas C Ward <douglas@ugutech.com> wrote:
>>>> I just joined the list recently, in hopes to get some help in configuring LDAP on my FreeRADIUS server. I have found a lot of documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I have worked through the initial setup on the http://wiki.freeradius.org/guide/Getting-Started <http://wiki.freeradius.org/guide/Getting-Started> and was able to connect with “Access-Accept”. But now I want to connect an LDAP server (specifically, a VLDAP server from OneLogin). I have all their docs, and have all the base DN and Bind DN info. But the documentation at http://wiki.freeradius.org/modules/Rlm_ldap <http://wiki.freeradius.org/modules/Rlm_ldap> seem to “start in the middle” for me. It says you "can"…
>>>>
>>>> "To enable LDAP in your FreeRADIUS server, you can:
>>>>
>>>> • instantiate an ldap module - which sets up the server name, the base DN, etc
>>>> • authenticate using an ldap module instance - which makes the FreeRADIUS server verify the user's identity in the LDAP directory, usually involving some form of checking the validity of the password
>>>> • authorize using an ldap module instance - which makes the FreeRADIUS server verify the user's level of authorization in the LDAP directory, usually involving verifying group membership or similar"
>>>>
>>>> … but I don’t have enough experience to evaluate those options, or know how to do any of them. So I am looking for a simple “how to enable LDAP on FreeRADIUS 3” that I can follow to get things working, and learn from there. Thank you.
>>>
>>> Edit raddb/mods-available/ldap. Configure it.
>>>
>>> i.e. *read* the comments. They tell you what the options do, and how they work. Fill in the configuration as necessary.
>>>
>>> Start the server in debug mode. Send it a test packet using "radtest". Use a name/password that's in LDAP.
>>>
>>> If it gets Access-Accept, you're good!
>>>
>>> If not, *read* the debug output to see what it's doing. If you don't understand it, post it here.
>>>
>>> It really is that simple. The "radtest" example *should* work if the LDAP module (a) talks to the LDAP server, and (b) is configured to search the right part of the LDAP tree.
>>>
>>> The default configuration is designed to work with minimal edits. So do minimal edits, and it will work.
>>>
>>> Alan DeKok.
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
provide full debug not the bits that interest you (as noted, you are new to this and so without understanding all the minutae of details only providing minimal (and wrong bits) of output we end up playing a guessing game) note that some of the stuff in the virtual servers is older - and in fact, pre-fixed with a warning. if you read the ldap module you will find further instruction eg # Note: set_auth_type was removed in v3.x.x # Equivalent functionality can be achieved by adding the following # stanza to the authorize {} section of your virtual server. # # ldap # if ((ok || updated) && User-Password) { # update { # control:Auth-Type := ldap # } # } alan
I appreciate the help. I am new to this, and sorry if by newbie requests are annoying. I’m just hoping to get to a basic functionality, and then will keep learning on my own. I have done my homework in trying to search the list archives and other sources, and am not trying to be a “solve it for me” kind of guy. Here’s the full output of the debug log from the initial “Ready to process requests” through my radtest request. I this enough to see what’s going on? ########################################### (0) Received Access-Request Id 35 from 127.0.0.1:62745 to 127.0.0.1:1812 length 95 (0) User-Name = "dward@iacollaborative.com" (0) User-Password = "//55/Red/Turtle" (0) NAS-IP-Address = 172.16.172.19 (0) NAS-Port = 0 (0) Message-Authenticator = 0xc3b3015c813572dcd8f1de884017f5a8 (0) # Executing section authorize from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "iacollaborative.com" for User-Name = "dward@iacollaborative.com" (0) suffix: No such realm "iacollaborative.com" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> dward@iacollaborative.com (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 35 from 127.0.0.1:1812 to 127.0.0.1:62745 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 35 with timestamp +13 Ready to process requests ########################################### —Douglas
On Jan 18, 2018, at 2:57 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
provide full debug not the bits that interest you (as noted, you are new to this and so without understanding all the minutae of details only providing minimal (and wrong bits) of output we end up playing a guessing game)
note that some of the stuff in the virtual servers is older - and in fact, pre-fixed with a warning. if you read the ldap module you will find further instruction eg
# Note: set_auth_type was removed in v3.x.x # Equivalent functionality can be achieved by adding the following # stanza to the authorize {} section of your virtual server. # # ldap # if ((ok || updated) && User-Password) { # update { # control:Auth-Type := ldap # } # }
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
(and I am changing that testuser’s pw, fyi) —Douglas
On Jan 18, 2018, at 3:13 PM, Douglas C Ward <douglas@ugutech.com> wrote:
I appreciate the help. I am new to this, and sorry if by newbie requests are annoying. I’m just hoping to get to a basic functionality, and then will keep learning on my own. I have done my homework in trying to search the list archives and other sources, and am not trying to be a “solve it for me” kind of guy.
Here’s the full output of the debug log from the initial “Ready to process requests” through my radtest request. I this enough to see what’s going on?
###########################################
(0) Received Access-Request Id 35 from 127.0.0.1:62745 to 127.0.0.1:1812 length 95 (0) User-Name = "dward@iacollaborative.com <mailto:dward@iacollaborative.com>" (0) User-Password = "//55/Red/Turtle" (0) NAS-IP-Address = 172.16.172.19 (0) NAS-Port = 0 (0) Message-Authenticator = 0xc3b3015c813572dcd8f1de884017f5a8 (0) # Executing section authorize from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "iacollaborative.com <http://iacollaborative.com/>" for User-Name = "dward@iacollaborative.com <mailto:dward@iacollaborative.com>" (0) suffix: No such realm "iacollaborative.com <http://iacollaborative.com/>" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> dward@iacollaborative.com <mailto:dward@iacollaborative.com> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 35 from 127.0.0.1:1812 to 127.0.0.1:62745 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 35 with timestamp +13 Ready to process requests
###########################################
—Douglas
On Jan 18, 2018, at 2:57 PM, Alan Buxey <alan.buxey@gmail.com <mailto:alan.buxey@gmail.com>> wrote:
provide full debug not the bits that interest you (as noted, you are new to this and so without understanding all the minutae of details only providing minimal (and wrong bits) of output we end up playing a guessing game)
note that some of the stuff in the virtual servers is older - and in fact, pre-fixed with a warning. if you read the ldap module you will find further instruction eg
# Note: set_auth_type was removed in v3.x.x # Equivalent functionality can be achieved by adding the following # stanza to the authorize {} section of your virtual server. # # ldap # if ((ok || updated) && User-Password) { # update { # control:Auth-Type := ldap # } # }
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
and that “authorize” section is in my ‘default’ file I believe. And that I haven’t made any changes to. And the “ldap” section has the “-“ in front of it, as the radiusd.conf file recommends... # # The ldap module reads passwords from the LDAP database. -ldap … —Douglas
On Jan 18, 2018, at 3:21 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
not seeing any ldap action in your authorize section yet...
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I’m still having issues. I went ahead and completely blew away my whole FreeRADIUS install, and re-installed it. I went through the whole “Getting Started” successfully again, connected successfully using RADIUS from an iOS device using the testing / password user in the local database, per the getting started example. Then I went and edited the ‘ldap’ module, adding only the following: server = (my LDAP server hostname) base_dn = (my server’s base DN) identity = (using my version of the example 'cn=admin,dc=example,dc=org’) password = (mypass) after successfully restarting the debug server with no errors, I did a radtest for a known good user, and got… ########################################## Ready to process requests (0) Received Access-Request Id 153 from 127.0.0.1:62899 to 127.0.0.1:1812 length 111 (0) User-Name = "dward@iacollaborative.com" (0) User-Password = "[EDITED OUT]" (0) NAS-IP-Address = 172.16.172.19 (0) NAS-Port = 0 (0) Message-Authenticator = 0x826d986e5c3996e96136f858b88b42e6 (0) # Executing section authorize from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "iacollaborative.com" for User-Name = "dward@iacollaborative.com" (0) suffix: No such realm "iacollaborative.com" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> dward@iacollaborative.com (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 153 from 127.0.0.1:1812 to 127.0.0.1:62899 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 153 with timestamp +10 Ready to process requests ########################################## So I’m not sure what else I should be doing. —Douglas
On Jan 18, 2018, at 3:31 PM, Douglas C Ward <douglas@ugutech.com> wrote:
and that “authorize” section is in my ‘default’ file I believe. And that I haven’t made any changes to. And the “ldap” section has the “-“ in front of it, as the radiusd.conf file recommends...
# # The ldap module reads passwords from the LDAP database. -ldap
…
—Douglas
On Jan 18, 2018, at 3:21 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
not seeing any ldap action in your authorize section yet...
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, 2018-01-18 at 16:25 -0600, Douglas C Ward wrote:
So I’m not sure what else I should be doing.
Have you created a symlink in raddb/mods-enabled/ldap -> ../mods- available/ldap ? Doesn't look like ldap is being called, though without full debug output it's hard to tell what's happening. (The full debug output starts from the top, not from where a packet arrives.) Recommend you put your config in git or some other VCS. It'll make it much easier tracking what you have/haven't changed, and able to roll back without doing a complete reinstall. -- Matthew
Hi Matthew, there was no such symlink, so I created it. That seemed to get me further… now I am getting… (1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details. … but both the errors suggestion were already set. But at least it talked to my LDAP server, and I’m seeing… rlm_ldap (ldap): Bind successful … so I feel Im close. Thanks for the help so far. —Douglas
On Jan 18, 2018, at 4:29 PM, Matthew Newton <mcn@freeradius.org> wrote:
On Thu, 2018-01-18 at 16:25 -0600, Douglas C Ward wrote:
So I’m not sure what else I should be doing.
Have you created a symlink in raddb/mods-enabled/ldap -> ../mods- available/ldap ?
Doesn't look like ldap is being called, though without full debug output it's hard to tell what's happening. (The full debug output starts from the top, not from where a packet arrives.)
Recommend you put your config in git or some other VCS. It'll make it much easier tracking what you have/haven't changed, and able to roll back without doing a complete reinstall.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
here’s the full debug, along with the results of my radtest (passwords removed to protect the innocent)… ##################################################################################### testserver:Cellar testadmin$ sudo radiusd -X FreeRADIUS Version 3.0.15 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/Cellar/freeradius-server/3.0.15/share/freeradius/dictionary including dictionary file /usr/local/Cellar/freeradius-server/3.0.15/share/freeradius/dictionary.dhcp including dictionary file /usr/local/Cellar/freeradius-server/3.0.15/share/freeradius/dictionary.vqp including dictionary file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/dictionary including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/radiusd.conf including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/proxy.conf including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/clients.conf including files in directory /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/ including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/eap including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/echo including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/utf8 including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/ldap including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/digest including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/date including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/pap including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/expr including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/linelog including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/unix including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/dhcp including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/exec including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/files including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/replicate including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/chap including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/unpack including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/logintime including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/expiration including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/soh including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/mschap including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/passwd including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm including files in directory /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/ including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/accounting including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/eap including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/canonicalization including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/dhcp including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/cui including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/filter including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/operator-name including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/control including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/policy.d/debug including files in directory /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/ including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default including configuration file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local/Cellar/freeradius-server/3.0.15" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local/Cellar/freeradius-server/3.0.15" localstatedir = "/usr/local/var" sbindir = "/usr/local/Cellar/freeradius-server/3.0.15/bin" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/radiusd" libdir = "/usr/local/Cellar/freeradius-server/3.0.15/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/Cellar/freeradius-server/3.0.15/bin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client new { ipaddr = 172.16.172.102 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_detail # Loading module "auth_log" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_eap # Loading module "eap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/utf8 # Loaded module rlm_ldap # Loading module "ldap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/ldap ldap { server = "ldap.us.onelogin.com" identity = "cn=admin@iacollaborative.com,dc=iacollaborative,dc=onelogin,dc=com" password = <<< secret >>> sasl { } user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_attribute = "memberOf" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=iacollaborative,dc=onelogin,dc=com" } profile { } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } Creating attribute LDAP-Group # Loaded module rlm_always # Loading module "reject" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/digest # Loaded module rlm_date # Loading module "date" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_pap # Loading module "pap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_expr # Loading module "expr" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/linelog linelog { filename = "/usr/local/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/usr/local/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loading module "detail" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail detail { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_dhcp # Loading module "dhcp" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/dhcp # Loading module "ntlm_auth" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loading module "exec" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_files # Loading module "files" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/files files { filename = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/replicate # Loaded module rlm_chap # Loading module "chap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/chap # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/unpack # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/expiration # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_soh # Loading module "soh" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/usr/local/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no use_open_directory = yes } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } instantiate { } # Instantiating module "auth_log" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/certs/server.pem" certificate_file = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/certs/server.pem" ca_file = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "ldap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/ldap rlm_ldap: libldap vendor: OpenLDAP, version: 20428 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.us.onelogin.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.us.onelogin.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.us.onelogin.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.us.onelogin.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.us.onelogin.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Instantiating module "reject" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/always # Instantiating module "preprocess" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/preprocess/hints # Instantiating module "pap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/pap # Instantiating module "linelog" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/linelog # Instantiating module "detail" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/detail # Instantiating module "attr_filter.post-proxy" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/access_reject [/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "files" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/files reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-config/files/pre-proxy # Instantiating module "logintime" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/logintime # Instantiating module "expiration" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/expiration # Instantiating module "cache_eap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "mschap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "etc_passwd" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "IPASS" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/realm } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 64774 Listening on proxy address :: port 64775 Ready to process requests (0) Received Access-Request Id 151 from 127.0.0.1:56756 to 127.0.0.1:1812 length 111 (0) User-Name = "dward@iacollaborative.com" (0) User-Password = "(EDITED-FOR-SECURITY)" (0) NAS-IP-Address = 172.16.172.19 (0) NAS-Port = 0 (0) Message-Authenticator = 0x3166971ce9bb0ba6d8b7d5cf4d82cef8 (0) # Executing section authorize from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "iacollaborative.com" for User-Name = "dward@iacollaborative.com" (0) suffix: No such realm "iacollaborative.com" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=dward@iacollaborative.com) (0) ldap: Performing search in "dc=iacollaborative,dc=onelogin,dc=com" with filter "(uid=dward@iacollaborative.com)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details. rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.us.onelogin.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = fail (0) } # authorize = fail (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> dward@iacollaborative.com (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 151 from 127.0.0.1:1812 to 127.0.0.1:56756 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 151 with timestamp +13 Ready to process requests ##################################################################################### —Douglas
On Jan 18, 2018, at 4:43 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Hi Matthew,
there was no such symlink, so I created it. That seemed to get me further… now I am getting…
(1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
… but both the errors suggestion were already set. But at least it talked to my LDAP server, and I’m seeing…
rlm_ldap (ldap): Bind successful
… so I feel Im close. Thanks for the help so far.
—Douglas
On Jan 18, 2018, at 4:29 PM, Matthew Newton <mcn@freeradius.org> wrote:
On Thu, 2018-01-18 at 16:25 -0600, Douglas C Ward wrote:
So I’m not sure what else I should be doing.
Have you created a symlink in raddb/mods-enabled/ldap -> ../mods- available/ldap ?
Doesn't look like ldap is being called, though without full debug output it's hard to tell what's happening. (The full debug output starts from the top, not from where a packet arrives.)
Recommend you put your config in git or some other VCS. It'll make it much easier tracking what you have/haven't changed, and able to roll back without doing a complete reinstall.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 18, 2018, at 5:57 PM, Douglas C Ward <douglas@ugutech.com> wrote:
here’s the full debug, along with the results of my radtest (passwords removed to protect the innocent)…
...
# Loaded module rlm_ldap # Loading module "ldap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/ldap ldap { server = "ldap.us.onelogin.com" identity = "cn=admin@iacollaborative.com,dc=iacollaborative,dc=onelogin,dc=com" password = <<< secret >>>
Does that account have permission to read the user entries in LDAP?
... (0) ldap: Performing search in "dc=iacollaborative,dc=onelogin,dc=com" with filter "(uid=dward@iacollaborative.com)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
That message has been cleaned up in 3.0.16. It only applies to Active Directory. So if you're not running Active Directory, the message indicates an error, but the wrong solution. What it really means is that FreeRADIUS queried LDAP for the user, and got a weird "operations error" in response. This has one meaning in Active Directory. It has a different meaning for other LDAP servers. So... the solution is to ensure that you're (a) using the right identity to query LDAP, and (b) you're querying the right part of the LDAP tree. While the error *is* being shown to you by FreeRADIUS, it's the LDAP server that is choosing to deny FreeRADIUS access. So you somehow have to convince FreeRADIUS to send LDAP the right magic so that LDAP lets you in. Alan DeKok.
Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-... <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn> where it specifies… Host name ldap.us.onelogin.com Port 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. Base DN dc=<subdomain>,dc=onelogin,dc=com User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com User's Password Password value. And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here. Just curious, what would the error message say if I was on 3.0.16? —Douglas
On Jan 18, 2018, at 7:11 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 18, 2018, at 5:57 PM, Douglas C Ward <douglas@ugutech.com> wrote:
here’s the full debug, along with the results of my radtest (passwords removed to protect the innocent)…
...
# Loaded module rlm_ldap # Loading module "ldap" from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/ldap ldap { server = "ldap.us.onelogin.com" identity = "cn=admin@iacollaborative.com,dc=iacollaborative,dc=onelogin,dc=com" password = <<< secret >>>
Does that account have permission to read the user entries in LDAP?
... (0) ldap: Performing search in "dc=iacollaborative,dc=onelogin,dc=com" with filter "(uid=dward@iacollaborative.com)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
That message has been cleaned up in 3.0.16. It only applies to Active Directory. So if you're not running Active Directory, the message indicates an error, but the wrong solution.
What it really means is that FreeRADIUS queried LDAP for the user, and got a weird "operations error" in response. This has one meaning in Active Directory. It has a different meaning for other LDAP servers.
So... the solution is to ensure that you're (a) using the right identity to query LDAP, and (b) you're querying the right part of the LDAP tree.
While the error *is* being shown to you by FreeRADIUS, it's the LDAP server that is choosing to deny FreeRADIUS access. So you somehow have to convince FreeRADIUS to send LDAP the right magic so that LDAP lets you in.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at
https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-... <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn>
where it specifies… Host name ldap.us.onelogin.com Port 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. Base DN dc=<subdomain>,dc=onelogin,dc=com User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com User's Password Password value.
I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity..
And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here.
Can you try your manual client with the same filter? (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>)? They seem to want to use cn=username@domain rather than uid=username@domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help. If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap. It’s kinda odd to use cn there, but, whatever!
Just curious, what would the error message say if I was on 3.0.16?
If chase_referrals is on, the error is "Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.” -- Nathan Ward
Answers below...
On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at
https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-... <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn>
where it specifies… Host name ldap.us.onelogin.com Port 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. Base DN dc=<subdomain>,dc=onelogin,dc=com User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com User's Password Password value.
I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity..
With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work.
And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here.
Can you try your manual client with the same filter? (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>)?
They seem to want to use cn=username@domain rather than uid=username@domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help.
I tried with substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like like it, saying the credentials are invalid.
If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap.
and I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice. On the OneLogin server, it shows a successful VLDAP login for the admin user admin@iacollaborative.com <mailto:admin@iacollaborative.com> every attempt, but nothing for the dward@ user.
It’s kinda odd to use cn there, but, whatever!
Just curious, what would the error message say if I was on 3.0.16?
If chase_referrals is on, the error is "Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.”
Thank you, good to know. —Douglas
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
Talking to an engineer at OneLogin, their VLDAP server only supports TLS1.1, what TLS version does FreeRADIUS 3.0.15 use by default, and can I force it to use 1.1? —Douglas
On Jan 18, 2018, at 11:33 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Answers below...
On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at
https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-... <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn>
where it specifies… Host name ldap.us.onelogin.com Port 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. Base DN dc=<subdomain>,dc=onelogin,dc=com User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com User's Password Password value.
I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity..
With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work.
And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>>> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here.
Can you try your manual client with the same filter? (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>>)?
They seem to want to use cn=username@domain rather than uid=username@domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help.
I tried with substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like like it, saying the credentials are invalid.
If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap.
and I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice.
On the OneLogin server, it shows a successful VLDAP login for the admin user admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>> every attempt, but nothing for the dward@ user.
It’s kinda odd to use cn there, but, whatever!
Just curious, what would the error message say if I was on 3.0.16?
If chase_referrals is on, the error is "Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.”
Thank you, good to know.
—Douglas
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
I should clarify, the LDAP request doesn’t relate directly to the type of TLS, just asking. They can see the call on their system, and see that it gives a non-informative error. > On Jan 19, 2018, at 9:55 AM, Douglas C Ward <douglas@ugutech.com> wrote: > > Talking to an engineer at OneLogin, their VLDAP server only supports TLS1.1, what TLS version does FreeRADIUS 3.0.15 use by default, and can I force it to use 1.1? > > —Douglas > >> On Jan 18, 2018, at 11:33 PM, Douglas C Ward <douglas@ugutech.com <mailto:douglas@ugutech.com>> wrote: >> >> Answers below... >> >>> On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius@daork.net> wrote: >>> >>>> >>>> On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas@ugutech.com> wrote: >>>> >>>> Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at >>>> >>>> https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn> >>>> >>>> where it specifies… >>>> Host name ldap.us.onelogin.com >>>> Port >>>> 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. >>>> 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. >>>> Base DN dc=<subdomain>,dc=onelogin,dc=com >>>> User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com >>>> User's Password >>>> Password value. >>> >>> I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity.. >> >> With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work. >>> >>>> And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/><http://ldapsoft.com/ <http://ldapsoft.com/>>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>>>> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here. >>> >>> Can you try your manual client with the same filter? (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>>>)? >>> >>> They seem to want to use cn=username@domain rather than uid=username@domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help. >> >> I tried with substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like like it, saying the credentials are invalid. >>> >>> If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap. >> >> and I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice. >> >> On the OneLogin server, it shows a successful VLDAP login for the admin user admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>>> every attempt, but nothing for the dward@ user. >> >>> It’s kinda odd to use cn there, but, whatever! >>> >>>> Just curious, what would the error message say if I was on 3.0.16? >>> >>> >>> If chase_referrals is on, the error is "Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.” >> >> Thank you, good to know. >> >> —Douglas >>> >>> -- >>> Nathan Ward >>> >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>> > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
Not that you’re sitting on the edge of your seats, but with OneLogin’s techs, we confirmed that everything is 100% correct in my FreeRADIUS setup, but that there’s some error on their end. They’re digging into it. I’ll post the exciting conclusion so that other people in my situation will know what the fix is. Thanks, —Douglas > On Jan 19, 2018, at 9:55 AM, Douglas C Ward <douglas@ugutech.com> wrote: > > Talking to an engineer at OneLogin, their VLDAP server only supports TLS1.1, what TLS version does FreeRADIUS 3.0.15 use by default, and can I force it to use 1.1? > > —Douglas > >> On Jan 18, 2018, at 11:33 PM, Douglas C Ward <douglas@ugutech.com <mailto:douglas@ugutech.com>> wrote: >> >> Answers below... >> >>> On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius@daork.net> wrote: >>> >>>> >>>> On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas@ugutech.com> wrote: >>>> >>>> Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at >>>> >>>> https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn> >>>> >>>> where it specifies… >>>> Host name ldap.us.onelogin.com >>>> Port >>>> 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. >>>> 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. >>>> Base DN dc=<subdomain>,dc=onelogin,dc=com >>>> User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com >>>> User's Password >>>> Password value. >>> >>> I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity.. >> >> With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work. >>> >>>> And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/><http://ldapsoft.com/ <http://ldapsoft.com/>>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>>>> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here. >>> >>> Can you try your manual client with the same filter? (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>>>)? >>> >>> They seem to want to use cn=username@domain rather than uid=username@domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help. >> >> I tried with substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like like it, saying the credentials are invalid. >>> >>> If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap. >> >> and I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice. >> >> On the OneLogin server, it shows a successful VLDAP login for the admin user admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>>> every attempt, but nothing for the dward@ user. >> >>> It’s kinda odd to use cn there, but, whatever! >>> >>>> Just curious, what would the error message say if I was on 3.0.16? >>> >>> >>> If chase_referrals is on, the error is "Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.” >> >> Thank you, good to know. >> >> —Douglas >>> >>> -- >>> Nathan Ward >>> >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>> > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On Jan 19, 2018, at 10:55 AM, Douglas C Ward <douglas@ugutech.com> wrote:
Talking to an engineer at OneLogin, their VLDAP server only supports TLS1.1, what TLS version does FreeRADIUS 3.0.15 use by default, and can I force it to use 1.1?
FreeRADIUS uses whatever is implemented by OpenSSL on your system. Unless you're running something 10 years old, it *should* support TLS 1.1, and it *should* auto-negotiate. Alan DeKok.
hi, if a command line tool such as ldapsearch works, you just need to implement the correct filter arguments into your ldap config - ie get ldapsearch wokring with the connection and user and then configure freeradius ldap the same. alan
On 19/01/2018, at 6:33 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Answers below...
On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at
https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-... <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn>
where it specifies… Host name ldap.us.onelogin.com Port 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. Base DN dc=<subdomain>,dc=onelogin,dc=com User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com User's Password Password value.
I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity..
With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work.
Great.
And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>>> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here.
Can you try your manual client with the same filter? (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com> <mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com> <mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>>)?
They seem to want to use cn=username@domain rather than uid=username@domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help.
I tried with substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like like it, saying the credentials are invalid.
I don’t really know what you’re putting in to that "LDAP Admin Tool” so I can’t say for sure, but it sounds like you’re changing the bind credentials rather than the filter, which is not what I said to do. The admin binding is working fine - we can see this from your logs. This means that your cn=admin@whatever authentication is fine. To avoid confusion, let’s avoid that LDAP Admin Tool thing as GUIs are terrible for communicating this sort of thing. Run these commands - they will prompt for the password for your *admin* user - NOT for the dward user: $ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=admin@iacollaborative.com,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(uid=dward@iacollaborative.com)’ $ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=admin@iacollaborative.com,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' ‘(cn=dward@iacollaborative.com)' What you are looking for here is a successful response - I suspect the second will return 1 result, the first will return 0 results (but not an error). Please paste the results of BOTH of these commands here.
If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap.
and I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice.
On the OneLogin server, it shows a successful VLDAP login for the admin user admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>> every attempt, but nothing for the dward@ user.
What *should* happen, is the admin user will perform a search using the filter to find an appropriate DN. Then, that DN is used for a new bind (LDAP login) with the supplied password. In your case, the search for that DN does not appear to be completing. With the output of the above ldap search commands, you can do subsequent binds as the DN returned by the search - but let’s get the ldapsearches working first. -- Nathan Ward
Hi Nathan, Results are posted below...
On Jan 19, 2018, at 7:16 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 19/01/2018, at 6:33 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Answers below...
On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas@ugutech.com> wrote:
Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at
https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-... <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn>
where it specifies… Host name ldap.us.onelogin.com Port 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. Base DN dc=<subdomain>,dc=onelogin,dc=com User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com User's Password Password value.
I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity..
With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work.
Great.
And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/><http://ldapsoft.com/ <http://ldapsoft.com/>>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>>>> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here.
Can you try your manual client with the same filter? (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>> <mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>> <mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>>>)?
They seem to want to use cn=username@domain rather than uid=username@domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help.
I tried with substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like like it, saying the credentials are invalid.
I don’t really know what you’re putting in to that "LDAP Admin Tool” so I can’t say for sure, but it sounds like you’re changing the bind credentials rather than the filter, which is not what I said to do.
The admin binding is working fine - we can see this from your logs. This means that your cn=admin@whatever authentication is fine.
To avoid confusion, let’s avoid that LDAP Admin Tool thing as GUIs are terrible for communicating this sort of thing. Run these commands - they will prompt for the password for your *admin* user - NOT for the dward user:
$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>)’
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=admin@iacollaborative.com,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(uid=dward@iacollaborative.com)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (uid=dward@iacollaborative.com) # requesting: ALL # # search result search: 2 result: 1 Operations error matchedDN: DC=OneLogin # numResponses: 1
$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' ‘(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)’
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=admin@iacollaborative.com,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (cn=dward@iacollaborative.com) # requesting: ALL # # dward@iacollaborative.com, users, iacollaborative.onelogin.com dn: cn=dward@iacollaborative.com, ou=users, dc=iacollaborative, dc=onelogin, d c=com gidNumber: 113412 cn: dward@iacollaborative.com mail: dward@iacollaborative.com loginShell: /bin/bash homeDirectory: /Users/dward@iacollaborative.com givenName: Douglas uid: 35638419 surname: Ward username: dward@iacollaborative.com name: Douglas Ward objectClass: top objectClass: inetOrgPerson objectClass: ldapsubentry objectClass: subentry uidNumber: 35638419 memberOf: cn=staff,cn=groups,dc=iacollaborative,dc=onelogin,dc=com memberOf: cn=All Staff,cn=roles,dc=iacollaborative,dc=onelogin,dc=com memberOf: cn=IA Employees,cn=roles,dc=iacollaborative,dc=onelogin,dc=com samaccountname: # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
What you are looking for here is a successful response - I suspect the second will return 1 result, the first will return 0 results (but not an error). Please paste the results of BOTH of these commands here.
If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap.
and I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice.
On the OneLogin server, it shows a successful VLDAP login for the admin user admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>>> every attempt, but nothing for the dward@ user.
What *should* happen, is the admin user will perform a search using the filter to find an appropriate DN. Then, that DN is used for a new bind (LDAP login) with the supplied password. In your case, the search for that DN does not appear to be completing.
With the output of the above ldap search commands, you can do subsequent binds as the DN returned by the search - but let’s get the ldapsearches working first.
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On 22/01/2018, at 7:30 AM, Douglas C Ward <douglas@ugutech.com> wrote:
Hi Nathan,
Results are posted below…
<blah>
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>) # requesting: ALL #
# search result search: 2 result: 1 Operations error matchedDN: DC=OneLogin
# numResponses: 1
$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> <http://ldap.us.onelogin.com/ <http://ldap.us.onelogin.com/>> -x -D 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com><mailto:cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>>,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' ‘(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com> <mailto:cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>>)’
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>) # requesting: ALL #
# dward@iacollaborative.com <mailto:dward@iacollaborative.com>, users, iacollaborative.onelogin.com <http://iacollaborative.onelogin.com/> dn: cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>, ou=users, dc=iacollaborative, dc=onelogin, d c=com gidNumber: 113412 cn: dward@iacollaborative.com <mailto:dward@iacollaborative.com> mail: dward@iacollaborative.com <mailto:dward@iacollaborative.com> loginShell: /bin/bash homeDirectory: /Users/dward@iacollaborative.com <mailto:Users/dward@iacollaborative.com> givenName: Douglas uid: 35638419 surname: Ward username: dward@iacollaborative.com <mailto:dward@iacollaborative.com> name: Douglas Ward objectClass: top objectClass: inetOrgPerson objectClass: ldapsubentry objectClass: subentry uidNumber: 35638419 memberOf: cn=staff,cn=groups,dc=iacollaborative,dc=onelogin,dc=com memberOf: cn=All Staff,cn=roles,dc=iacollaborative,dc=onelogin,dc=com memberOf: cn=IA Employees,cn=roles,dc=iacollaborative,dc=onelogin,dc=com samaccountname:
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
OK, thanks for that. So this tells us several things. 1) Your admin credentials are correct (though we can actually improve this, more later) 2) You need to use “cn=“ and not “uid=“ in the filter. 3) You must do user binds, rather than pull a userPassword attribute from LDAP, as the userPassword attribute is not visible even to the admin. This means that you can only use RADIUS for auth when you have a User-Password attribute - i.e. CHAP etc. will not work. 4) The OneLogin LDAP seems to work OK.. but one more test. This time, type your “dward” password, *not* the admin password. $ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)’ dn The result should have a success in there, and should say somewhere: dn: cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com If so, we have done a successful "User Bind” - these are almost exactly the same protocol steps as FreeRADIUS will do (actually slightly more), which means OneLogin is working great. If not, post the command and response as you did above, and don’t do anything else. If it’s all OK.. In mods-enabled/ldap: identity = 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>,dc=iacollaborative,dc=onelogin,dc=com' password = <cn=admin pass> base_dn = 'dc=iacollaborative,dc=onelogin,dc=com’ user { filter = “(cn=%{%{Stripped-User-Name}:-%{User-Name}})” scope = sub } In your “authorize” section, probably at the end: authorize { <blah blah> if (User-Password) { update control { Auth-Type := ldap } } } Then every request, FreeRADIUS will: 1) As the cn=admin LDAP user do a search with the filter to find a DN matching the user, and return whatever attributes you configure LDAP to search for (i.e. radiusReplyItem etc.). It will not set control:Password-With-Header as there is no userPassword attribute returned from LDAP. 2) If there is a User-Password attribute set (i.e. in the Access-Request), then set Auth-Type to ldap. This will cause FreeRADIUS to do a new auth (bind) to the LDAP server, as the DN found in the above search, using the password that FreeRADIUS has in User-Password. 3) Return accept if the bind is successful. Again - there are 2 LDAP binds here. One as admin & searching for the DN to bind as, another binding as that DN to test the password. Have a crack at that, and if that doesn’t work still, give us a *full* radiusd -X again so we can see the config etc. - don’t just say “no dice” :-) Further things - perhaps when you have the above working: It’s probably not a good idea to use cn=admin. The “bind_dn” only really needs to be an LDAP user who can see the attributes you want to return from LDAP - it does not need to see passwords (and in OneLogin cn=admin can’t, anyway). If you don’t want any attributes, you only need an LDAP user which can search for DNs in the tree. I presume that cn=admin can modify users which is not a great thing to spread around. It’d be ideal if you could create a new “radius” user which can search LDAP but *not* see attributes it shouldn’t need to, and then configure that in place of cn=admin. -- Nathan Ward
On Jan 21, 2018, at 10:41 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
On 22/01/2018, at 7:30 AM, Douglas C Ward <douglas@ugutech.com> wrote:
Hi Nathan,
Results are posted below…
<blah>
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>) # requesting: ALL #
# search result search: 2 result: 1 Operations error matchedDN: DC=OneLogin
# numResponses: 1
$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> <http://ldap.us.onelogin.com/ <http://ldap.us.onelogin.com/>> -x -D 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com><mailto:cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>>,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' ‘(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com> <mailto:cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>>)’
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>) # requesting: ALL #
# dward@iacollaborative.com <mailto:dward@iacollaborative.com>, users, iacollaborative.onelogin.com <http://iacollaborative.onelogin.com/> dn: cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>, ou=users, dc=iacollaborative, dc=onelogin, d c=com gidNumber: 113412 cn: dward@iacollaborative.com <mailto:dward@iacollaborative.com> mail: dward@iacollaborative.com <mailto:dward@iacollaborative.com> loginShell: /bin/bash homeDirectory: /Users/dward@iacollaborative.com <mailto:Users/dward@iacollaborative.com> givenName: Douglas uid: 35638419 surname: Ward username: dward@iacollaborative.com <mailto:dward@iacollaborative.com> name: Douglas Ward objectClass: top objectClass: inetOrgPerson objectClass: ldapsubentry objectClass: subentry uidNumber: 35638419 memberOf: cn=staff,cn=groups,dc=iacollaborative,dc=onelogin,dc=com memberOf: cn=All Staff,cn=roles,dc=iacollaborative,dc=onelogin,dc=com memberOf: cn=IA Employees,cn=roles,dc=iacollaborative,dc=onelogin,dc=com samaccountname:
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
OK, thanks for that.
So this tells us several things. 1) Your admin credentials are correct (though we can actually improve this, more later) 2) You need to use “cn=“ and not “uid=“ in the filter. 3) You must do user binds, rather than pull a userPassword attribute from LDAP, as the userPassword attribute is not visible even to the admin. This means that you can only use RADIUS for auth when you have a User-Password attribute - i.e. CHAP etc. will not work. 4) The OneLogin LDAP seems to work OK.. but one more test.
This time, type your “dward” password, *not* the admin password. $ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)’ dn
The result should have a success in there, and should say somewhere: dn: cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com
If so, we have done a successful "User Bind” - these are almost exactly the same protocol steps as FreeRADIUS will do (actually slightly more), which means OneLogin is working great. If not, post the command and response as you did above, and don’t do anything else.
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)’ dn
<blah blah blah> ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)’ dn -bash: syntax error near unexpected token `(' testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' dn Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (cn=dward@iacollaborative.com) # requesting: dn #
# dward@iacollaborative.com, users, iacollaborative.onelogin.com dn: cn=dward@iacollaborative.com, ou=users, dc=iacollaborative, dc=onelogin, d c=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ————— So I see that the dn= result you anticipated is there, but the result still says “result: 0 success” . Let me know if I should try it with the ldap config edit. —Douglas
If it’s all OK..
In mods-enabled/ldap:
identity = 'cn=admin@iacollaborative.com <mailto:cn=admin@iacollaborative.com>,dc=iacollaborative,dc=onelogin,dc=com' password = <cn=admin pass> base_dn = 'dc=iacollaborative,dc=onelogin,dc=com’
user { filter = “(cn=%{%{Stripped-User-Name}:-%{User-Name}})” scope = sub }
In your “authorize” section, probably at the end: authorize { <blah blah> if (User-Password) { update control { Auth-Type := ldap } } }
Then every request, FreeRADIUS will: 1) As the cn=admin LDAP user do a search with the filter to find a DN matching the user, and return whatever attributes you configure LDAP to search for (i.e. radiusReplyItem etc.). It will not set control:Password-With-Header as there is no userPassword attribute returned from LDAP. 2) If there is a User-Password attribute set (i.e. in the Access-Request), then set Auth-Type to ldap. This will cause FreeRADIUS to do a new auth (bind) to the LDAP server, as the DN found in the above search, using the password that FreeRADIUS has in User-Password. 3) Return accept if the bind is successful.
Again - there are 2 LDAP binds here. One as admin & searching for the DN to bind as, another binding as that DN to test the password.
Have a crack at that, and if that doesn’t work still, give us a *full* radiusd -X again so we can see the config etc. - don’t just say “no dice” :-)
Further things - perhaps when you have the above working:
It’s probably not a good idea to use cn=admin. The “bind_dn” only really needs to be an LDAP user who can see the attributes you want to return from LDAP - it does not need to see passwords (and in OneLogin cn=admin can’t, anyway). If you don’t want any attributes, you only need an LDAP user which can search for DNs in the tree. I presume that cn=admin can modify users which is not a great thing to spread around.
It’d be ideal if you could create a new “radius” user which can search LDAP but *not* see attributes it shouldn’t need to, and then configure that in place of cn=admin.
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
On 24/01/2018, at 3:35 AM, Douglas C Ward <douglas@ugutech.com> wrote:
On Jan 21, 2018, at 10:41 PM, Nathan Ward <lists+freeradius@daork.net <mailto:lists+freeradius@daork.net>> wrote:
OK, thanks for that.
So this tells us several things. 1) Your admin credentials are correct (though we can actually improve this, more later) 2) You need to use “cn=“ and not “uid=“ in the filter. 3) You must do user binds, rather than pull a userPassword attribute from LDAP, as the userPassword attribute is not visible even to the admin. This means that you can only use RADIUS for auth when you have a User-Password attribute - i.e. CHAP etc. will not work. 4) The OneLogin LDAP seems to work OK.. but one more test.
This time, type your “dward” password, *not* the admin password. $ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)’ dn
The result should have a success in there, and should say somewhere: dn: cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com
If so, we have done a successful "User Bind” - these are almost exactly the same protocol steps as FreeRADIUS will do (actually slightly more), which means OneLogin is working great. If not, post the command and response as you did above, and don’t do anything else.
testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)’ dn
<blah blah blah> ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)’ dn -bash: syntax error near unexpected token `(' testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D 'cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)' dn Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree # filter: (cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>) # requesting: dn #
# dward@iacollaborative.com <mailto:dward@iacollaborative.com>, users, iacollaborative.onelogin.com <http://iacollaborative.onelogin.com/> dn: cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>, ou=users, dc=iacollaborative, dc=onelogin, d c=com
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
—————
So I see that the dn= result you anticipated is there, but the result still says “result: 0 success” . Let me know if I should try it with the ldap config edit.
Yeah so that result: 0 Success is referring to the return code of the search function. It is 0, which in most C APIs means “success”. You should be able to make the other stuff work, per the rest of my email. Let me know how you get on :-) -- Nathan Ward
participants (6)
-
Alan Buxey -
Alan DeKok -
Douglas C Ward -
Douglas Ward -
Matthew Newton -
Nathan Ward