Freeradius - LDAP - Active Directory
hi at all my system: Debian Sarge 3.1 Kernel 2.6.8 i installed the following software with apt-get apache-ssl 1.3.34-1 php4 php4-mysql mysql 4.1.14 openssl 0.9.8a-3 openldap stable 2.3.11 2005-10-18 [compiled] freeradius 1.0.5-2 freeradius-ldap 1.0.5-2 freeradius-mysql 1.0.5-2 freeradius-krb5 1.0.5-2 ---------------------------- i have a lot of problems with freeradius... i would like to authenticate my users from AP via AD. only the user which is member of a specific group should become access. *my ldap.conf* deref never referrals no i tried to authenticate but i become following error: rad_recv: Access-Request packet from host 192.168.184.26:22381, id=13, length=57 User-Name = "wuser" User-Password = "wuser" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "my.dom" for User-Name = "wuser" rlm_realm: No such realm "my.dom" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'dc=my,dc=dom' radius_xlat: '(&(sAMAccountname=wuser)(objectClass=person))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to myserver.my.dom:389, authentication 0 rlm_ldap: bind as cn=ldapuser,cn=Users,dc=my,dc=dom/ldapuser to myserver.my.dom:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=my,dc=dom, with filter (&(sAMAccountname=wuser)(objectClass=person)) rlm_ldap: ldap_search() failed: Operations error rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for wuser radius_xlat: '(&(sAMAccountname=wuser)(objectClass=person))' radius_xlat: 'dc=my,dc=dom' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to myserver.my.dom:389, authentication 0 rlm_ldap: bind as cn=ldapuser,cn=Users,dc=my,dc=dom/ldapuser to myserver.my.dom:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=my,dc=dom, with filter (&(sAMAccountname=wuser)(objectClass=person)) rlm_ldap: ldap_search() failed: Operations error rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 0 modcall: group authorize returns fail for request 0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 13 with timestamp 4381a433 Nothing to do. Sleeping until we see a request. -------------------- *users* DEFAULT Auth-Type = System Fall-Through = 1, Reply-Message = "System Logon" DEFAULT Ldap-Group == "wireless", Auth-Type :=LDAP Fall-Through = Yes, Reply-Message = "LDAP Logon" DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes -------------------- *radiusd.conf* prefix = /usr exec_prefix = /usr sysconfdir = /etc domstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${domstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius user = freerad group = freerad max_requests = 1024 hostname_lookups = no # Core dumps are a bad thing. This should only be set to 'yes' # if you're debugging a problem with the server. # # allowed values: {no, yes} # allow_core_dumps = no log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf modules { pap { encryption_scheme = md5 } chap { authtype = CHAP } unix { cache = no cache_reload = 600 passwd = /etc/passwd # shadow = /etc/shadow # group = /etc/group radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP } ldap { server = "myserver.my.dom" identity = "cn=ldapuser,cn=Users,dc=my,dc=dom" password = ldapuser basedn = "dc=my,dc=dom" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))" start_tls = no #access_attr = "dialupAccess" access_attr = "memberOf" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } # 'username@realm' # realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } # 'username%realm' # realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{Stripped-User-Name:-%{User-Name}} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } authorize { preprocess chap mschap suffix eap files # sql ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp # sql } session { radutmp # sql } post-auth { ldap } pre-proxy { } post-proxy { eap } i would like to connect to my AD from remote w2k3 server. but i receive only following:
hi i found the problem... *before* basedn = "dc=my,dc=dom" # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 *after, now it goes* basedn = "ou=wireless,dc=my,dc=dom" groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = memberOf timeout = 40 timelimit = 30 net_timeout = 10 thx
participants (1)
-
Konne