Access permissions FreeRadius-Google LDAP failed
I am trying to figure out what could be causing this issue with FreeRadius and Google LDAP. I am getting a few errors when FreeRadius is trying to search for the user. I bolded the Error spots. I have tried multiple different username and password combos in the LDAP section, even tried it without. The accounts I have tested with have Super admin access and then I have triple checked the info when it's the Google LDAP credentials. (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "foundationacademy.net" for User-Name = "benjamin.diehl@foundationacademy.net" (2) suffix: Found realm "foundationacademy.net" (2) suffix: Adding Stripped-User-Name = "benjamin.diehl" (2) suffix: Adding Realm = "foundationacademy.net" (2) suffix: Proxying request from user benjamin.diehl to realm foundationacademy.net (2) suffix: Preparing to proxy authentication request to realm "foundationacademy.net" (2) [suffix] = updated (2) eap: Request is supposed to be proxied to Realm foundationacademy.net. Not doing EAP. (2) [eap] = noop (2) [files] = noop rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 60839 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 60839 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (8), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (8) (2) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (uid=benjamin.diehl) (2) ldap: Performing search in "dn=foundationacademy,dc=net" with filter "(uid=benjamin.diehl)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: ERROR: Failed performing search: Insufficient access. Check the identity and password configuration directives rlm_ldap (ldap): Released connection (8) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (9), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful (2) [ldap] = fail (2) } # authorize = fail (2) Invalid user (ldap: Failed performing search: Insufficient access. Check the identity and password configuration directives): [benjamin.diehl@foundationacademy.net] (from client localhost port 0 cli 50-E0-85-F7-E2-0C)
On 05/10/2021 13:16, Benjamin Diehl wrote:
rlm_ldap (ldap): Reserved connection (8) (2) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (uid=benjamin.diehl) (2) ldap: Performing search in "dn=foundationacademy,dc=net" with filter "(uid=benjamin.diehl)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: ERROR: Failed performing search: Insufficient access. Check the identity and password configuration directives
Seems pretty clear. Check the exact same search works with ldapsearch. When it does, take the options that work there and put them into the FR config. -- Matthew
When I do so it does not return any “dn” info. On Oct 5, 2021, 8:27 AM -0400, Matthew Newton <mcn@freeradius.org>, wrote:
On 05/10/2021 13:16, Benjamin Diehl wrote:
rlm_ldap (ldap): Reserved connection (8) (2) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (uid=benjamin.diehl) (2) ldap: Performing search in "dn=foundationacademy,dc=net" with filter "(uid=benjamin.diehl)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: ERROR: Failed performing search: Insufficient access. Check the identity and password configuration directives
Seems pretty clear.
Check the exact same search works with ldapsearch. When it does, take the options that work there and put them into the FR config.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
root@FreeRadius:~# LDAPTLS_CERT=/etc/freeradius/3.0/certs/ldap-client.crt LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key \ldapsearch -H ldaps://ldap.google.com:636 \ -b dc=foundationacademy,dc=net '(mail='benjamin.diehl@foundationacademy.net')' SASL/EXTERNAL authentication started SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain View,o=Google Inc. SASL SSF: 0 # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: (objectclass=*) # requesting: -b dc=foundationacademy,dc=net (mail=benjamin.diehl@foundationacademy.net) # # dn: # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 On Oct 5, 2021, 8:27 AM -0400, Matthew Newton <mcn@freeradius.org>, wrote:
On 05/10/2021 13:16, Benjamin Diehl wrote:
rlm_ldap (ldap): Reserved connection (8) (2) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (uid=benjamin.diehl) (2) ldap: Performing search in "dn=foundationacademy,dc=net" with filter "(uid=benjamin.diehl)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: ERROR: Failed performing search: Insufficient access. Check the identity and password configuration directives
Seems pretty clear.
Check the exact same search works with ldapsearch. When it does, take the options that work there and put them into the FR config.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi All, Besides a username and password, are there other mechanisms that an authenticator can use to authenticate to FreeRADIUS ? Thanks! Randy
There appears to be numerous modules for allowing RADIUS clients to authenticate in any number of ways…but I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS… R. From: Freeradius-Users <freeradius-users-bounces+randy.turner=landisgyr.com@lists.freeradius.org> on behalf of Turner, Randy <Randy.Turner@landisgyr.com> Date: Tuesday, October 5, 2021 at 9:21 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Authenticator -to- RADIUS connection Hi All, Besides a username and password, are there other mechanisms that an authenticator can use to authenticate to FreeRADIUS ? Thanks! Randy - List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=04%7C01%7Crandy.turner%40landisgyr.com%7Cfa095f6c848443158d5108d98802f538%7Cee2cd48b958f4be49852b8f104c001b9%7C0%7C0%7C637690369141650238%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Ft%2FdqCmh3NG0HTHUXubgP3HXbDTO0gsSEICpfJCeaO8%3D&reserved=0
On Oct 5, 2021, at 9:29 AM, Turner, Randy <Randy.Turner@landisgyr.com> wrote:
There appears to be numerous modules for allowing RADIUS clients to authenticate in any number of ways…but I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…
For the simple reason that it's impossible. How does a web server control whether the browser does GET / POST / whatever? How does a DNS server control whether the client asks for an A / AAA / NS record? It doesn't. It's impossible. FreeRADIUS supports PAP, CHAP, MS-CHAP, HTTP Digest, EAP, etc. All of this is documented. There is simply no way (outside of very narrow situations) for the server to tell the client "use CHAP and not PAP". Alan DeKok.
I guess I was thinking about using mutual TLS for the authenticator to authenticate itself to the FreeRADIUS server…rather than a username and password.. R. From: Freeradius-Users <freeradius-users-bounces+randy.turner=landisgyr.com@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Date: Tuesday, October 5, 2021 at 9:33 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authenticator -to- RADIUS connection On Oct 5, 2021, at 9:29 AM, Turner, Randy <Randy.Turner@landisgyr.com> wrote:
There appears to be numerous modules for allowing RADIUS clients to authenticate in any number of ways…but I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…
For the simple reason that it's impossible. How does a web server control whether the browser does GET / POST / whatever? How does a DNS server control whether the client asks for an A / AAA / NS record? It doesn't. It's impossible. FreeRADIUS supports PAP, CHAP, MS-CHAP, HTTP Digest, EAP, etc. All of this is documented. There is simply no way (outside of very narrow situations) for the server to tell the client "use CHAP and not PAP". Alan DeKok. - List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=04%7C01%7Crandy.turner%40landisgyr.com%7C3889accc6d6b4e9ed30608d98804c89f%7Cee2cd48b958f4be49852b8f104c001b9%7C0%7C0%7C637690376396083630%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=1dDpETnEo3kFL0zjvgDPvy5ApwOoLaC2FxQv%2BPIdsXo%3D&reserved=0
On Oct 5, 2021, at 9:36 AM, Turner, Randy <Randy.Turner@landisgyr.com> wrote:
I guess I was thinking about using mutual TLS for the authenticator to authenticate itself to the FreeRADIUS server…rather than a username and password..
If you look at the examples and documentation, there's EAP-TLS. If the authenticator doesn't support EAP, then it's impossible. And PLEASE ask good questions. It's frustrating to get told on the THIRD MESSAGE "Oh, something like TLS". Playing "peek a boo" with information is not productive. Alan DeKok.
I wasn’t playing peek-a-boo and I didn’t use the phrase “like TLS’, my first question was pretty straightforward. We were just trying to understand if we could use something other than a username/password for the authenticator to authenticate to RADIUS. From: Freeradius-Users <freeradius-users-bounces+randy.turner=landisgyr.com@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Date: Tuesday, October 5, 2021 at 9:41 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authenticator -to- RADIUS connection On Oct 5, 2021, at 9:36 AM, Turner, Randy <Randy.Turner@landisgyr.com> wrote:
I guess I was thinking about using mutual TLS for the authenticator to authenticate itself to the FreeRADIUS server…rather than a username and password..
If you look at the examples and documentation, there's EAP-TLS. If the authenticator doesn't support EAP, then it's impossible. And PLEASE ask good questions. It's frustrating to get told on the THIRD MESSAGE "Oh, something like TLS". Playing "peek a boo" with information is not productive. Alan DeKok. - List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=04%7C01%7Crandy.turner%40landisgyr.com%7Cb54fed4ed8cf45277eae08d98805d52d%7Cee2cd48b958f4be49852b8f104c001b9%7C0%7C0%7C637690380897334767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ZOw7YNQFuTNc%2FDqcDEYvedMImy2HEf5UPwwPHUVqSvU%3D&reserved=0
On 05/10/2021 14:51, Turner, Randy wrote:
I wasn’t playing peek-a-boo and I didn’t use the phrase “like TLS’, my first question was pretty straightforward. We were just trying to understand if we could use something other than a username/password for the authenticator to authenticate to RADIUS.
The problem is that is just far too vague. For example, what authenticator for a start? That has a huge implication as to what you can use. As an answer to the question, yes there are. -- Matthew
On Oct 5, 2021, at 9:51 AM, Turner, Randy <Randy.Turner@landisgyr.com> wrote:
I wasn’t playing peek-a-boo and I didn’t use the phrase “like TLS’, my first question was pretty straightforward.
It was vague, and based on a vague / incorrect understanding of how RADIUS works. i.e. " I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…" Because RADIUS doesn't work that way. This should be a hint... there is no way to do X, because X is impossible. When you ask questions based on wrong assumptions, it it's very difficult to answer the questions, for example: Q: How do I add pumpkins to my cars gas tank A: Huh? that makes no sense At which point people usually get angry and say "I'm just asking a simple question, why can't you answer it?"
We were just trying to understand if we could use something other than a username/password for the authenticator to authenticate to RADIUS.
The documentation has a long list of authentication methods it supports, as you found. Which answers your question. But in the end, none of this matters. "I want to use TLS" is not a useful requirement. Because what matters is what the client / end-user device supports. Can you do PAP over WiFi? No, it's impossible. Can you do EAP-TLS in some situations? No, it's not always possible. If you want to use a different authentication type, then read the documentation for the RADIUS client and/or the end user device. See what they support, and the configure them to use your favourite authentication type. Asking if "FreeRADIUS" supports it is completely backwards. FreeRADIUS doesn't control what the end user device does. In order to configure the end user device, you need to read the documentation for the end user device. It's that simple. Alan DeKok.
We are using a package called “hostapd” to talk to FreeRADIUS – in some of the hostapd documentation they refer to hostapd as an 802.1x “authenticator” This was the term I used in my original question which may have readers thinking I meant the actual device that was trying to access the network. In FreeRADIUS parlance, I think hostapd is called a NAS – it’s the NAS-to-FreeRADIUS connection I was referring to. R. From: Freeradius-Users <freeradius-users-bounces+randy.turner=landisgyr.com@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Date: Tuesday, October 5, 2021 at 10:35 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authenticator -to- RADIUS connection On Oct 5, 2021, at 9:51 AM, Turner, Randy <Randy.Turner@landisgyr.com> wrote:
I wasn’t playing peek-a-boo and I didn’t use the phrase “like TLS’, my first question was pretty straightforward.
It was vague, and based on a vague / incorrect understanding of how RADIUS works. i.e. " I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…" Because RADIUS doesn't work that way. This should be a hint... there is no way to do X, because X is impossible. When you ask questions based on wrong assumptions, it it's very difficult to answer the questions, for example: Q: How do I add pumpkins to my cars gas tank A: Huh? that makes no sense At which point people usually get angry and say "I'm just asking a simple question, why can't you answer it?"
We were just trying to understand if we could use something other than a username/password for the authenticator to authenticate to RADIUS.
The documentation has a long list of authentication methods it supports, as you found. Which answers your question. But in the end, none of this matters. "I want to use TLS" is not a useful requirement. Because what matters is what the client / end-user device supports. Can you do PAP over WiFi? No, it's impossible. Can you do EAP-TLS in some situations? No, it's not always possible. If you want to use a different authentication type, then read the documentation for the RADIUS client and/or the end user device. See what they support, and the configure them to use your favourite authentication type. Asking if "FreeRADIUS" supports it is completely backwards. FreeRADIUS doesn't control what the end user device does. In order to configure the end user device, you need to read the documentation for the end user device. It's that simple. Alan DeKok. - List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=04%7C01%7Crandy.turner%40landisgyr.com%7Cdc040a222380487686ac08d9880d5775%7Cee2cd48b958f4be49852b8f104c001b9%7C0%7C0%7C637690413584138323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=6wW5VNeHU5Rq79Pvzan4v1sq1tFOx2mfjfHyFzZjpbA%3D&reserved=0
On Oct 5, 2021, at 1:00 PM, Turner, Randy <Randy.Turner@landisgyr.com> wrote:
We are using a package called “hostapd” to talk to FreeRADIUS – in some of the hostapd documentation they refer to hostapd as an 802.1x “authenticator”
Yes. 802.1X != RADIUS. They use different terminology, because they are different protocols, and do different (but related) things. And why not just say from the start that you're using hostap? It's *always* better to be precise. Especially if you're not familiar with the technology.
This was the term I used in my original question which may have readers thinking I meant the actual device that was trying to access the network.
I didn't know what you meant. Because as soon as someone uses the wrong terminology, all bets are off.
In FreeRADIUS parlance, I think hostapd is called a NAS – it’s the NAS-to-FreeRADIUS connection I was referring to.
This is not "FreeRADIUS parlance". The term "NAS" goes back to at least 1993, and the first RADIUS standards. A little bit of reading on the basic terminology would help. So you're still confused about which things are involved, and what they do. I'm still not sure what you're asking. The "NAS to FreeRADIUS" connection uses RADIUS. You can't use any other protocol there. The "end user to hostap" connection uses 802.1X, which includes EAP. The EAP packets are then placed inside of RADIUS by the NAS, sent to FreeRADIUS. EAP can carry many different kinds of authentication. EAP-TLS, EAP-TTLS, etc. All of this information is available on the net (including Wikipedia) if you go look. What is frustrating here is not just using the wrong terminology, it's also metering out of additional information all through the conversation. It would have been very simple to say "I have a computer using WiFi, I have hostap, and I want to authenticate the user device via FreeRADIUS". That would have given us *useful* information. Instead, it's a vague question using incorrect terms, followed by "Oh yeah, I'm using this, too". This is frustrating. Spend an hour or so reading the Wikipedia pages on RADIUS and EAP. That should clarify a lot of issues. And PLEASE give useful information in messages. That helps enormously. Alan DeKok.
Hi Benjamin, looks like you've messed up with the use of the backslashes (\) and unintentionally escaped some of the command switches for ldapsearch:
root@FreeRadius:~# LDAPTLS_CERT=/etc/freeradius/3.0/certs/ldap-client.crt LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key \ldapsearch -H ldaps://ldap.google.com:636 \ -b dc=foundationacademy,dc=net '(mail='benjamin.diehl@foundationacademy.net')'
You probably wanted to use "dc=foundationacademy,dc=net" as the search base (-b) '(mail='benjamin.diehl@foundationacademy.net')' as the search filter no special attritbute list What the server acutally received is: # extended LDIF # LDAPv3 # base <> (default) with scope subtree ^an empty search base (so the RootDSE is used as the default) because you've escaped the -b option # filter: (objectclass=*) ^ no specific search filter so the default of any object class is used # requesting: -b dc=foundationacademy,dc=net (mail=benjamin.diehl@foundationacademy.net) ^ a maleformed attribute list due to the messed up escapes, so the server is looking up the attributes: "-b" "dc=foundationacademy,dc=net" "(mail=benjamin.diehl@foundationacademy.net)" which do not exist and therefore the server only responds with the dn of the rootDSE node which is what your ldapsearch actually asked for: dn: (it might look a bit confusing and as if the search didn't return anything) # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 ^actually the search for 3 attributes (search: 3) was successful (result: 0 Success) and returned 1 entry (numEntries: 1) - the rootDSE "dn: " Even LDAP is nice sometimes and may tell you what happened (not to the extend of freeradius of course ;-)), but as always it takes time to see the information is actually there and even more experience to understand it. Sorry for the lengthy explanation which might be a bit off-topic for this list. I still hope it may help you and others with similar problems. To the concrete problem: eliminate all the backslashes from your ldapsearch and try this in one line: LDAPTLS_CERT=/etc/freeradius/3.0/certs/ldap-client.crt LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key ldapsearch -H ldaps://ldap.google.com:636 -b 'dc=foundationacademy,dc=net' '(mail=benjamin.diehl@foundationacademy.net)' and you might get a step further. You will also notice the change in the commented output of the search the server will have performed.
The last error might be the clue "Insufficient access. Check the identity and password configuration directives"
On Oct 5, 2021, at 8:18 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
I am trying to figure out what could be causing this issue with FreeRadius and Google LDAP. I am getting a few errors when FreeRadius is trying to search for the user. I bolded the Error spots. I have tried multiple different username and password combos in the LDAP section, even tried it without. The accounts I have tested with have Super admin access and then I have triple checked the info when it's the Google LDAP credentials.
(2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "foundationacademy.net" for User-Name = "benjamin.diehl@foundationacademy.net" (2) suffix: Found realm "foundationacademy.net" (2) suffix: Adding Stripped-User-Name = "benjamin.diehl" (2) suffix: Adding Realm = "foundationacademy.net" (2) suffix: Proxying request from user benjamin.diehl to realm foundationacademy.net (2) suffix: Preparing to proxy authentication request to realm "foundationacademy.net" (2) [suffix] = updated (2) eap: Request is supposed to be proxied to Realm foundationacademy.net. Not doing EAP. (2) [eap] = noop (2) [files] = noop rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 60839 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 60839 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (8), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (8) (2) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (uid=benjamin.diehl) (2) ldap: Performing search in "dn=foundationacademy,dc=net" with filter "(uid=benjamin.diehl)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: ERROR: Failed performing search: Insufficient access. Check the identity and password configuration directives rlm_ldap (ldap): Released connection (8) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (9), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful (2) [ldap] = fail (2) } # authorize = fail (2) Invalid user (ldap: Failed performing search: Insufficient access. Check the identity and password configuration directives): [benjamin.diehl@foundationacademy.net] (from client localhost port 0 cli 50-E0-85-F7-E2-0C)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Would there be anything in Google Admin stopping it from communicating with FreeRadius? All the accounts and creds that I have tried are all correct and would have the correct access. On Oct 5, 2021, 8:30 AM -0400, Jonathan Davis <jonathan@prioritycolo.com>, wrote:
The last error might be the clue "Insufficient access. Check the identity and password configuration directives"
On Oct 5, 2021, at 8:18 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
I am trying to figure out what could be causing this issue with FreeRadius and Google LDAP. I am getting a few errors when FreeRadius is trying to search for the user. I bolded the Error spots. I have tried multiple different username and password combos in the LDAP section, even tried it without. The accounts I have tested with have Super admin access and then I have triple checked the info when it's the Google LDAP credentials.
(2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "foundationacademy.net" for User-Name = "benjamin.diehl@foundationacademy.net" (2) suffix: Found realm "foundationacademy.net" (2) suffix: Adding Stripped-User-Name = "benjamin.diehl" (2) suffix: Adding Realm = "foundationacademy.net" (2) suffix: Proxying request from user benjamin.diehl to realm foundationacademy.net (2) suffix: Preparing to proxy authentication request to realm "foundationacademy.net" (2) [suffix] = updated (2) eap: Request is supposed to be proxied to Realm foundationacademy.net. Not doing EAP. (2) [eap] = noop (2) [files] = noop rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 60839 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 60839 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (8), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (8) (2) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (uid=benjamin.diehl) (2) ldap: Performing search in "dn=foundationacademy,dc=net" with filter "(uid=benjamin.diehl)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: ERROR: Failed performing search: Insufficient access. Check the identity and password configuration directives rlm_ldap (ldap): Released connection (8) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (9), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful (2) [ldap] = fail (2) } # authorize = fail (2) Invalid user (ldap: Failed performing search: Insufficient access. Check the identity and password configuration directives): [benjamin.diehl@foundationacademy.net] (from client localhost port 0 cli 50-E0-85-F7-E2-0C)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (6)
-
Alan DeKok -
Benjamin Diehl -
Jan Sellmann -
Jonathan Davis -
Matthew Newton -
Turner, Randy