FreeRadius LDAP group verification not working for me
Hi all, i'm really brand new on freeradius. i'm using freeradius 3.0.4 with ldap, ldap autethication work for me fine with "o=organitation" but not with group = cn, maybe the ldap configuration is not the standart I'm following these thread: lists.freeradius.org/pipermail/freeradius-users/2016-December/085971.html For me: in /mods-available/ldap ldap { server = "x.x.x.x" base_dn = "o=organization,cn=telecom"} user { base_dn = "o=organization,cn=telecom" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"} group { base_dn = "o=organization,cn=telecom" filter = '(cn=telecom)' name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberUid' } on radius -X : Received Access-Request Id 125 from y.y.y.y:42420 to x.x.x.x:1812 length 78 User-Name = 'usertest' User-Password = '*****' NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x075a82e674d1e57b22856618bd3adc87(2) Received Access-Request packet from host y.y.y.y port 42420, id=125, length=78(2) User-Name = 'usertest'(2) User-Password = '*****'(2) NAS-IP-Address = 127.0.1.1(2) NAS-Port = 0(2) Message-Authenticator = 0x075a82e674d1e57b22856618bd3adc87(2) # Executing section authorize from file /etc/raddb/sites-enabled/default(2) authorize {(2) eap : No EAP-Message, not doing EAP(2) [eap] = nooprlm_ldap (ldap): Reserved connection (4)(2) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})(2) ldap : --> (uid=usertest)(2) ldap : EXPAND o=organitation,cn=telecom(2) ldap : --> o=organitation,cn=telecom(2) ldap : Performing search in 'o=organitation,cn=telecom' with filter '(uid=usertest)', scope 'sub'(2) ldap : Waiting for search result...(2) ERROR: ldap : Failed performing search: The specified DN wasn't found, check base_dn and identityrlm_ldap (ldap): Released connection (4)(2) [ldap] = fail(2) } # authorize = fail(2) Invalid user (ldap: Failed performing search: The specified DN wasn't found, check base_dn and identity): [usertest/******] (from client Renaju port 0)(2) Using Post-Auth-Type Reject(2) # Executing group from file /etc/raddb/sites-enabled/default(2) Post-Auth-Type REJECT {(2) attr_filter.access_reject : EXPAND %{User-Name}(2) attr_filter.access_reject : --> usertest(2) attr_filter.access_reject : Matched entry DEFAULT at line 11(2) [attr_filter.access_reject] = updated(2) } # Post-Auth-Type REJECT = updated(2) Delaying response for 1 seconds ------- # in the "default" server authorize { ... eap { ok = return updated = return } ldap group_authorization # In the "inner-tunnel" server: authorize { ... eap { ok = return } ldap group_authorization I create "policy.d/group_authorization" the file not exist # in policy.d/group_authorization: group_authorization { if (&Huntgroup-Name == "telecom") { if (&LDAP-Group[*] == "o=organization,cn=telecom") { ok } else { update reply { &Reply-Message := "Not authorized for telecom" } reject } } elsif (&Huntgroup-Name == "telecom") { reject }} Thanks!
On Dec 13, 2019, at 8:57 AM, Condor via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi all, i'm really brand new on freeradius. i'm using freeradius 3.0.4
Upgrade to 3.0.20. There are a lot of fixes.
with ldap, ldap autethication work for me fine with "o=organitation" but not with group = cn, maybe the ldap configuration is not the standart I'm following these thread: lists.freeradius.org/pipermail/freeradius-users/2016-December/085971.html
Why? The comments in the default configuration are pretty darned clear.
For me: in /mods-available/ldap
Please read the documentation: http://wiki.freeradius.org/list-help We don't need to see the configuration files.
on radius -X : Received Access-Request Id 125 from y.y.y.y:42420 to x.x.x.x:1812 length 78 User-Name = 'usertest' User-Password = '*****' NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x075a82e674d1e57b22856618bd3adc87(2) Received Access-Request packet from host y.y.y.y port 42420, id=125, length=78(2) User-Name = 'usertest'(2) User-Password = '*****'(2) NAS-IP-Address = 127.0.1.1(2) NAS-Port = 0(2) Message-Authenticator = 0x075a82e674d1e57b22856618bd3adc87(2)
That's pretty much destroyed. Please POST TEXT. And NOT REFORMATTED TEXT. You should be able to see this in your mailer before you send the message.
... EXPAND o=organitation,cn=telecom(2) ldap : --> o=organitation,cn=telecom(2) ldap : Performing search in 'o=organitation,cn=telecom' with filter '(uid=usertest)', scope 'sub'(2) ldap : Waiting for search result...(2) ERROR: ldap : Failed performing search: The specified DN wasn't found, check base_dn and identity
That seems to be pretty clear. The DN isn't found. Or, the admin user doesn't have permission to read the DN. Upgrade to 3.0.20. One of the things you'll find in the default config for the "ldap" module is more documentation. Including explicit instructions for testing the LDAP parameters using the "ldapsearch" command.
# in the "default" server
We don't need to see the configuration files. Alan DeKok.
participants (2)
-
Alan DeKok -
Condor