Hey! I'm having troubles setting authentication over LDAP in 'bind as user' mode. I only want to authenticate user against LDAP(ldap bind with user/pass provided by the user) and if login is successful, then radius returns Access-Accept. I'm using radius 2.1.12. In modules/ldap I have the following: server = "ldaps.example.com" port = "636" basedn = "dc=example,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 password_attribute = userPassword set_auth_type = yes In sites-available/defaults I have: authorize { preprocess } authenticate { Auth-Type LDAP { ldap } } The rest of the modules are empty. In hints file I have: DEFAULT Ldap-UserDN := "uid=%{User-Name},ou=test,dc=example,dc=com", Auth-Type := LDAP When I try to login, the login fails... In debug log I see the following: # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok ++[files] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject I guess it matches the hint, but it doesn't try to bind to ldap. If I put DEFAULT Ldap-UserDN := "uid=testuser,ou=test,dc=example,dc=com", Auth-Type := LDAP in users file and uncomment files in authorize section, login is successfu. How do I make radius use template provided in hints file and pass it on to authenticate modul, so it tries to login to ldap? Is this even the right way of doing it? I didn't find many posts, that tried to do that. Everybody usually search ldap for USERDN attribute in authorize section with ldap module. Thanks, Matej -- --- Matej Zerovnik
Matej Žerovnik wrote:
In hints file I have: DEFAULT Ldap-UserDN := "uid=%{User-Name},ou=test,dc=example,dc=com", Auth-Type := LDAP
Don't use the "hints" file. Use the "users" file. The two files are for very different things.
If I put DEFAULT Ldap-UserDN := "uid=testuser,ou=test,dc=example,dc=com", Auth-Type := LDAP in users file and uncomment files in authorize section, login is successfu.
Then do that.
How do I make radius use template provided in hints file and pass it on to authenticate modul, so it tries to login to ldap?
I have no idea why you're set on using the hints file.
Is this even the right way of doing it? I didn't find many posts, that tried to do that. Everybody usually search ldap for USERDN attribute in authorize section with ldap module.
Everyone uses the "users" file for simple tests. Alan DeKok.
On 16.10.2014 21:56, Alan DeKok wrote:
Matej Žerovnik wrote:
In hints file I have: DEFAULT Ldap-UserDN := "uid=%{User-Name},ou=test,dc=example,dc=com", Auth-Type := LDAP Don't use the "hints" file. Use the "users" file. The two files are for very different things. If I use users file, then %{User-Name} is not substituted with the user-name provided in the accept-request. I hope it's obvious I want to use different usernames as different users will use radius to login to the service.
Debug output says: [ldap] user DN: uid=%{User-Name},ou=sikkr,dc=izum,dc=si [ldap] (re)connect to ldaps.izum.si:636, authentication 1 [ldap] setting TLS mode to 1 [ldap] bind as uid=%{User-Name},ou=test,dc=example,dc=com/password to ldaps.example.com:636 [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials I found out I read about hints file on this url: http://www.opensource.apple.com/source/freeradius/freeradius-11/freeradius/d... Later I realized that this file is about radius 1.X version, so it's probably obsolete. Matej -- --- Matej Zerovnik
Matej Žerovnik wrote:
If I use users file, then %{User-Name} is not substituted with the user-name provided in the accept-request. I hope it's obvious I want to use different usernames as different users will use radius to login to the service.
You said other things didn't work when you used the "hints" file. Just write all of the policies in "unlang".
I found out I read about hints file on this url: http://www.opensource.apple.com/source/freeradius/freeradius-11/freeradius/d...
Later I realized that this file is about radius 1.X version, so it's probably obsolete.
And it's just a copy of the FreeRADIUS documentation. Which is included with FreeRADIUS. And which is available on wiki.freeradius.org. I don't see why people go to third-party sites, when the same (and better) documentation is available directly from us. Alan DeKok.
Matej, This was recently a topic on this list and I posted this: http://freeradius.1045715.n5.nabble.com/LDAP-bind-user-authentication-tp5729... According to the original poster, that did the trick for him and he could use bind-as-user. There was no messing with the 'users' file (or odd default User-Dn stuff), just setting up the LDAP server details, tweaking the ldap query to retrieve your user, and the few lines in both the 'authorize' and 'authenticate' sections to be able to use PAP. Granted, you're using FR 2.1.12, so mileage will vary, but if you use the FreeRADIUS repository, you can switch to v3.0.4 and enjoy the gloriousness of the rewritten LDAP module that makes things so easy :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238 ________________________________________ From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Alan DeKok [aland@deployingradius.com] Sent: 16 October 2014 21:46 To: FreeRadius users mailing list Subject: Re: LDAP - bind as user - howto? Matej Žerovnik wrote:
If I use users file, then %{User-Name} is not substituted with the user-name provided in the accept-request. I hope it's obvious I want to use different usernames as different users will use radius to login to the service.
You said other things didn't work when you used the "hints" file. Just write all of the policies in "unlang".
I found out I read about hints file on this url: http://www.opensource.apple.com/source/freeradius/freeradius-11/freeradius/d...
Later I realized that this file is about radius 1.X version, so it's probably obsolete.
And it's just a copy of the FreeRADIUS documentation. Which is included with FreeRADIUS. And which is available on wiki.freeradius.org. I don't see why people go to third-party sites, when the same (and better) documentation is available directly from us. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
On 16. 10. 2014 23:25, Stefan Paetow wrote:
This was recently a topic on this list and I posted this:
http://freeradius.1045715.n5.nabble.com/LDAP-bind-user-authentication-tp5729...
According to the original poster, that did the trick for him and he could use bind-as-user. There was no messing with the 'users' file (or odd default User-Dn stuff), just setting up the LDAP server details, tweaking the ldap query to retrieve your user, and the few lines in both the 'authorize' and 'authenticate' sections to be able to use PAP. I saw that thread and read it, but unfortunately, I dont have/can't get credetials to search LDAP. I will try and ask them again, but I think they won't give it to me. Currently, my solution works, but 'ou' is hardcoded. This is ok for now, but in the future I would like to expand that...
Matej Žerovnik wrote:
If I use users file, then %{User-Name} is not substituted with the user-name provided in the accept-request. I hope it's obvious I want to use different usernames as different users will use radius to login to the service. You said other things didn't work when you used the "hints" file.
Just write all of the policies in "unlang". So I disabled preprocess modul and added the following into authorize section: if (User-Password) { update control { Auth-Type := ldap Ldap-UserDN := "uid=%{User-Name},ou=test,dc=example,dc=com", Auth-Type := LDAP } }
It's working not. Is that the correct way to solve my problem? Matej
On 17 Oct 2014, at 06:43, Matej Zerovnik <matej@zunaj.si> wrote:
I saw that thread and read it, but unfortunately, I dont have/can't get credetials to search LDAP. I will try and ask them again, but I think they won't give it to me. Currently, my solution works, but 'ou' is hardcoded. This is ok for now, but in the future I would like to expand that...
Well, that complicates matters, doesn't it?
So I disabled preprocess modul and added the following into authorize section: if (User-Password) { update control { Auth-Type := ldap Ldap-UserDN := "uid=%{User-Name},ou=test,dc=example,dc=com", Auth-Type := LDAP } }
The comma and the Auth-Type won't work, no. What happens when you delete those from that line? Stefan Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
On 17.10.2014 11:54, Stefan Paetow wrote:
On 17 Oct 2014, at 06:43, Matej Zerovnik <matej@zunaj.si> wrote:
I saw that thread and read it, but unfortunately, I dont have/can't get credetials to search LDAP. I will try and ask them again, but I think they won't give it to me. Currently, my solution works, but 'ou' is hardcoded. This is ok for now, but in the future I would like to expand that... Well, that complicates matters, doesn't it? Yea, it does a bit:) But we found a solution, since I can login as UserDN PersonName=test.username,dc=example,dc=com as well...
So I disabled preprocess modul and added the following into authorize section: if (User-Password) { update control { Auth-Type := ldap Ldap-UserDN := "uid=%{User-Name},ou=test,dc=example,dc=com", Auth-Type := LDAP } } The comma and the Auth-Type won't work, no. What happens when you delete those from that line? Strangley it worked with comma there. I deleted ', Auth-Type := LDAP' and it still works. Anyway, it works and that's enough for me:)
Thanks all for help. -- --- Matej Zerovnik
} The comma and the Auth-Type won't work, no. What happens when you delete those from that line? Strangley it worked with comma there. I deleted ', Auth-Type := LDAP' and it still works. Anyway, it works and that's enough for me:)
Ok, it sounded like it hadn't worked, but if it does, great :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238 Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
On 17.10.2014 22:58, Stefan Paetow wrote:
} The comma and the Auth-Type won't work, no. What happens when you delete those from that line? Strangley it worked with comma there. I deleted ', Auth-Type := LDAP' and it still works. Anyway, it works and that's enough for me:) Ok, it sounded like it hadn't worked, but if it does, great :-) I went back and checked my post... I made a typo there:)
Matej -- --- Matej Zerovnik
participants (4)
-
Alan DeKok -
Matej Zerovnik -
Matej Žerovnik -
Stefan Paetow