FreeRadius authorise against Samab 4 LDB Problem
Hi, First time posting here. I have just started out and am trying to get a FreeRadius 3.0.6 server working with Samba 4.1.16. Specifically authorising against Samba’s LDB backend. So what I have got working is FreeRadius binding correctly to Samba’s LDB ldap server as well as the correct user objects being found when running a test with radtest. Below is the request output from FreeRadius: (0) Received Access-Request Id 150 from 127.0.0.1:39860 to 127.0.0.1:1812 length 83 (0) User-Name = ’test' (0) User-Password = ‘password' (0) NAS-IP-Address = 192.168.6.221 (0) NAS-Port = 0 (0) Message-Authenticator = 0x5a261850779b1ad52861b77dc4914cb0 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) (null) { (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (sAMAccountName=test) (0) ldap: EXPAND OU=Users,DC=example,DC=com (0) ldap: --> OU=Users,DC=example,DC=com (0) ldap: Performing search in 'OU=Users,DC=example,DC=com' with filter '(sAMAccountName=test)', scope 'sub' (0) ldap: Waiting for search result... (0) ldap: User object found at DN “CN=test,OU=Users,DC=example,DC=com" rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type WARNING: (0) pap: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # (null) = ok ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test/password] (from client vpn port 0) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) (null) { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> test (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) } # (null) = updated (0) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 150 from 127.0.0.1:1812 to 127.0.0.1:39860 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 150 with timestamp +4 Ready to process requests As you can see I am not sure why it fails at the pap stage and what is going on. I think it may have something to do with the user password hash not being retrieved from ldap but can’t be sure and from the searching I have done FreeRadius would seem to provide and error if this was the case. The sites-enable/default looks like the following: authorize { preprocess # auth_log chap mschap ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } } preacct { preprocess acct_unique # suffix files } accounting { detail radutmp attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { } And my ldap config is as follows: ldap { server = '192.168.6.221' identity = 'CN=FreeRadius,OU=Users,DC=example,DC=com' password = radpassword base_dn = 'OU=Users,DC=example,DC=com' user { base_dn = 'OU=Users,DC=example,DC=com' filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" scope = 'sub' } ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } Any help would be greatly appreciated. Kind Regards Thom
participants (1)
-
Thomas Miller