LDAP bind user authentication
Hello there, I spend countless hours on this topic. The farthest i could get was this topic from 2008: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49999.h... Freeradius version: 2.1.12 on debian Basically followed this guide: http://jitendrakumaryogi.blogspot.de/2013/10/step-by-step-free-radius-config... so ldap is configured in authorize section in default server and as authorize and authentication in inner-tunnel. I would like to use EAP-TTLS-PAP. The aim is to authorize via LDAP by binding anonymously and just looking up the uid, start an EAP-TTLS tunnel, tunnel the request to the inner-tunnel server and there use the clear password send by the supplicant in the following tunneled request to bind with the credentials against the LDAP server. If the bind is successfull the auth should be considered successfull. It works _if_ i provide a manager login to the ldap server so the ldap module can find the user and add a good password, **but if i delete those credentials it fails.** The whole process reaches the point where the authorize section in inner-tunnel is executed. It says: ..... [ldap] user pete authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. ...... So why is that? I set the set_auth_type in module/ldap to yes since what's described there is exactly the behaviour i'd like. Why it says that no authenticate method is set? What can i do that LDAP is doing the authentication at this point? Thanks in advance. I hope i delivered al Infrormation needed. JoVaRi
LDAP with TTLS/PAP will work. What version of FR are you using as there are some fairly big differences with what you need to do. .. especially with 3.x release! :) Alan
It works _if_ i provide a manager login to the ldap server so the ldap module can find the user and add a good password, **but if i delete those credentials it fails.**
You'll need a set of credentials to search LDAP for the DN… But a credential should be one that can read/traverse LDAP, but nothing else. Then at the bottom of the authorize section, add this: if (User-Password) { update control { Auth-Type := ldap } } Finally, in the authenticate section, insert just 'ldap' at the top and change the Auth-Type PAP stanza from the default to the below (which allows you to use the LDAP bind with things like EAP-TTLS/EAP-GTC, which uses PAP): Auth-Type PAP { # pap ldap } If you use FreeRADIUS 3.0.x, this becomes a *LOT* easier and straight-forward. The FreeRADIUS guys have built a repository for all major Linux platforms, so you can upgrade to the newest without waiting for your distribution to catch up. Stefan Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
participants (3)
-
Alan Buxey -
jopo jopo -
Stefan Paetow