Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]

darkblue darkblue2000 at gmail.com
Fri Dec 2 11:07:55 CET 2005


I have upgraded my libs, but when I execute dpkg-buildpackage -uc
-b (under root privilege), some errors show up:
.....
dpkg-buildpackage: source maintainer is Paul Hampson <Paul.Hampson at anu.edu.au>
dpkg-buildpackage: host architecture is i386
 debian/rules clean
dh_testdir
rm -f stamp-build debian/{files,substvars} debian/*.debhelper libltdl/stamp-h1
[ -f Make.inc ] && make distclean || true
dh_clean
rm -rf /home/software/freeradius-1.0.5/debian/freeradius
for modname in krb5 ldap mysql iodbc postgresql; do \
        rm -rf /home/software/freeradius-1.0.5/debian/freeradius-${modname}{,.substvars}; \
done
[ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub || true
[ -f config.guess.dist ] && rm config.guess && mv config.guess.dist config.guess || true
dpatch deapply-all
/bin/bash: line 1: dpatch: command not found
make: *** [unpatch] Error 127

any idea?

2005/12/2, darkblue <darkblue2000 at gmail.com>:
> hi,
>
> Sorry to bother you.
> According to your comment,
> I encountered this error:
> sccgd:/home/software/freeradius-1.0.5# dpkg-buildpackage -b -uc
> dpkg-buildpackage: source package is freeradius
> dpkg-buildpackage: source version is 1.0.5-0
> dpkg-buildpackage: source maintainer is Paul Hampson <Paul.Hampson at anu.edu.au>
> dpkg-buildpackage: host architecture is i386
> dpkg-checkbuilddeps: Unmet build dependencies: debhelper (>= 4.1.68)
> libltdl3-dev libpam0g-dev libpq-dev | postgresql-dev
> libmysqlclient12-dev | libmysqlclient-dev libgdbm-dev | libgdbmg1-dev
> libldap2-dev libsasl2-dev libsnmp5-dev | libsnmp4.2-dev libiodbc2-dev
> libkrb5-dev libssl-dev libtool1.4 | libtool (< 1.5) snmp autotools-dev
> dpkg-buildpackage: Build dependencies/conflicts unsatisfied; aborting.
> dpkg-buildpackage: (Use -d flag to override.)
>
> I also used the -d flag, but it failed.
> any suggestion?
>
>
> 2005/11/23, Nicolas Baradakis <nbk at sitadelle.com>:
> > King, Michael wrote:
> >
> > > Ignore the freeRADIUS package.  Due to license restrictions, it cannot
> > > contain the binaries for OpenSSL. We have to use the source.
> >
> > Indeed.
> >
> > > Download the latest release of freeRADIUS
> > >
> > > Unzip freeRADIUS
> > > tar -zxvf freeradius-1.0.5.tar.gz
> > >
> > > Switch to the directory
> > > then
> > >
> > > ./configure --disable-shared
> > > make
> > > make install
> >
> > I don't recommend this method to the Debian users, because it
> > confuses dpkg about the files installed on the system and it's
> > not possible to uninstall the files later. I think it's a lot
> > better to build FreeRADIUS from sources using dpkg-buildpackage.
> >
> > $ tar zxf freeradius-1.0.5.tar.gz
> > $ cd freeradius-1.0.5
> > $ fakeroot dpkg-buildpackage -b -uc
> > $ sudo dpkg -i ../freeradius_1.0.5-0_i386.deb
> >
> > > You can look at my notes if you want:
> > > http://www.mpking.com/articles.php?lng=en&pg=55
> >
> > Please add a note about dpkg-buildpackage, too.
> >
> > --
> > Nicolas Baradakis
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
>
> --
> He is nothing
>


--
He is nothing


2005/11/27, Alhagie Puye <APuye at datawave.com>:
> Thanks Dusty. That's very helpful.
>
> I have one little problem. I was hoping someone can shed some light on
> it.
>
> For the Active Directory security, I need to specify the username as
> "Domain\user" instead of just "user" for the identity in radiusd.conf
>
> "user at domain.com" doesn't seem to work.
>
> Here is the output:
>
> rad_recv: Access-Request packet from host 192.168.42.1:50667, id=146,
> length=57
>        User-Name = "user"
>        User-Password = "password"
>        NAS-IP-Address = 255.255.255.255
>        NAS-Port = 1
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
>  modcall[authorize]: module "preprocess" returns ok for request 4
>  modcall[authorize]: module "chap" returns noop for request 4
>  modcall[authorize]: module "mschap" returns noop for request 4
>    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 4
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 4
>    users: Matched entry DEFAULT at line 153
>  modcall[authorize]: module "files" returns ok for request 4
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for apuye
> radius_xlat:  '(uid=apuye)'
> radius_xlat:  'dc=ad,dc=puyenet,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to orion.puyenet.com:389, authentication 0
> rlm_ldap: bind as
> cn=apuye at ad.puyenet.com,ou=users,dc=ad,dc=puyenet,dc=com/password to
> orion.puyenet.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap
> section of radiusd.conf
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns fail for request 4
> modcall: group authorize returns fail for request 4
> Finished request 4
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 4 ID 146 with timestamp 4388ab87
> Nothing to do.  Sleeping until we see a request.
>
> The radiusd.conf file looks like this for the ldap section:
> ldap {
>         server = "orion.puyenet.com"
>         # identity = "cn=admin,o=My Org,c=UA"
>         identity = "cn=apuye at ad.puyenet.com,ou=users,dc=ad,dc=puyenet,dc=com"
>         password = password
>         #basedn = "o=My Org,c=UA"
>         basedn = "dc=ad,dc=puyenet,dc=com"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         # base_filter = "(objectclass=radiusprofile)"
>
>
> Thanks in advance.
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817
>
> > >-----Original Message-----
> > >From: freeradius-users-bounces at lists.freeradius.org
> > >[mailto:freeradius-users-bounces at lists.freeradius.org] On
> > >Behalf Of Dusty Doris
> > >Sent: November 25, 2005 9:43 AM
> > >To: FreeRadius users mailing list
> > >Subject: RE: Freeradius How to integrate Active
> > >Directory[ADIntegrationWindowsXP NTLM Tutorial]
> > >
> > >
> > >> So, the question again is if the VPN Concentrator is only sending
> > >> username and password, do I need ntml_auth or ms-chap? FreeRADIUS
> > >> doesn't have any usernames and password and will query Active
> > >> Directory for the actual authentication.
> > >>
> > >> Thanks,
> > >>
> > >
> > >If the packet is merely containing plaintext username and
> > >password, then you can probably just use rlm_ldap against AD
> > >and hit it directly.  Just need to setup a user with read
> > >access to the directory to do the initial bind with and
> > >search of the user for authorization.  Then the user will be
> > >authenticated by doing a bind against AD with the
> > >username/password in the packet.
> > >
> > >BTW - I use freeradius w/ ldap for cisco VPN concentrators
> > >as well, although it's openldap instead of AD.  To pass back
> > >the class attribute, you must modify ldap.attrmap and
> > >specify the reply item of Class to match what you call it in
> > >the directory.
> > >
> > >eg:
> > >
> > >replyItem    Class   radiusClass
> > >
> > >Then in the directory, you have
> > >
> > >dn: cn=someuser,...
> > >...
> > >radiusClass: "OU=myvpngroup;"
> > >
> > >So, for AD, you'll need to extend the schema and add an
> > >attribute for this.  Or if you already have something that
> > >you can use, just modify ldap.attrmap to know what it is.
> > >
> > >-Dusty Doris
> > >-
> > >List info/subscribe/unsubscribe? See
> > >http://www.freeradius.org/list/users.html
> > >
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


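As an added example for the build problems in the first part of this thread (my script, not anything posted by darkblue, Nicolas Baradakis or the FreeRADIUS project), here is the dpkg-buildpackage route Nicolas recommends, with the two failures quoted above handled before the build starts: it turns the dpkg-checkbuilddeps complaint into an installable package list (version constraints such as "(>= 4.1.68)" dropped, the first choice of every "a | b" alternative kept) and checks that dpatch, which debian/rules calls during "clean", is present. The sample text is the checkbuilddeps output quoted in the thread, wrapped as it appeared in the mail; the source directory name and the use of sudo and apt-get are assumptions.

```shell
#!/bin/sh
# Added example: build FreeRADIUS 1.0.5 as a Debian package rather than
# "make install", so dpkg tracks every file and the package can be removed.

# Constructed sample: the dpkg-checkbuilddeps output quoted in the thread,
# line-wrapped the way it appeared in the mail.
SAMPLE_CHECKBUILDDEPS='dpkg-buildpackage: host architecture is i386
dpkg-checkbuilddeps: Unmet build dependencies: debhelper (>= 4.1.68)
libltdl3-dev libpam0g-dev libpq-dev | postgresql-dev
libmysqlclient12-dev | libmysqlclient-dev libgdbm-dev | libgdbmg1-dev
libldap2-dev libsasl2-dev libsnmp5-dev | libsnmp4.2-dev libiodbc2-dev
libkrb5-dev libssl-dev libtool1.4 | libtool (< 1.5) snmp autotools-dev
dpkg-buildpackage: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: (Use -d flag to override.)'

# Turn dpkg-checkbuilddeps output (possibly line-wrapped) into a package
# list: drop "(>= x)" version constraints and keep only the first choice of
# each "a | b" alternative. Prints an empty line when nothing is unmet.
unmet_to_pkgs() {
    printf '%s\n' "$1" | awk '
        /Unmet build dependencies:/ { sub(/.*Unmet build dependencies: */, ""); cap = 1 }
        cap && /^dpkg-/ { cap = 0 }      # the next dpkg message ends the wrapped list
        cap { buf = buf " " $0 }
        END {
            gsub(/\([^)]*\)/, "", buf)   # strip version constraints
            n = split(buf, tok, /[ \t]+/)
            skip = 0; out = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] == "") continue
                if (tok[i] == "|") { skip = 1; continue }   # drop the alternative
                if (skip) { skip = 0; continue }
                out = out (out == "" ? "" : " ") tok[i]
            }
            print out
        }'
}

# Satisfy the build dependencies, then build and install the .deb.
build_freeradius_deb() {
    srcdir=${1:-freeradius-1.0.5}     # assumed: unpacked source tree
    cd "$srcdir" || return 1
    missing=$(unmet_to_pkgs "$(dpkg-checkbuilddeps 2>&1 || true)")
    # debian/rules runs "dpatch deapply-all" in clean; it must be installed.
    command -v dpatch >/dev/null 2>&1 || missing="$missing dpatch"
    if [ -n "$missing" ]; then
        # word splitting of $missing is intended here
        sudo apt-get install -y $missing || return 1
    fi
    fakeroot dpkg-buildpackage -b -uc || return 1
    sudo dpkg -i ../freeradius_1.0.5-0_*.deb
}

if [ $# -gt 0 ]; then
    build_freeradius_deb "$1"
fi
```

Run it as `sh build-freeradius.sh freeradius-1.0.5` from the directory that contains the unpacked source; the .deb ends up one level up, as in Nicolas's `dpkg -i ../freeradius_1.0.5-0_i386.deb`. If apt-get already has a deb-src entry for freeradius, `apt-get build-dep freeradius` is a shorter way to the same package list, but it will not know about a newer upstream version's dependencies.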
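For the rlm_ldap-against-AD setup Dusty Doris describes in the second part of the thread (service account binds and searches, then the user is authenticated by a bind with the password from the packet), here is an added example of an rlm_ldap section in FreeRADIUS 1.x syntax. It is my example, not the configuration Alhagie posted and not the project's shipped defaults; the service account DN, the CA file path, the password placeholder and the base DN are assumptions, and it assumes the AD users carry sAMAccountName, which is the standard AD login attribute.

```conf
# Added example: rlm_ldap section for Active Directory (FreeRADIUS 1.x).
ldap {
        server = "orion.puyenet.com"
        port = 389
        # Bind for the user search with a low-privilege read-only account.
        # AD simple bind also accepts the "DOMAIN\user" form reported in the
        # thread; a DN is shown here (assumed account).
        identity = "cn=svc_radius,ou=users,dc=ad,dc=puyenet,dc=com"
        password = "service-account-password"
        basedn = "dc=ad,dc=puyenet,dc=com"
        # AD accounts normally have sAMAccountName rather than uid, so a
        # (uid=...) filter finds nothing and the user bind never happens.
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # The NAS sends User-Password in the clear (PAP), and rlm_ldap then
        # re-sends it to AD in the user bind. Protect the LDAP leg with
        # StartTLS and demand a valid server certificate, otherwise every
        # user password crosses the network in plaintext on port 389.
        start_tls = yes
        tls_cacertfile = /etc/freeradius/certs/ad-ca.pem
        tls_require_cert = "demand"
        # AD has no dialupAccess attribute; leave access_attr unset unless
        # the schema has been extended for it.
        # access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
```

To make the user bind actually happen, `ldap` must be listed in the `authorize` section and `Auth-Type LDAP { ldap }` enabled in the `authenticate` section; in the debug output above the request never got past the failed service-account bind in `authorize`, which is what "LDAP login failed: check identity, password settings" refers to. Returning the Class attribute works as Dusty describes: `replyItem Class radiusClass` in ldap.attrmap, with `radiusClass` (or whatever attribute AD has been extended with) holding the value the VPN concentrator expects.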

