Freeradius - LDAP - Active Directory
Konne
bridge_stone at gmx.net
Mon Nov 21 11:54:49 CET 2005
hi at all
my system:
Debian Sarge 3.1
Kernel 2.6.8
i installed the following software with apt-get
apache-ssl 1.3.34-1
php4
php4-mysql
mysql 4.1.14
openssl 0.9.8a-3
openldap stable 2.3.11 2005-10-18 [compiled]
freeradius 1.0.5-2
freeradius-ldap 1.0.5-2
freeradius-mysql 1.0.5-2
freeradius-krb5 1.0.5-2
----------------------------
i have a lot of problems with freeradius... i would like to authenticate
my users from AP via AD. only the user which is member of a specific
group should become access.
*my ldap.conf*
deref never
referrals no
i tried to authenticate but i become following error:
rad_recv: Access-Request packet from host 192.168.184.26:22381, id=13,
length=57
User-Name = "wuser"
User-Password = "wuser"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "my.dom" for User-Name = "wuser"
rlm_realm: No such realm "my.dom"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=my,dc=dom'
radius_xlat: '(&(sAMAccountname=wuser)(objectClass=person))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to myserver.my.dom:389, authentication 0
rlm_ldap: bind as cn=ldapuser,cn=Users,dc=my,dc=dom/ldapuser to
myserver.my.dom:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=dom, with filter
(&(sAMAccountname=wuser)(objectClass=person))
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for wuser
radius_xlat: '(&(sAMAccountname=wuser)(objectClass=person))'
radius_xlat: 'dc=my,dc=dom'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to myserver.my.dom:389, authentication 0
rlm_ldap: bind as cn=ldapuser,cn=Users,dc=my,dc=dom/ldapuser to
myserver.my.dom:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=dom, with filter
(&(sAMAccountname=wuser)(objectClass=person))
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 13 with timestamp 4381a433
Nothing to do. Sleeping until we see a request.
--------------------
*users*
DEFAULT Auth-Type = System
Fall-Through = 1,
Reply-Message = "System Logon"
DEFAULT Ldap-Group == "wireless", Auth-Type :=LDAP
Fall-Through = Yes,
Reply-Message = "LDAP Logon"
DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes
--------------------
*radiusd.conf*
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
domstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${domstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
user = freerad
group = freerad
max_requests = 1024
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
modules {
pap {
encryption_scheme = md5
}
chap {
authtype = CHAP
}
unix {
cache = no
cache_reload = 600
passwd = /etc/passwd
# shadow = /etc/shadow
# group = /etc/group
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
}
ldap {
server = "myserver.my.dom"
identity = "cn=ldapuser,cn=Users,dc=my,dc=dom"
password = ldapuser
basedn = "dc=my,dc=dom"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
filter =
"(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
start_tls = no
#access_attr = "dialupAccess"
access_attr = "memberOf"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
# 'username at realm'
#
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{Stripped-User-Name:-%{User-Name}}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
authorize {
preprocess
chap
mschap
suffix
eap
files
# sql
ldap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
# sql
}
session {
radutmp
# sql
}
post-auth {
ldap
}
pre-proxy {
}
post-proxy {
eap
}
i would like to connect to my AD from remote w2k3 server. but i receive
only following:
More information about the Freeradius-Users
mailing list