Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
Alhagie Puye
APuye at datawave.com
Wed Nov 30 02:49:05 CET 2005
> >-----Original Message-----
> >From: freeradius-users-bounces at lists.freeradius.org
> >[mailto:freeradius-users-bounces at lists.freeradius.org] On
> >Behalf Of Dusty Doris
> >Sent: November 25, 2005 9:43 AM
> >To: FreeRadius users mailing list
> >Subject: RE: Freeradius How to integrate Active
> >Directory[ADIntegrationWindowsXP NTLM Tutorial]
> >
> >
> >> So, the question again is if the VPN Concentrator is only sending
> >> username and password, do I need ntml_auth or ms-chap? FreeRADIUS
> >> doesn't have any usernames and password and will query Active
> >> Directory for the actual authentication.
> >>
> >> Thanks,
> >>
> >
> >If the packet is merely containing plaintext username and
> >password, then you can probably just use rlm_ldap against AD
> >and hit it directly. Just need to setup a user with read
> >access to the directory to do the initial bind with and
> >search of the user for authorization. Then the user will be
> >authenticated by doing a bind against AD with the
> >username/password in the packet.
> >
> >BTW - I use freeradius w/ ldap for cisco VPN concentrators
> >as well, although its openldap instead of AD. To pass back
> >the class attribute, you must modify ldap.attrmap and
> >specify the reply item of Class to match what you call it in
> >the directory.
> >
> >eg:
> >
> >replyItem Class radiusClass
> >
> >Then in the directory, you have
> >
> >dn: cn=someuser,...
> >...
> >radiusClass: "OU=myvpngroup;"
> >
> >So, for AD, you'll need to extend the schema and add an
> >attribute for this. Or if you already have something that
> >you can use, just modify ldap.attrmap to know what it is.
> >
Ok, this is the part that's not working for me. I have gotten FreeRADIUS
to authenticate and authorize both user and group.
Radiusd.conf:
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptpcps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
This works fine. However I can't get it to return any replyItems. Has
anyone gotten this to work with Active Directory? All the docs I see on
the Net reference OpenLDAP. I'm sure there are a lot of folks out there
running Windows 2000/2003 Active Directory.
I have spent a couple of days on this not having much luck. Here are a
few questions that would help me a bit.
1) Do I need groupname_attribute to get this to work?
2) What about groupmembership_filter and groupmembership_attribute?
My ldap.attrmap looks like this:
replyItem Class groupofnames
replyItem Class group
I think the above is correct. Can some shed some light on this?
Here is my debug output when I authenticate....
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:37372, id=210,
length=57
User-Name = "apuye"
User-Password = "XXXXXXXX"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched entry DEFAULT at line 155
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat: '(&(sAMAccountName=apuye)(memberOf=CN=rptpcps,OU=Datawave
Users,DC=corp,DC=van,DC=dwave))'
radius_xlat: 'DC=corp,DC=van,DC=dwave'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 0
rlm_ldap: bind as cn=Alhagie Puye,ou=Information Technology,ou=DataWave
Users,dc=corp,dc=van,dc=dwave/XXXXXXXX to huckster.corp.van.dwave:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter
(&(sAMAccountName=apuye)(memberOf=CN=rptpcps,OU=Datawave
Users,DC=corp,DC=van,DC=dwave))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user apuye authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "apuye" with password "XXXXXXXX"
rlm_ldap: user DN: CN=Alhagie Puye,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,DC=dwave
rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 1
rlm_ldap: bind as CN=Alhagie Puye,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,DC=dwave/XXXXXXXX to huckster.corp.van.dwave:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user apuye authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 210 to 127.0.0.1:37372
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 210 with timestamp 438d009d
Nothing to do. Sleeping until we see a request.
The ObjectClass for group is "group". Shouldn't I just be able to use
that instead of extending the schema?
Any help is greatly appreciated.
Thanks in advance
> >-Dusty Doris
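Added example, not code from this thread or from FreeRADIUS itself: a small model of what rlm_ldap does with the replyItem lines in ldap.attrmap, so the difference between the two attrmaps in the thread can be seen on constructed data. A replyItem rule names an LDAP attribute of the user's own entry; rlm_ldap copies each value of that attribute into the named RADIUS reply attribute. The directory entries, the radiusClass attribute (the one Dusty's reply assumes after extending the schema) and the group-to-Class table are all constructed for illustration; the Class value format "OU=<group>;" is the one the thread shows for the concentrator. The last function models the schema-free alternative of deciding Class on the RADIUS server from the user's memberOf values (the way a users-file entry keyed on an Ldap-Group check item would); it is an illustration of that idea, not a FreeRADIUS API.

```python
"""Model of rlm_ldap's ldap.attrmap reply-item handling (added example)."""
from typing import Dict, List, Tuple

AttrMapRule = Tuple[str, str, str]          # (checkItem|replyItem, RADIUS attr, LDAP attr)
LdapEntry = Dict[str, List[str]]            # attribute name -> list of values


def parse_attrmap(text: str) -> List[AttrMapRule]:
    """Parse ldap.attrmap lines: '<checkItem|replyItem> <RADIUS attr> <LDAP attr>'.
    Blank lines and '#' comments are skipped; anything else malformed is an error."""
    rules: List[AttrMapRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed ldap.attrmap line: {raw!r}")
        kind, radius_attr, ldap_attr = parts
        rules.append((kind, radius_attr, ldap_attr))
    return rules


def reply_items(entry: LdapEntry, attrmap: str) -> List[Tuple[str, str]]:
    """Build (RADIUS attribute, value) reply pairs the way rlm_ldap does:
    for every replyItem rule, read the named LDAP *attribute* from the user's
    entry (LDAP attribute names are case-insensitive) and emit one item per
    value. An objectClass *name* such as 'group' or 'groupOfNames' is not an
    attribute on the user entry, so a rule naming it produces nothing."""
    lowered = {k.lower(): v for k, v in entry.items()}
    out: List[Tuple[str, str]] = []
    for kind, radius_attr, ldap_attr in parse_attrmap(attrmap):
        if kind != "replyItem":
            continue
        for value in lowered.get(ldap_attr.lower(), []):
            out.append((radius_attr, value))
    return out


def first_rdn_value(dn: str) -> str:
    """Value of the leading RDN, e.g. 'rptpcps' from
    'CN=rptpcps,OU=Datawave Users,DC=corp,DC=van,DC=dwave'.
    Plain split; an escaped comma inside the first RDN is not handled."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1].strip()


def class_from_membership(entry: LdapEntry,
                          group_to_class: Dict[str, str]) -> List[Tuple[str, str]]:
    """Schema-free alternative (illustrative, not a FreeRADIUS feature):
    derive Class from the user's memberOf DNs using a table kept on the RADIUS
    server, keyed by group CN. Groups absent from the table add nothing."""
    lowered = {k.lower(): v for k, v in entry.items()}
    out: List[Tuple[str, str]] = []
    for dn in lowered.get("memberof", []):
        cls = group_to_class.get(first_rdn_value(dn))
        if cls is not None:
            out.append(("Class", cls))
    return out


# Constructed entries and attrmaps (not real directory data).
OPENLDAP_ENTRY: LdapEntry = {"cn": ["someuser"], "radiusClass": ["OU=myvpngroup;"]}
AD_ENTRY: LdapEntry = {
    "sAMAccountName": ["apuye"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "memberOf": ["CN=rptpcps,OU=Datawave Users,DC=corp,DC=van,DC=dwave"],
}
DUSTY_ATTRMAP = "replyItem Class radiusClass\n"
POSTED_ATTRMAP = "replyItem Class groupofnames\nreplyItem Class group\n"
GROUP_TO_CLASS = {"rptpcps": "OU=rptpcps;"}   # constructed table

if __name__ == "__main__":
    print(reply_items(OPENLDAP_ENTRY, DUSTY_ATTRMAP))   # [('Class', 'OU=myvpngroup;')]
    print(reply_items(AD_ENTRY, POSTED_ATTRMAP))        # []
    print(class_from_membership(AD_ENTRY, GROUP_TO_CLASS))  # [('Class', 'OU=rptpcps;')]
```

Run as a script it prints the three results above: the schema-extended entry yields a Class reply item, the posted attrmap against an unextended AD user entry yields none (which matches the debug output's "looking for reply items in directory..." followed by no items), and the membership table yields a Class item without any schema change.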