Cannot authenticate against Active Directory as LDAP server

Anup Parkhi anup_parkhi at hotmail.com
Wed Nov 30 03:44:17 CET 2005


My environment is:

FreeRADIUS: 1.0.5 on RedHat
Supplicant: Funk Odyssey (tried with the XP supplicant also)
Authenticator: HP ProCurve switch
EAP: EAP-MD5
Directory: Active Directory as LDAP server

I am getting the following error while authenticating users in Active Directory. Any help is appreciated. I went through ldap_how_to.txt and changed my radiusd.conf to tailor it for Active Directory, but it is still failing.

My configuration sections are:

ldap {
               server = "10.11.12.137"
               identity = "cn=Administrator,cn=users,dc=parkhi,dc=net"
               password = mypassword
               basedn = "cn=users,dc=parkhi,dc=net"
               filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
               # base_filter = "(objectclass=radiusprofile)"

               # set this to 'yes' to use TLS encrypted connections
               # to the LDAP database by using the StartTLS extended
               # operation.
               # The StartTLS operation is supposed to be used with normal
               # ldap connections instead of using ldaps (port 689) connections
               start_tls = no

               # tls_cacertfile        = /path/to/cacert.pem
               # tls_cacertdir         = /path/to/ca/dir/
               # tls_certfile          = /path/to/radius.crt
               # tls_keyfile           = /path/to/radius.key
               # tls_randfile          = /path/to/rnd
               # tls_require_cert      = "demand"

               # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
               # profile_attribute = "radiusProfileDn"
               # access_attr = "dialupAccess"

               # Mapping of RADIUS dictionary attributes to LDAP
               # directory attributes.
               dictionary_mapping = ${raddbdir}/ldap.attrmap

               ldap_connections_number = 10

               #
               # NOTICE: The password_header directive is NOT case insensitive
               #
               # password_header = "{clear}"
               #
               #  The server can usually figure this out on its own, and pull
               #  the correct User-Password or NT-Password from the database.
               #
               #  Note that NT-Passwords MUST be stored as a 32-digit hex
               #  string, and MUST start off with "0x", such as:
               #
               #       0x000102030405060708090a0b0c0d0e0f
               #
               #  Without the leading "0x", NT-Passwords will not work.
               #  This goes for NT-Passwords stored in SQL, too.
               #
               password_attribute = User-Password
               # groupname_attribute = cn
               # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
               # groupmembership_attribute = radiusGroupName
               timeout = 4
               timelimit = 3
               net_timeout = 1
               compare_check_items = no
               # do_xlat = yes
               # access_attr_used_for_allow = yes
       }

authorize {
       preprocess
       suffix
       files
       ldap
}

authenticate {
       Auth-Type LDAP {
               ldap
       }
}


The console output of radiusd -X:

Cleaning up request 4 ID 229 with timestamp 438d0d46
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.11.12.107:1024, id=230, length=214
       Framed-MTU = 1480
       NAS-IP-Address = 10.11.12.107
       NAS-Identifier = "HP ProCurve Switch 2824"
       User-Name = "test"
       Service-Type = Framed-User
       Framed-Protocol = PPP
       NAS-Port = 24
       NAS-Port-Type = Ethernet
       NAS-Port-Id = "24"
       Called-Station-Id = "00-0f-20-8d-04-c8"
       Calling-Station-Id = "00-c0-9f-0d-4a-1f"
       Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
       Tunnel-Type:0 = VLAN
       Tunnel-Medium-Type:0 = IEEE-802
       Tunnel-Private-Group-Id:0 = "1010"
       EAP-Message = 0x020100090174657374
       Message-Authenticator = 0xaf12ec64c245045bbf5a5cc4985025de
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
   rlm_realm: No '@' in User-Name = "test", looking up realm NULL
   rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
   users: Matched test at 66
modcall[authorize]: module "files" returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(sAMAccountName=test)'
radius_xlat:  'cn=users,dc=parkhi,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=parkhi,dc=net, with filter 
(sAMAccou)rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 5
modcall: group Auth-Type returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
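The debug output above shows where the request fails: rlm_ldap's authenticate step reports that User-Password is required, after the users file forced Auth-Type LDAP. A request from an EAP supplicant carries an EAP-Message and no User-Password attribute, and rlm_ldap authenticates by binding to the directory as the user with that cleartext password, so a forced Auth-Type LDAP cannot succeed for EAP traffic. The following triage helper is an added example, not code from the original post or from the FreeRADIUS project: it parses radiusd -X output of the kind shown above, decodes the EAP-Message header (RFC 3748), and reports the failed module with its message together with that root cause. The log text embedded in it is a constructed, trimmed copy of the poster's output; the module names, attribute names and result words it matches are those FreeRADIUS 1.x prints. One separate caveat this helper does not address: even with Auth-Type EAP, EAP-MD5 needs a cleartext password available to the server, and Active Directory does not return password attributes over LDAP.

```python
"""Triage helper for FreeRADIUS 1.x `radiusd -X` output (added example)."""
import re

# Constructed sample: a trimmed copy of the poster's debug output.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.11.12.107:1024, id=230, length=214
\tUser-Name = "test"
\tNAS-Port-Type = Ethernet
\tTunnel-Type:0 = VLAN
\tEAP-Message = 0x020100090174657374
\tMessage-Authenticator = 0xaf12ec64c245045bbf5a5cc4985025de
modcall[authorize]: module "files" returns ok for request 5
modcall[authorize]: module "ldap" returns ok for request 5
rad_check_password:  Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 5
"""

# Line shapes printed by radiusd -X: indented "Attr = value" pairs (with an
# optional ":tag" suffix), modcall results, the chosen Auth-Type, and rlm_* messages.
ATTR_RE = re.compile(r'^\s+([A-Za-z][\w-]*)(?::\d+)?\s*=\s*(.*)$')
MOD_RE = re.compile(r'^modcall\[(\w+)\]: module "([\w-]+)" returns (\w+)')
AUTH_RE = re.compile(r'Found Auth-Type (\S+)')
MSG_RE = re.compile(r'^rlm_(\w+): (.+)$')

# EAP header fields per RFC 3748.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_debug(log):
    """Split debug text into request attributes, module results,
    the chosen Auth-Type and per-module diagnostic messages."""
    attrs, results, messages, auth_type = {}, [], {}, None
    for line in log.splitlines():
        if (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2).strip().strip('"')
        elif (m := MOD_RE.match(line)):
            results.append((m.group(1), m.group(2), m.group(3)))
        elif (m := AUTH_RE.search(line)):
            auth_type = m.group(1)
        elif (m := MSG_RE.match(line)):
            messages.setdefault(m.group(1), []).append(m.group(2))
    return attrs, results, auth_type, messages


def decode_eap(value):
    """Decode the EAP header carried in a RADIUS EAP-Message attribute (0x-prefixed hex)."""
    data = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # Request/Response carry a Type byte and data
        info["type"] = EAP_TYPES.get(data[4], data[4])
        info["data"] = data[5:length]
    return info


def diagnose(log):
    """Return a structured verdict for the request in the debug output."""
    attrs, results, auth_type, messages = parse_debug(log)
    verdict = {
        "failed": [(sec, mod, res, messages.get(mod, []))
                   for sec, mod, res in results if res in ("invalid", "fail", "reject")],
        "auth_type": auth_type,
        "eap": decode_eap(attrs["EAP-Message"]) if "EAP-Message" in attrs else None,
        "has_user_password": "User-Password" in attrs,
        "root_cause": None,
    }
    # An EAP request never carries the cleartext password that a bind-based
    # Auth-Type (such as LDAP) needs; only the eap module can handle it.
    if verdict["eap"] and not verdict["has_user_password"] and auth_type and auth_type != "EAP":
        verdict["root_cause"] = (
            f"Auth-Type {auth_type} was forced for an EAP request: the request carries "
            "EAP-Message but no User-Password, and rlm_ldap's authenticate step needs the "
            "cleartext password to bind as the user. Let the eap module set Auth-Type EAP "
            "in authorize and remove any users-file entry that forces Auth-Type := LDAP."
        )
    return verdict


if __name__ == "__main__":
    v = diagnose(SAMPLE_LOG)
    for sec, mod, res, msgs in v["failed"]:
        print(f"{sec}/{mod} -> {res}: {'; '.join(msgs)}")
    print("EAP:", v["eap"])
    print("root cause:", v["root_cause"])
```

Run it against a saved radiusd -X capture by replacing SAMPLE_LOG with the file contents; the decoded EAP-Message (here a Response, type Identity, data "test") confirms the supplicant is speaking EAP, and the absence of User-Password in the attribute list is the check that explains the "required for authentication" message.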