Freeradius + Microsoft Active Directory
Natalia Escalera
nescalera at gmail.com
Sat Feb 25 18:53:20 CET 2006
Hello Mr. DeKok
Thank you for the fast response. The password is clear-text. We are
using ethereal to debug why we are getting "Operations Error" on the
Search Result. The Operation Errors comment is the following:
"In order to perform this operation a successful bind must be completed."
The search request on ethereal from Freeradius to the active directory
gives the following:
Message Type: Search Request
Message Length: 96
Response In: 469
Base DN: dc=test, dc=prt
Scope: subtree (0x02)
Derefence: Never (0x00)
Size Limit: 0
Time Limit: 4
Attributes only: False
Filter: (&(objectclass=person)(sAMAccountName=%u))
Attribute: uid ???? We are not sending this attribute and we do not
know where it is specified on Freeradius.
Here are the settings given for LDAP module on radius.conf and user file:
#radius.conf
ldap {
server="xxx.xx.xxx.xxx"
identity ="" # Is this supposed to be the bind DN???
password = "mypassword"
basedn ="dc=test,dc=prt"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
filter ="(&(objectclass=person) (sAMAccountName=%u))"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout =5
timelimit =4
net_timeout =2
compare_check_items = yes
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
#users file
DEFAULT Auth-Type := LDAP
Fall-Through = 1
Can you please tell us if there is something wrong or if we are
missing something on the configuration files?
Thanks in advance,
Nataly
On 2/25/06, Alan DeKok <aland at ox.org> wrote:
> "Natalia Escalera" <nescalera at gmail.com> wrote:
> > I am setting up freeradius with Microsoft Active Directory. So far, I
> > am able to connect to the server but not to authenticate a user. Can
> > you please give me a hint of how the configuration files need to be
> > set in order to authenticate the user.
>
> If the RADIUS packets have clear-text passwords, then the normal
> LDAP module should work. If you're using PEAP or MS-CHAP, read
> "radiusd.conf", and use "ntlm_auth".
>
> > Also, what is "3D" used for? (Example: server =3D your.ad.server.org ...)
>
> Nothing. It's an artifact of stupid mailers. 3D is ASCII for '='.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
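An added example, not part of the thread: a small Python check over the ldap {} block posted above. It parses the settings and flags the empty bind identity (an anonymous search is what Active Directory rejects with "a successful bind must be completed") and the clear-text transport. The service-account DN used in the comment is a placeholder, not something from the thread.

```python
"""Lint a FreeRADIUS 1.x rlm_ldap block for bind and transport mistakes."""
import re

# Constructed sample: the ldap {} block from the message, trimmed to the
# settings that matter for the bind problem.
SAMPLE_LDAP_BLOCK = """\
ldap {
    server="xxx.xx.xxx.xxx"
    identity ="" # Is this supposed to be the bind DN???
    password = "mypassword"
    basedn ="dc=test,dc=prt"
    filter ="(&(objectclass=person) (sAMAccountName=%u))"
    start_tls = no
    access_attr = "dialupAccess"
}
"""

_KV = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$')

def parse_ldap_block(text):
    """Return {key: value} for 'key = value' lines inside the block.
    Comment-only lines are skipped and trailing '# ...' comments dropped
    (values containing '#' are not expected in this block)."""
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line.split('#', 1)[0])
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def lint_ldap_block(text):
    """Return a list of findings about the bind and transport settings."""
    cfg = parse_ldap_block(text)
    findings = []
    identity = cfg.get('identity', '')
    if not identity:
        # An empty bind DN is an anonymous simple bind (or, with a password
        # present, an RFC 4513 "unauthenticated" bind). AD answers searches
        # on such a session with operationsError, the message in the thread.
        findings.append('identity is empty: searches run on an anonymous bind; set it '
                        'to the DN of a read-only service account, e.g. '
                        'cn=radius,cn=Users,dc=test,dc=prt (placeholder)')
        if cfg.get('password'):
            findings.append('password is set but identity is empty: the password is '
                            'sent in an unauthenticated bind and never used')
    if cfg.get('start_tls', 'no').lower() != 'yes' and not cfg.get('server', '').startswith('ldaps://'):
        findings.append('start_tls = no and server is not ldaps://: the bind password and '
                        'the user passwords checked by binding as the user travel in clear text')
    return findings
```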