wireless - freeradius - MS ldap

Dickson, John JDickson2 at mccneb.edu
Wed Jan 4 20:32:28 CET 2006


Here is my ldap section:

ldap {
        server = "10.1.1.29"
        identity = dmadmin1
        password = rDkf at my
        basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # tls_cacertfile        = /path/to/cacert.pem
        # tls_cacertdir         = /path/to/ca/dir/
        # tls_certfile          = /path/to/radius.crt
        # tls_keyfile           = /path/to/radius.key
        # tls_randfile          = /path/to/rnd
        # tls_require_cert      = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # Set:
        #       password_attribute = nspmPassword
        #
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #
        #
        #  The server can usually figure this out on its own, and pull
        #  the correct User-Password or NT-Password from the database.
        #
        #  Note that NT-Passwords MUST be stored as a 32-digit hex
        #  string, and MUST start off with "0x", such as:
        #
        #       0x000102030405060708090a0b0c0d0e0f
        #
        #  Without the leading "0x", NT-Passwords will not work.
        #  This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        #
        # Un-comment the following to disable Novell eDirectory account
        # policy check and intruder detection. This will work *only if*
        # FreeRADIUS is configured to build with --with-edir option.
        #
        # edir_account_policy_check=no
        #
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
}


Verify first that you can in fact query Active Directory with this
username/password combination.

There is a utility called ldapsearch. I believe it comes with OpenLDAP.
Use that to directly query AD for verification.

Here is an example:

ldapsearch -LLL -h name.serverdm.domain.edu -x -b
'dc=domain,dc=com' '(samaccountname=powerful)' -D powerful -w userspass

This seems to work:

[john@magellan ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b
'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu' -D
any-user@serverdm.domain.edu -w Passw0rd
No such object (32)
Matched DN: DC=serverdm,DC=domain,DC=edu
Additional information: 0000208D: NameErr: DSID-031001CD, problem 2001
(NO_OBJECT), data 0, best match of:
        'DC=serverdm,DC=domain,DC=edu'


What does your "ldap" section in radiusd.conf look like? Can you please
provide a copy?


This will confirm whether or not the credentials are correct.
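The thread's advice is to check the bind credentials and the user lookup with ldapsearch before blaming rlm_ldap, and the pasted section also carries settings worth reviewing before they go live against Active Directory (start_tls = no, a filter on uid, a bare bind identity). The script below is an added example, not code from the post or from the FreeRADIUS project: it parses a FreeRADIUS 1.x style ldap { } block, flags those review points, and builds the equivalent ldapsearch command. The sample config is constructed from the post with the password replaced by a placeholder; the "AD" checks assume Active Directory conventions (sAMAccountName for logins, UPN or DN for simple binds) and the ldapsearch flags used (-H, -D, -W, -Z, -b) are standard OpenLDAP client options.

```python
import re
import shlex

# Constructed sample, modelled on the ldap { } section in the post, with the
# bind password replaced by a placeholder. Added example, not the poster's file.
SAMPLE_LDAP_SECTION = """
ldap {
        server = "10.1.1.29"
        identity = dmadmin1
        password = REPLACE_ME          # placeholder, not a real credential
        basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # set this to 'yes' to use TLS encrypted connections
        start_tls = no
        # tls_require_cert = "demand"
        access_attr = "dialupAccess"
        ldap_connections_number = 5
        timeout = 4
}
"""


def parse_ldap_section(text):
    """Parse a FreeRADIUS 1.x rlm_ldap 'ldap { ... }' block into a dict.

    Only the flat 'key = value' lines rlm_ldap uses are handled; '#' comments
    and blank lines are skipped and surrounding double quotes are removed.
    """
    settings = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        if re.match(r"^ldap\s*\{", line):
            in_block = True
        elif line == "}":
            in_block = False
        elif in_block and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def lint_ldap_section(settings, directory="ad"):
    """Return (code, message) findings a reviewer would raise before going live.

    The 'ad' checks encode Active Directory conventions (sAMAccountName for
    logins, UPN or DN for simple binds); they are this example's assumptions.
    """
    findings = []
    if settings.get("start_tls", "no").lower() != "yes":
        findings.append(("CLEARTEXT_BIND",
            "start_tls is not 'yes': the bind identity/password and every user "
            "lookup cross the network in cleartext on port 389"))
    elif settings.get("tls_require_cert", "demand") != "demand":
        findings.append(("NO_CERT_CHECK",
            "StartTLS is on but the server certificate is not verified"))
    if directory == "ad" and "(uid=" in settings.get("filter", ""):
        findings.append(("AD_FILTER_ATTR",
            "filter looks up 'uid'; AD accounts are normally matched on "
            "sAMAccountName (or userPrincipalName), so lookups will miss"))
    identity = settings.get("identity", "")
    if directory == "ad" and "@" not in identity and "=" not in identity:
        findings.append(("AD_BIND_IDENTITY",
            "identity is a bare account name; AD simple binds usually expect "
            "a UPN (user@domain) or a full DN"))
    if not settings.get("password"):
        findings.append(("NO_BIND_PASSWORD", "no bind password configured"))
    return findings


def ldapsearch_command(settings, username):
    """Build the ldapsearch argv that reproduces what rlm_ldap would do.

    Mirrors the post's advice to verify the bind and lookup with ldapsearch
    first. Uses -W (prompt) instead of -w so the password stays out of shell
    history, and adds -Z when the module will use StartTLS.
    """
    user_filter = (settings.get("filter", "(uid=%{User-Name})")
                   .replace("%{Stripped-User-Name:-%{User-Name}}", username)
                   .replace("%{User-Name}", username))
    argv = ["ldapsearch", "-LLL", "-x", "-H", "ldap://" + settings["server"],
            "-D", settings["identity"], "-W", "-b", settings["basedn"]]
    if settings.get("start_tls", "no").lower() == "yes":
        argv.insert(1, "-Z")
    argv.append(user_filter)
    return argv


if __name__ == "__main__":
    cfg = parse_ldap_section(SAMPLE_LDAP_SECTION)
    for code, msg in lint_ldap_section(cfg):
        print(f"[{code}] {msg}")
    print("verify with:", shlex.join(ldapsearch_command(cfg, "jdoe")))
```

Running it against the sample prints the three review points and an ldapsearch line that reproduces the module's bind and per-user filter; once the section is changed to start_tls = yes with a verified certificate, a UPN or DN bind identity and an sAMAccountName filter, the linter reports nothing and the generated command gains -Z.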
