Yet Another AD Question

ho nospam at berwicke.de
Wed May 24 19:58:43 CEST 2006


Hi,

I've tried a lot, but at the moment we have got a very smart solution to 
combine the flexibility of FreeRADIUS with authentication by the central AD:

1) setting up an MS IAS server, which is only there for authenticating; I 
have got only one policy!
2) setting up FreeRADIUS to proxy the authentication requests to the IAS.
3) Authorization still remains on the FreeRADIUS.
4) Accounting with FreeRADIUS/MySQL

I've tried to use Samba, but the AD gurus were not amused about integrating a 
Samba box into the AD ;-)

For me it was the "perfect" solution.

ho
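The split described above (IAS authenticates against AD, FreeRADIUS keeps authorization and accounting) as an added configuration example in FreeRADIUS 1.x syntax; this is constructed for illustration, not ho's actual files, and the IAS hostname, shared secret and module names are placeholders.

```conf
# --- /etc/raddb/proxy.conf (FreeRADIUS 1.x syntax, constructed example) ---
# ias.example.internal and the secret are placeholders; IAS must list this
# FreeRADIUS host as a RADIUS client with the same secret.

proxy server {
	synchronous          = no
	retry_delay          = 5
	retry_count          = 3
	dead_time            = 120
	default_fallback     = no
	post_proxy_authorize = no
}

# Users log in as a plain "jdoe" (no @realm), so the NULL realm catches them.
realm NULL {
	type     = radius
	authhost = ias.example.internal:1812   # IAS checks the password against AD
	accthost = LOCAL                       # Accounting-Request is handled here
	secret   = CHANGE_ME_to_a_long_random_secret
	nostrip                                # forward User-Name to IAS unchanged
}

# --- /etc/raddb/radiusd.conf (relevant sections only) ---
authorize {
	preprocess
	suffix        # realm module: matches realm NULL and sets Proxy-To-Realm
	sql           # local authorization (reply attributes, checks) still runs
}

authenticate {
	# intentionally empty: Access-Requests with Proxy-To-Realm set are
	# forwarded to IAS after authorize, so no local Auth-Type is needed
}

accounting {
	detail
	sql           # accounting records are written to the local MySQL
}
```

The proxied Access-Request carries the user's password protected only by the RADIUS shared secret, so keep the FreeRADIUS-to-IAS link on a trusted network segment and use a long random secret.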


----- Original Message ----- 
From: "Josh" <josh2780 at yahoo.com>
To: <freeradius-users at lists.freeradius.org>
Sent: Wednesday, May 24, 2006 6:36 PM
Subject: Yet Another AD Question


> I've crawled the web for info and tried numerous
> things to get FreeRadius authenticating users with a
> 2003 Active Directory.
>
> I'm currently running FreeRadius (with MySQL) on RHEL4
> using the RPMs included with RHEL4:
>
>  freeradius-1.0.1-3.RHEL4
>  freeradius-mysql-1.0.1-3.RHEL4
>
> Running radiusd in debug mode (-X) shows a successful
> bind to the AD server. I then can see rlm_ldap
> performing a search, which then eventually fails:
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> <snip>
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in
> cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter
> cn=administrator
> ldap_search
> put_filter: "cn=administrator"
> put_filter: default
> put_simple_filter: "cn=administrator"
> ldap_send_initial_request
> ldap_send_server_request
> ldap_result msgid 2
> ldap_chkResponseList for msgid=2, all=1
> ldap_chkResponseList returns NULL
> wait4msg (timeout 4 sec, 0 usec), msgid 2
> wait4msg continue, msgid 2, all 1
> ** Connections:
> * host: org.my.domain.com  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Wed May 24 12:14:51 2006
>
> ** Outstanding Requests:
> * msgid 2,  origid 2, status InProgress
>   outstanding referrals 0, parent count 0
> ** Response Queue:
>   Empty
> ldap_chkResponseList for msgid=2, all=1
> ldap_chkResponseList returns NULL
> ldap_int_select
> read1msg: msgid 2, all 1
> ldap_read: message type search-result msgid 2,
> original id 2
> ldap_chase_referrals
> read1msg:  V2 referral chased, mark request completed,
> id = 2
> new result:  res_errno: 1, res_error: <00000000:
> LdapErr: DSID-0C090627, comment: In order to perform
> this operation a successful bind must be completed on
> the connection., data 0, vece>, res_matched: <>
> read1msg:  0 new referrals
> read1msg:  mark request completed, id = 2
> request 2 done
> res_errno: 1, res_error: <00000000: LdapErr:
> DSID-0C090627, comment: In order to perform this
> operation a successful bind must be completed on the
> connection., data 0, vece>, res_matched: <>
> ldap_free_request (origid 2, msgid 2)
> ldap_free_connection
> ldap_free_connection: refcnt 1
> ldap_parse_result
> ldap_err2string
> rlm_ldap: ldap_search() failed: Operations error
> ldap_msgfree
> rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authenticate]: module "ldap" returns fail
> for request 0
> modcall: group authenticate returns fail for request 0
> auth: Failed to validate the user.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> I'm not sure if I'm using the wrong ldap search or
> what.  Here's my ldap section of radiusd.conf:
>
>   server = "org.my.domain.com"
>   ldap_debug = 0xFFFF
>   basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
>   filter = "cn=%u"
>   start_tls = no
>   access_attr = "dialupAccess"
>   dictionary_mapping = ${raddbdir}/ldap.attrmap
>   ldap_connections_number = 5
>   timeout = 4
>   timelimit = 3
>   net_timeout = 1
>
>
> Although I'd like to avoid it, would it be easier
> to install Samba on the RHES4 box and connect Samba to
> AD and then connect FreeRadius to Samba?  I've also
> come across possible issues with certain versions of
> OpenLDAP and 2003 AD?
>
> As soon as this part is working I'll be authenticating
> wireless users (using Cisco APs) as well.  But I think
> that should run fairly smoothly as soon as FreeRadius
> and AD are talking the same language.
>
> I hope there are some Radius/AD gurus out there?
>
> Many thanks in advance...
>
