Yet Another AD Question

Josh josh2780 at yahoo.com
Wed May 24 21:25:44 CEST 2006


The only trouble I have with IAS is that most of the
users are contained in a separate AD forest.  I have a
2-way trust with another organization. I can
authenticate users of the trusted org from my domain
over LDAP... however, I can't rely on the trusted
domain's "Dial In" settings for IAS.  Which is why I'm
looking for a way to use LDAP only.  I've tried, as
you suggested, proxying requests to my AD IAS, but I
suppose my remote access policy has issues of its own.

--- ho <nospam at berwicke.de> wrote:

> Hi,
> 
> I've tried a lot, but at the moment we have got a very smart solution to
> combine the flexibility of freeradius with authentication of central AD:
> 
> 1) setting up an MS IAS server, which is only there for authenticating, I
> have got only one policy!
> 2) setting up freeradius to proxy the authentication-requests to the IAS.
> 3) Authorization still remains on the freeradius
> 4) Accounting with freeradius/mysql
> 
> I've tried to use samba but AD-Gurus were not amused to integrate a
> samba-box into the AD ;-)
> 
> For me it was the "perfect" solution.
> 
> ho
> 
> 
> ----- Original Message ----- 
> From: "Josh" <josh2780 at yahoo.com>
> To: <freeradius-users at lists.freeradius.org>
> Sent: Wednesday, May 24, 2006 6:36 PM
> Subject: Yet Another AD Question
> 
> 
> > I've crawled the web for info and tried numerous things to get FreeRadius
> > authenticating users with a 2003 Active Directory.
> >
> > I'm currently running FreeRadius (with MySQL) on RHEL4 using the RPMs
> > included with RHEL4:
> >
> >  freeradius-1.0.1-3.RHEL4
> >  freeradius-mysql-1.0.1-3.RHEL4
> >
> > Running radiusd in debug mode (-X) shows a successful bind to the AD
> > server. I can then see rlm_ldap performing a search, which eventually
> > fails:
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> > <snip>
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter cn=administrator
> > ldap_search
> > put_filter: "cn=administrator"
> > put_filter: default
> > put_simple_filter: "cn=administrator"
> > ldap_send_initial_request
> > ldap_send_server_request
> > ldap_result msgid 2
> > ldap_chkResponseList for msgid=2, all=1
> > ldap_chkResponseList returns NULL
> > wait4msg (timeout 4 sec, 0 usec), msgid 2
> > wait4msg continue, msgid 2, all 1
> > ** Connections:
> > * host: org.my.domain.com  port: 389  (default)
> >  refcnt: 2  status: Connected
> >  last used: Wed May 24 12:14:51 2006
> >
> > ** Outstanding Requests:
> > * msgid 2,  origid 2, status InProgress
> >   outstanding referrals 0, parent count 0
> > ** Response Queue:
> >   Empty
> > ldap_chkResponseList for msgid=2, all=1
> > ldap_chkResponseList returns NULL
> > ldap_int_select
> > read1msg: msgid 2, all 1
> > ldap_read: message type search-result msgid 2, original id 2
> > ldap_chase_referrals
> > read1msg:  V2 referral chased, mark request completed, id = 2
> > new result:  res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
> > read1msg:  0 new referrals
> > read1msg:  mark request completed, id = 2
> > request 2 done
> > res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
> > ldap_free_request (origid 2, msgid 2)
> > ldap_free_connection
> > ldap_free_connection: refcnt 1
> > ldap_parse_result
> > ldap_err2string
> > rlm_ldap: ldap_search() failed: Operations error
> > ldap_msgfree
> > rlm_ldap: ldap_release_conn: Release Id: 0
> >  modcall[authenticate]: module "ldap" returns fail for request 0
> > modcall: group authenticate returns fail for request 0
> > auth: Failed to validate the user.
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> > I'm not sure if I'm using the wrong ldap search or what.  Here's my ldap
> > section of radiusd.conf:
> >
> >   server = "org.my.domain.com"
> >   ldap_debug = 0xFFFF
> >   basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
> >   filter = "cn=%u"
> >   start_tls = no
> >   access_attr = "dialupAccess"
> >   dictionary_mapping = ${raddbdir}/ldap.attrmap
> >   ldap_connections_number = 5
> >   timeout = 4
> >   timelimit = 3
> >   net_timeout = 1
> >
> >
> > Although I'd like to avoid it, would it be easier to install SAMBA on the
> > RHEL4 box and connect SAMBA to AD and then connect FreeRadius to SAMBA?
> > I've also come across possible issues with certain versions of openldap
> > and 2003 AD?
> >
> > As soon as this part is working I'll be authenticating wireless users
> > (using Cisco APs) as well.  But I think that should run fairly smoothly
> > as soon as FreeRadius and AD are talking the same language.
> >
> > I hope there are some Radius/AD gurus out there?
> >
> > Many thanks in advance...
> >


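The quoted debug output has a recognizable signature: the bind succeeds, libldap then reports `V2 referral chased`, and the error that follows says the connection is not bound, which is what happens when the client follows an AD referral on a fresh connection without re-binding. The script below is an added example (mine, not from the thread or from FreeRADIUS) that encodes that check as a small parser over the posted log lines; the sample input is constructed from the excerpt above.

```python
import re

# Constructed sample: the rlm_ldap/libldap debug lines quoted in the thread,
# trimmed to those the diagnosis needs (not a live capture).
SAMPLE_LOG = """\
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter cn=administrator
ldap_chase_referrals
read1msg:  V2 referral chased, mark request completed, id = 2
new result:  res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
rlm_ldap: ldap_search() failed: Operations error
modcall[authenticate]: module "ldap" returns fail for request 0
"""

# AD packs a diagnostic string into res_error: "LdapErr: DSID-xxxx, comment: ..., data N".
AD_ERR = re.compile(
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>\d+)"
)


def parse_ad_error(line):
    """Pull the DSID, comment and data fields out of an AD LdapErr string, or None."""
    m = AD_ERR.search(line)
    return m.groupdict() if m else None


def diagnose(log_text):
    """Return (verdict, error_fields) for one rlm_ldap debug run.

    'referral_unauthenticated': the initial bind succeeded, libldap chased a
    referral on a new connection, and the referred-to server rejected the search
    because that new connection was never bound.
    """
    bound = chased = False
    error = None
    for line in log_text.splitlines():
        if "rlm_ldap: Bind was successful" in line:
            bound = True
        elif "referral chased" in line:
            chased = True
        elif error is None and "LdapErr" in line:
            error = parse_ad_error(line)
    if not bound:
        return "bind_failed", error
    if chased and error and "successful bind must be completed" in error["comment"]:
        return "referral_unauthenticated", error
    if error:
        return "other_ldap_error", error
    return "ok", None
```

Turning off referral chasing in the OpenLDAP client (`REFERRALS off` in ldap.conf) or querying the global catalog on port 3268, which returns no referrals for forest-wide searches, removes the condition this detector flags.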