Yet Another AD Question
Josh
josh2780 at yahoo.com
Wed May 24 21:25:44 CEST 2006
The only trouble I have with IAS is that most of the
users are contained in a separate AD forest. I have a
2-way trust with another organization. I can
authenticate users of the trusted org from my domain
over LDAP... however, I can't rely on the trusted
domain's "Dial In" settings for IAS. Which is why I'm
looking for a way to use LDAP only. I've tried, as
you suggested, proxying requests to my AD IAS, but I
suppose my remote access policy has issues of its own.
--- ho <nospam at berwicke.de> wrote:
> Hi,
>
> I've tried a lot, but at the moment we have got a
> very smart solution to
> combine the flexibility of freeradius with
> authentication of central AD:
>
> 1) setting up an ms ias server, which is only there
> for authenticating, I
> have got only one policy!
> 2) setting up freeradius to proxy the
> authentication-requests to the ias.
> 3) Authorization still remains on the freeradius
> 4) Accounting with freeradius/mysql
>
> I've tried to use samba but AD-Gurus were not amused
> to integrate a
> samba-box into the AD ;-)
>
> For me it was the "perfect" solution.
>
> ho
>
>
> ----- Original Message -----
> From: "Josh" <josh2780 at yahoo.com>
> To: <freeradius-users at lists.freeradius.org>
> Sent: Wednesday, May 24, 2006 6:36 PM
> Subject: Yet Another AD Question
>
>
> > I've crawled the web for info and tried numerous
> > things to get FreeRadius authenticating users with a
> > 2003 Active Directory.
> >
> > I'm currently running FreeRadius (with MySQL) on RHEL4
> > using the RPMs included with RHEL4:
> >
> > freeradius-1.0.1-3.RHEL4
> > freeradius-mysql-1.0.1-3.RHEL4
> >
> > Running radiusd in debug mode (-X) shows a successful
> > bind to the AD server. I then can see rlm_ldap
> > performing a search and then eventually fails:
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> > <snip>
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in
> > cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter
> > cn=administrator
> > ldap_search
> > put_filter: "cn=administrator"
> > put_filter: default
> > put_simple_filter: "cn=administrator"
> > ldap_send_initial_request
> > ldap_send_server_request
> > ldap_result msgid 2
> > ldap_chkResponseList for msgid=2, all=1
> > ldap_chkResponseList returns NULL
> > wait4msg (timeout 4 sec, 0 usec), msgid 2
> > wait4msg continue, msgid 2, all 1
> > ** Connections:
> > * host: org.my.domain.com port: 389 (default)
> > refcnt: 2 status: Connected
> > last used: Wed May 24 12:14:51 2006
> >
> > ** Outstanding Requests:
> > * msgid 2, origid 2, status InProgress
> > outstanding referrals 0, parent count 0
> > ** Response Queue:
> > Empty
> > ldap_chkResponseList for msgid=2, all=1
> > ldap_chkResponseList returns NULL
> > ldap_int_select
> > read1msg: msgid 2, all 1
> > ldap_read: message type search-result msgid 2,
> > original id 2
> > ldap_chase_referrals
> > read1msg: V2 referral chased, mark request completed,
> > id = 2
> > new result: res_errno: 1, res_error: <00000000:
> > LdapErr: DSID-0C090627, comment: In order to perform
> > this operation a successful bind must be completed on
> > the connection., data 0, vece>, res_matched: <>
> > read1msg: 0 new referrals
> > read1msg: mark request completed, id = 2
> > request 2 done
> > res_errno: 1, res_error: <00000000: LdapErr:
> > DSID-0C090627, comment: In order to perform this
> > operation a successful bind must be completed on the
> > connection., data 0, vece>, res_matched: <>
> > ldap_free_request (origid 2, msgid 2)
> > ldap_free_connection
> > ldap_free_connection: refcnt 1
> > ldap_parse_result
> > ldap_err2string
> > rlm_ldap: ldap_search() failed: Operations error
> > ldap_msgfree
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authenticate]: module "ldap" returns fail
> > for request 0
> > modcall: group authenticate returns fail for request 0
> > auth: Failed to validate the user.
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> > I'm not sure if I'm using the wrong ldap search or
> > what. Here's my ldap section of radiusd.conf:
> >
> > server = "org.my.domain.com"
> > ldap_debug = 0xFFFF
> > basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
> > filter = "cn=%u"
> > start_tls = no
> > access_attr = "dialupAccess"
> > dictionary_mapping = ${raddbdir}/ldap.attrmap
> > ldap_connections_number = 5
> > timeout = 4
> > timelimit = 3
> > net_timeout = 1
> >
> >
> > Although I'd like to avoid it, would it be easier
> > to install SAMBA on the RHES4 box and connect SAMBA to
> > AD and then connect FreeRadius to SAMBA? I've also
> > come across possible issues with certain versions of
> > openldap and 2003 AD?
> >
> > As soon as this part is working I'll be authenticating
> > wireless users (using Cisco APs) as well. But I think
> > that should run fairly smooth as soon as FreeRadius
> > and AD are talking the same language.
> >
> > I hope there are some Radius/AD gurus out there?
> >
> > Many thanks in advance...
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>
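Added below as an example that is not part of this thread and not FreeRADIUS code: a small Python linter that reads the ldap {} fragment and the rlm_ldap debug excerpt quoted in the original post (both embedded as constructed copies) and names the failure chain the log shows: the configured bind succeeds, AD answers the search with a referral, the client chases it on a fresh connection that was never bound, AD rejects that with "a successful bind must be completed", and rlm_ldap reports "Operations error". The rlm_ldap option names `chase_referrals` and `rebind` in the advice text come from later rlm_ldap releases and are an assumption for the 1.0.1 build in the post; check the radiusd.conf shipped with your version.

```python
"""Lint an rlm_ldap configuration fragment against a radiusd -X debug excerpt.

Added example for the FreeRADIUS-Users thread above; not FreeRADIUS code.
"""
import re

# Constructed copy of the ldap {} fragment quoted in the post.
SAMPLE_CONF = """
server = "org.my.domain.com"
ldap_debug = 0xFFFF
basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
filter = "cn=%u"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
"""

# Constructed, abridged copy of the rlm_ldap debug excerpt quoted in the post.
SAMPLE_LOG = """
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter cn=administrator
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 2
new result: res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
rlm_ldap: ldap_search() failed: Operations error
modcall[authenticate]: module "ldap" returns fail for request 0
"""

# Log markers, in the order they must appear for the referral diagnosis to hold.
MARKERS = [
    ("bind_ok", "rlm_ldap: Bind was successful"),
    ("referral_chased", "referral chased"),
    ("unauthenticated_on_referral", "successful bind must be completed"),
    ("search_failed", "ldap_search() failed"),
]

ADVICE = {
    "referral-chase-unauthenticated":
        "AD answered the search with a referral and the client chased it on a "
        "new, unbound connection, which AD rejects. Stop chasing referrals "
        "(assumed option names from later rlm_ldap releases: chase_referrals = no, "
        "or rebind = yes if chasing is required) or search the Global Catalog on "
        "port 3268, which returns forest-local objects without referrals.",
    "filter-uses-cn":
        "AD logon names live in sAMAccountName; cn is usually the display name. "
        "'administrator' happens to match both, so a test with that account hides "
        "the problem. Prefer filter = \"(sAMAccountName=%u)\".",
    "cleartext-bind":
        "start_tls = no on the default port 389 sends the bind password and every "
        "user credential checked by simple bind in the clear; use StartTLS or LDAPS.",
}


def parse_conf(text):
    """Parse `key = value` lines of the ldap {} block; strip surrounding quotes."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip('"')
    return conf


def diagnose_log(text):
    """Return the marker names present in the log, ordered by first appearance."""
    found = sorted((text.find(pat), name) for name, pat in MARKERS if pat in text)
    return [name for _, name in found]


def lint(conf, events):
    """Combine config facts and log events into named findings."""
    findings = []
    if events == [name for name, _ in MARKERS]:
        findings.append("referral-chase-unauthenticated")
    if re.fullmatch(r"\(?cn=%u\)?", conf.get("filter", "")):
        findings.append("filter-uses-cn")
    if conf.get("start_tls", "no").lower() == "no" and conf.get("port", "389") == "389":
        findings.append("cleartext-bind")
    return findings


def report(conf_text=SAMPLE_CONF, log_text=SAMPLE_LOG):
    """Run the linter and return a finding -> advice mapping, ready to print."""
    findings = lint(parse_conf(conf_text), diagnose_log(log_text))
    return {f: ADVICE[f] for f in findings}


if __name__ == "__main__":
    for name, text in report().items():
        print(f"[{name}] {text}")
```

Run it as-is to see the three findings for the quoted configuration, or point `report()` at your own ldap {} block and a `radiusd -X` capture. The ordering check in `lint` matters: a "bind must be completed" error without a preceding successful bind and referral chase points at the configured identity/password instead, which is a different fix.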