Freeradius Auth via LDAP against Active Directory Server 2003

Jacob Jarick mem.namefix at gmail.com
Sun Apr 29 12:30:03 CEST 2007


radiusd.conf: http://pastebin.ca/464133
radiusd -X output: http://pastebin.ca/464138

Tried with 1.1.6 and fails with this error:

rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
radiusd.conf[540]: ldap: Module instantiation failed.
radiusd.conf[586] Unknown module "ldap".
radiusd.conf[586] Failed to parse "ldap" entry.
-----------------------------
/etc/raddb/ldap.attrmap does exist as provided by the rpm.

[root@localhost src]# ls -l /etc/raddb/ldap.attrmap
-rw-r----- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap

I assume the permissions are correct, as it was installed by rpm. I'm
building the 1.1.4 rpm now, will report back once done.

On 4/29/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> Thanks for the very detailed instructions.
>
> I will attempt this shortly (brought rad & AD servers home for weekend study).
>
> Quite possibly the biggest learning curve for me is the ldap fields,
> but I am finally starting to get familiar with them.
>
> Cheers again, will post back once I've run the radtest.
>
> On 4/28/07, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> > I haven't been following your (quite extensive) queries, so apologies if
> > I've missed something fundamental.
> >
> > I honestly don't know why this is proving so difficult. I've just tested
> > this against our own 2k3 AD service, and although I'm pretty familiar
> > with FR it took under 5 minutes. Try following the instructions below.
> > These were tested with FreeRadius 1.1.4
> >
> > 1. First, create or locate an existing account which FreeRadius can bind
> > and do its searches as. Record the following variables:
> >
> > SEARCHDN=<the DN of the account>
> > SEARCHPW=<the password>
> > BASEDN=<the DN below which all your accounts live in AD>
> > ADHOST=<hostname of the AD controller you'll search against>
> >
> > For example, these might be:
> >
> > SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> > SEARCHPW=blahblah
> > BASEDN=OU=My Site,DC=mysite,DC=com
> >
> > 2. Next, take the default "radiusd.conf"
> >
> > 3. Find the start of the modules section:
> >
> > modules {
> >   ...
> >
> > Delete this line and all the following lines
> >
> > 4. Insert the following config:
> >
> > modules {
> >    ldap {
> >      server = "$ADHOST"
> >      identity = "$SEARCHDN"
> >      password = "$SEARCHPW"
> >
> >      basedn = "$BASEDN"
> >      filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> >
> >      dictionary_mapping = ${raddbdir}/ldap.attrmap
> >
> >      ldap_connections_number = 5
> >      timeout = 4
> >      timelimit = 3
> >      net_timeout = 1
> >    }
> >
> >    preprocess {
> >      huntgroups = ${confdir}/huntgroups
> >      hints = ${confdir}/hints
> >
> >      with_ascend_hack = no
> >      ascend_channels_per_line = 23
> >
> >      with_ntdomain_hack = no
> >      with_specialix_jetstream_hack = no
> >      with_cisco_vsa_hack = no
> >    }
> >
> >    detail {
> >      detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> >      detailperm = 0644
> >    }
> >
> > }
> >
> > instantiate {
> > }
> >
> > authorize {
> >    preprocess
> >
> >    ldap
> > }
> >
> > authenticate {
> >    Auth-Type LDAP {
> >      ldap
> >    }
> > }
> >
> >
> > preacct {
> >    preprocess
> > }
> >
> > accounting {
> >    detail
> > }
> >
> >
> > session {
> > }
> >
> > post-auth {
> > }
> >
> > pre-proxy {
> > }
> >
> > post-proxy {
> > }
> >
> > 5. Start the server with -X
> >
> > 6. Run "radtest" to send a checking PAP request
> >
> > It should work.
> >
> > The above config is the ABSOLUTE BARE MINIMUM server config which will
> > check PAP requests ONLY against an AD LDAP server. I do NOT recommend
> > you go into service with this config. Try to look at it, understand how
> > it's doing what it's doing, *then* start again with the default
> > FreeRadius config and make the absolute minimum changes to get back to
> > that point.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>

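The four values Phil asks you to record in step 1 are written into radiusd.conf as literals; radiusd does not expand `$ADHOST`-style shell variables, so the "$..." placeholders in his step 4 stanza must be replaced by hand. The script below is an added example, not code from this thread or from the FreeRADIUS project: it renders the minimal `ldap { }` stanza from those four values and prints the `ldapsearch` command that performs the same bind and sAMAccountName lookup rlm_ldap will do, so the service account, base DN and filter can be checked against the DC before radiusd is involved. The hostname `dc1.mysite.com`, the DNs, the password and the username `jjarick` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or the FreeRADIUS project).
# Substitutes Phil's recorded values into the minimal rlm_ldap stanza and
# builds the equivalent ldapsearch pre-flight check. All hostnames, DNs,
# passwords and usernames in this file are constructed.

# render_ldap_module ADHOST SEARCHDN SEARCHPW BASEDN
# Prints the ldap { } module block with the literal values substituted.
# \${raddbdir} is left unexpanded because radiusd expands it, not the shell.
render_ldap_module() {
    adhost=$1 searchdn=$2 searchpw=$3 basedn=$4
    cat <<EOF
ldap {
  server = "$adhost"
  identity = "$searchdn"
  password = "$searchpw"

  basedn = "$basedn"
  filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

  dictionary_mapping = \${raddbdir}/ldap.attrmap

  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
}
EOF
}

# ldap_check_cmd ADHOST SEARCHDN BASEDN USERNAME
# Prints (does not run) the OpenLDAP ldapsearch invocation that does the same
# simple bind as SEARCHDN and the same sAMAccountName search rlm_ldap performs
# for USERNAME. -W prompts for SEARCHPW so it never lands in shell history.
# Run it by hand with: eval "$(ldap_check_cmd ...)"
ldap_check_cmd() {
    printf 'ldapsearch -x -H ldap://%s -D "%s" -W -b "%s" "(sAMAccountName=%s)" sAMAccountName\n' \
        "$1" "$2" "$3" "$4"
}

# Demo run with constructed values shaped like Phil's example DNs:
#   sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    render_ldap_module dc1.mysite.com \
        "CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com" \
        blahblah "OU=My Site,DC=mysite,DC=com"
    ldap_check_cmd dc1.mysite.com \
        "CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com" \
        "OU=My Site,DC=mysite,DC=com" jjarick
fi
```

If the printed ldapsearch returns exactly one entry for a known user, the bind account, base DN and filter are right and any remaining failure is on the FreeRADIUS side (module instantiation, file permissions, Auth-Type). Two caveats for anything beyond a lab: the rendered stanza carries the bind password in cleartext, so radiusd.conf must be readable only by the user radiusd runs as; and with plain `ldap://` the bind password, and the user's own password when Auth-Type LDAP binds as that user to check it, cross the wire to the DC unencrypted, so use TLS between the RADIUS server and the DC before going into service.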