LDAP Group membership check not working after upgrade to Windows Server 2003
kesm0724
kevin.smith at emp.shentel.com
Mon Sep 15 18:20:40 CEST 2008
Hello All,
I had FreeRADIUS Version 2.0.5 working fine until I upgraded our domain this
past weekend to Server 2003. When I try to authenticate to our configured
devices this morning I see the following generic error in the debug:
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fails
The odd part about it is that I still have our previous 2000 domain
controllers in place but it appears LDAP group checking is not working. I
have only dcpromo'd the new 2003 controllers and have not made them global
catalogs. Would anyone have any idea why my group checking would no longer
be working?
With LDAP debug turned on....not much more informative:
rlm_ldap: performing user authorization for voila\webtest
expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) ->
(sAMAccountName=webtest)
expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to control.voila.com:389, authentication 0
rlm_ldap: bind as cn=testuser,cn=users,dc=voila,dc=com/mypass to
control.voila.com:389
rlm_ldap: waiting for bind result ...
request done: ld 0x98c6708 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=webtest)
request done: ld 0x98c6708 msgid 4
request done: ld 0x98c6708 msgid 2
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [voila\\webtest/<via Auth-Type = mschap>] (from client Test
port 1176 cli xxxxxxxxx)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> voila\webtest
Complete Debug:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host xxxxxxxxxxx port 1059, id=117,
length=191
User-Name = "voila\\testuser"
NAS-Port = 1175
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "xxxxxxxxxxx"
Calling-Station-Id = "xxxxxxxxxx"
Tunnel-Client-Endpoint:0 = "xxxxxxxxxxxxx"
MS-CHAP-Challenge = 0x949d0f260c0a83423f766c1ba4786e6f
MS-CHAP2-Response =
0x00008c51e82b0b401baffa11bbe4804841af0000000000000000b90e47cdede219ef0896903add05ea5ada973c6c8d58d431
NAS-IP-Address = xxxxxxxxxx
NAS-Port-Type = Virtual
+- entering group authorize
++[preprocess] returns ok
expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/xxxxxxxxx/auth-detail-20080915
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/xxxxxxxxxx/auth-detail-20080915
expand: %t -> Mon Sep 15 11:52:00 2008
++[auth_log] returns ok
++[chap] returns noop
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
rlm_realm: No '@' in User-Name = "voila\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_realm: No '"' in User-Name = "voila\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
expand: dc=voila,dc=com -> dc=voila,dc=com
expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) ->
(sAMAccountName=testuser)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to control.voila.com:389, authentication 0
rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to
control.voila.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=testuser)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for voila\testuser
expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) ->
(sAMAccountName=testuser)
expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to control.voila.com:389, authentication 0
rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to
control.voila.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=testuser)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [voila\\testuser/<via Auth-Type = mschap>] (from client Test
port 1175 cli xxxxxxxxxxxxx)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> voila\testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 117 to xxxxxxxxxxxx port 1059
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 117 with timestamp +18
Ready to process requests.
___________
Freeradius - 2.0.5
[root at ras modules]# rpm -qa | grep openldap
openldap-devel-2.3.27-8.el5_2.4
openldap-2.3.27-8.el5_2.4
[root at ras modules]# rpm -qa | grep samba
samba-common-3.0.28-1.el5_2.1
samba-3.0.28-1.el5_2.1
samba-client-3.0.28-1.el5_2.1
______________________________________________
LDAP.CONF
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "control.voila.com"
identity = "cn=testuser,cn=users,dc=voila,dc=com"
password = mypass
basedn = "dc=voila,dc=com"
# CHANGED filter object search to look for 'SamAccountName'
# filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
# filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "User-Password"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
#
https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = User-Password
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
groupname_attribute = cn
#groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_filter =
"(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))"
groupmembership_attribute = memberOf
# compare_check_items = yes
do_xlat = yes
# access_attr_used_for_allow = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x0028
______________________________________________________
Samba / Windbind responses:
[root at ras modules]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root at ras modules]# wbinfo -a testuser%mypass
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user testuser%mypass with plaintext password
challenge/response password authentication succeeded
wbinfo -u and wbinfo -g enumerate all users/groups.
--
View this message in context: http://www.nabble.com/LDAP-Group-membership-check-not-working-after-upgrade-to-Windows-Server-2003-tp19496304p19496304.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list