LDAP Group membership check not working after upgrade to Windows Server 2003
kesm0724
kevin.smith at emp.shentel.com
Thu Sep 18 03:52:48 CEST 2008
The issue in my previous post was resolved by following the instructions in:
http://support.microsoft.com/kb/326690
As I stated in my previous post I was running a 2000 SP4 domain and we just
upgraded to a 2003 domain. After the upgrade ldap queries were failing.
This basically allows anonymous ldap lookups (limited information) as 2000
did. I did put authentication credentials in for my ldap user so I'm not
sure why it's using anonymous bind still. I would prefer to have the added
security of 2003. My ldap configuration is below if anyone has any advice
so I wouldn't have to enable anonymous bind within the domain.
___________________________________________________________
kesm0724 wrote:
>
> Hello All,
>
> I had FreeRADIUS Version 2.0.5 working fine until I upgraded our domain
> this past weekend to Server 2003. When I try to authenticate to our
> configured devices this morning I see the following generic error in the
> debug:
>
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns fails
>
> The odd part about it is that I still have our previous 2000 domain
> controllers in place but it appears LDAP group checking is not working. I
> have only dcpromo'd the new 2003 controllers and have not made them global
> catalogs. Would anyone have any idea why my group checking would no
> longer be working?
>
> With LDAP debug turned on....not much more informative:
>
> rlm_ldap: performing user authorization for voila\webtest
> expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) ->
> (sAMAccountName=webtest)
> expand: dc=voila,dc=com -> dc=voila,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: closing existing LDAP connection
> rlm_ldap: (re)connect to control.voila.com:389, authentication 0
> rlm_ldap: bind as cn=testuser,cn=users,dc=voila,dc=com/mypass to
> control.voila.com:389
> rlm_ldap: waiting for bind result ...
> request done: ld 0x98c6708 msgid 1
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=voila,dc=com, with filter
> (sAMAccountName=webtest)
> request done: ld 0x98c6708 msgid 4
> request done: ld 0x98c6708 msgid 2
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns fail
> Invalid user: [voila\\webtest/<via Auth-Type = mschap>] (from client Test
> port 1176 cli xxxxxxxxx)
> Found Post-Auth-Type Reject
> +- entering group REJECT
> expand: %{User-Name} -> voila\webtest
>
> Complete Debug:
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> rad_recv: Access-Request packet from host xxxxxxxxxxx port 1059, id=117,
> length=191
> User-Name = "voila\\testuser"
> NAS-Port = 1175
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Called-Station-Id = "xxxxxxxxxxx"
> Calling-Station-Id = "xxxxxxxxxx"
> Tunnel-Client-Endpoint:0 = "xxxxxxxxxxxxx"
> MS-CHAP-Challenge = 0x949d0f260c0a83423f766c1ba4786e6f
> MS-CHAP2-Response =
> 0x00008c51e82b0b401baffa11bbe4804841af0000000000000000b90e47cdede219ef0896903add05ea5ada973c6c8d58d431
> NAS-IP-Address = xxxxxxxxxx
> NAS-Port-Type = Virtual
> +- entering group authorize
> ++[preprocess] returns ok
> expand:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/radius/radacct/xxxxxxxxx/auth-detail-20080915
> rlm_detail:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
> /var/log/radius/radacct/xxxxxxxxxx/auth-detail-20080915
> expand: %t -> Mon Sep 15 11:52:00 2008
> ++[auth_log] returns ok
> ++[chap] returns noop
> rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> rlm_realm: No '@' in User-Name = "voila\testuser", looking up realm
> NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_realm: No '"' in User-Name = "voila\testuser", looking up realm
> NULL
> rlm_realm: No such realm "NULL"
> ++[ntdomain] returns noop
> ++[unix] returns notfound
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=voila,dc=com -> dc=voila,dc=com
> expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) ->
> (sAMAccountName=testuser)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to control.voila.com:389, authentication 0
> rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to
> control.voila.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=voila,dc=com, with filter
> (sAMAccountName=testuser)
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for voila\testuser
> expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) ->
> (sAMAccountName=testuser)
> expand: dc=voila,dc=com -> dc=voila,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: closing existing LDAP connection
> rlm_ldap: (re)connect to control.voila.com:389, authentication 0
> rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to
> control.voila.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=voila,dc=com, with filter
> (sAMAccountName=testuser)
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns fail
> Invalid user: [voila\\testuser/<via Auth-Type = mschap>] (from client Test
> port 1175 cli xxxxxxxxxxxxx)
> Found Post-Auth-Type Reject
> +- entering group REJECT
> expand: %{User-Name} -> voila\testuser
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Sending Access-Reject of id 117 to xxxxxxxxxxxx port 1059
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 117 with timestamp +18
> Ready to process requests.
>
> ___________
>
> Freeradius - 2.0.5
>
> [root at ras modules]# rpm -qa | grep openldap
> openldap-devel-2.3.27-8.el5_2.4
> openldap-2.3.27-8.el5_2.4
> [root at ras modules]# rpm -qa | grep samba
> samba-common-3.0.28-1.el5_2.1
> samba-3.0.28-1.el5_2.1
> samba-client-3.0.28-1.el5_2.1
>
> ______________________________________________
>
> LDAP.CONF
>
> ldap {
> #
> # Note that this needs to match the name in the LDAP
> # server certificate, if you're using ldaps.
> server = "control.voila.com"
> identity = "cn=testuser,cn=users,dc=voila,dc=com"
> password = mypass
> basedn = "dc=voila,dc=com"
>
> # CHANGED filter object search to look for 'SamAccountName'
>
> # filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
> # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>
> # base_filter = "(objectclass=radiusprofile)"
>
> # How many connections to keep open to the LDAP server.
> # This saves time over opening a new LDAP socket for
> # every authentication request.
> ldap_connections_number = 5
>
> # seconds to wait for LDAP query to finish. default: 20
> timeout = 4
>
> # seconds LDAP server has to process the query (server-side
> # time limit). default: 20
> #
> # LDAP_OPT_TIMELIMIT is set to this value.
> timelimit = 3
>
> #
> # seconds to wait for response of the server. (network
> # failures) default: 10
> #
> # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
> net_timeout = 1
>
> #
> # This subsection configures the tls related items
> # that control how FreeRADIUS connects to an LDAP
> # server. It contains all of the "tls_*" configuration
> # entries used in older versions of FreeRADIUS. Those
> # configuration entries can still be used, but we recommend
> # using these.
> #
> tls {
> # Set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> #
> # The StartTLS operation is supposed to be
> # used with normal ldap connections instead of
> # using ldaps (port 636) connections
> start_tls = no
>
> # cacertfile = /path/to/cacert.pem
> # cacertdir = /path/to/ca/dir/
> # certfile = /path/to/radius.crt
> # keyfile = /path/to/radius.key
> # randfile = /path/to/rnd
>
> # Certificate Verification requirements. Can be:
> # "never" (don't even bother trying)
> # "allow" (try, but don't fail if the certificate
> # can't be verified)
> # "demand" (fail if the certificate doesn't verify.)
> #
> # The default is "allow"
> # require_cert = "demand"
> }
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> # access_attr = "User-Password"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${confdir}/ldap.attrmap
>
> # Set password_attribute = nspmPassword to get the
> # user's password from a Novell eDirectory
> # backend. This will work ONLY IF FreeRADIUS has been
> # built with the --with-edir configure option.
> #
> # See also the following links:
> #
> # http://www.novell.com/coolsolutions/appnote/16745.html
> # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
> #
> # Novell may require TLS encrypted sessions before returning
> # the user's password.
> #
> # password_attribute = User-Password
>
> # Un-comment the following to disable Novell
> # eDirectory account policy check and intruder
> # detection. This will work *only if* FreeRADIUS is
> # configured to build with --with-edir option.
> #
> edir_account_policy_check = no
>
> #
> # Group membership checking. Disabled by default.
> #
> groupname_attribute = cn
> # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_filter = "(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))"
> groupmembership_attribute = memberOf
>
> # compare_check_items = yes
> do_xlat = yes
> # access_attr_used_for_allow = yes
>
> #
> # By default, if the packet contains a User-Password,
> # and no other module is configured to handle the
> # authentication, the LDAP module sets itself to do
> # LDAP bind for authentication.
> #
> #
> # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
> #
> # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
> #
> # You can disable this behavior by setting the following
> # configuration entry to "no".
> #
> # allowed values: {no, yes}
>
> # set_auth_type = yes
>
> # ldap_debug: debug flag for LDAP SDK
> # (see OpenLDAP documentation). Set this to enable
> # huge amounts of LDAP debugging on the screen.
> # You should only use this if you are an LDAP expert.
> #
> # default: 0x0000 (no debugging messages)
> # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
> ldap_debug = 0x0028
>
> ______________________________________________________
>
> Samba / Winbind responses:
>
> [root at ras modules]# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> [root at ras modules]# wbinfo -a testuser%mypass
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user testuser%mypass with plaintext password
> challenge/response password authentication succeeded
>
> wbinfo -u and wbinfo -g enumerate all users/groups.
>
--
View this message in context: http://www.nabble.com/LDAP-Group-membership-check-not-working-after-upgrade-to-Windows-Server-2003-tp19496304p19544572.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
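Two things in this thread are worth automating when triaging the same symptom: the rlm_ldap debug pattern (bind reported successful, then the search fails with "Operations error"), and checking afterwards whether the KB326690 workaround, which sets the 7th character of the forest's dsHeuristics attribute to "2" so that anonymous LDAP operations are allowed again, is in effect. The script below is an added example, not code from the thread or from the FreeRADIUS project. It assumes the FreeRADIUS 2.x rlm_ldap debug line formats exactly as they appear in the quoted output (lines unwrapped), and a dsHeuristics value read from CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration by whatever tool you use; the sample debug text is constructed from the quoted log. It also redacts the bind password, which the debug output prints in clear on the "bind as ... /mypass" line, so the output can be shared safely.

```python
"""Added example: triage rlm_ldap debug output and audit the dsHeuristics anonymous-LDAP flag."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes taken from FreeRADIUS 2.x rlm_ldap debug output (assumption: unwrapped lines).
CONNECT_RE = re.compile(r"rlm_ldap: \(re\)connect to (?P<server>[^,\s]+), authentication (?P<auth>\d+)")
BIND_RE = re.compile(r"rlm_ldap: bind as (?P<dn>.+?)/(?P<pw>\S+) to (?P<server>\S+)")
SEARCH_RE = re.compile(r"rlm_ldap: performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))")
SEARCH_FAIL_RE = re.compile(r"rlm_ldap: ldap_search\(\) failed: (?P<err>.+)")
BIND_OK = "rlm_ldap: Bind was successful"


@dataclass
class LdapAttempt:
    """One connect/bind/search cycle as rlm_ldap reports it."""
    server: Optional[str] = None
    bind_dn: Optional[str] = None
    bind_ok: bool = False
    search_filter: Optional[str] = None
    search_error: Optional[str] = None

    def verdict(self) -> str:
        if self.search_error and self.bind_ok:
            return "bind-ok-search-failed"      # the pattern in this thread
        if self.search_error:
            return "search-failed-without-bind"
        if self.bind_dn and not self.bind_ok:
            return "bind-failed"
        return "ok" if self.search_filter else "incomplete"


def _unquote(raw: str) -> str:
    """Strip whitespace and a leading mail-quote marker ('> ') so pasted threads parse too."""
    line = raw.strip()
    return line.lstrip("> ").strip() if line.startswith(">") else line


def parse_rlm_ldap_debug(lines: List[str]) -> List[LdapAttempt]:
    """Group debug lines into LdapAttempt records; a reused pooled connection inherits its bind state."""
    attempts: List[LdapAttempt] = []
    cur: Optional[LdapAttempt] = None
    for raw in lines:
        line = _unquote(raw)
        m = CONNECT_RE.search(line)
        if m:
            cur = LdapAttempt(server=m["server"])
            attempts.append(cur)
            continue
        m = BIND_RE.search(line)
        if m:
            if cur is None:
                cur = LdapAttempt(server=m["server"])
                attempts.append(cur)
            cur.bind_dn = m["dn"]
            continue
        if line == BIND_OK and cur is not None:
            cur.bind_ok = True
            continue
        m = SEARCH_RE.search(line)
        if m:
            if cur is None or cur.search_filter is not None:
                # second search on the same connection: carry the bind state forward
                cur = LdapAttempt(server=cur.server if cur else None,
                                  bind_dn=cur.bind_dn if cur else None,
                                  bind_ok=cur.bind_ok if cur else False)
                attempts.append(cur)
            cur.search_filter = m["filter"]
            continue
        m = SEARCH_FAIL_RE.search(line)
        if m and cur is not None:
            cur.search_error = m["err"].strip()
    return attempts


def summarize(attempts: List[LdapAttempt]) -> Dict[str, int]:
    """Count verdicts so a long debug run collapses to a few numbers."""
    return dict(Counter(a.verdict() for a in attempts))


def redact_debug(lines: List[str]) -> List[str]:
    """Replace the clear-text bind password rlm_ldap prints on the 'bind as' line."""
    return [BIND_RE.sub(lambda m: f"rlm_ldap: bind as {m['dn']}/**** to {m['server']}", l) for l in lines]


def anonymous_ldap_enabled(ds_heuristics: str) -> bool:
    """True when the 7th dsHeuristics character (fLDAPBlockAnonOps) is '2', i.e. the KB326690 change is in place."""
    value = (ds_heuristics or "").strip()
    if len(value) >= 10 and value[9] != "1":
        raise ValueError("malformed dsHeuristics: the 10th character must be '1'")
    return len(value) >= 7 and value[6] == "2"


# Constructed sample: the quoted rlm_ldap lines from this thread, unwrapped, with the real password kept
# only to show the redaction; the hostname and DN are the thread's own placeholders.
SAMPLE_DEBUG = """\
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to control.voila.com:389, authentication 0
rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to control.voila.com:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=testuser)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: performing user authorization for voila\\testuser
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to control.voila.com:389, authentication 0
rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to control.voila.com:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=testuser)
rlm_ldap: ldap_search() failed: Operations error
++[ldap] returns fail
""".splitlines()

if __name__ == "__main__":
    for a in parse_rlm_ldap_debug(SAMPLE_DEBUG):
        print(a.verdict(), a.bind_dn, a.search_filter, a.search_error)
    print(summarize(parse_rlm_ldap_debug(SAMPLE_DEBUG)))
    print("\n".join(redact_debug(SAMPLE_DEBUG)))
    print("anonymous LDAP allowed:", anonymous_ldap_enabled("0000002"))
```

Run it on the debug output captured with `radiusd -X` (or paste the quoted lines straight from a mail thread; the "> " prefixes are tolerated). A run that reports only `bind-ok-search-failed` is the situation in this thread: the credentials in `identity`/`password` are accepted, so the failure is in how the search is performed, not in the account itself. Feed the value of dsHeuristics into `anonymous_ldap_enabled` after applying or reverting KB326690 to confirm what the forest actually permits; a `True` means the 2000-style anonymous lookups the poster wanted to avoid are enabled forest-wide.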