ntlm_auth & ldap authorize questions
Tobias Hachmer
lists at kokelnet.de
Wed Apr 4 11:53:07 CEST 2012
Hello list,
I set up a testing environment with a virtual Windows Server 2008 R2
server with Active Directory Role and a virtual freeradius server
(v2.1.12).
For the authentication I use ntlm_auth (followed instructions on
http://deployingradius.com/documents/configuration/active_directory.html)
which works great.
I understand that I cannot authorize using ntlm_auth, so I want to set
up the ldap module for authorization, e.g. perform checks on group
memberships.
The ldap bind with the builtin Administrator and also the ldap search
in the basedn for the builtin account Administrator are successful:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 42796, id=160,
length=83
User-Name = "Administrator"
User-Password = "abc123!"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x2f21233db6232800e133f6891b78309d
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "Administrator", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for Administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> Administrator
[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(cn=Administrator)
[ldap] expand: cn=Users,dc=test,dc=local -> cn=Users,dc=test,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=test,dc=local, with filter
(cn=Administrator)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user Administrator authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} ->
--username=Administrator
[ntlm_auth] expand: --password=%{User-Password} ->
--password=abc123!
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 160 to 127.0.0.1 port 42796
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 160 with timestamp +380
Ready to process requests.
My first problem is that I cannot do the ldap bind with any user other
than the builtin Administrator. I created a new user freeradius in
cn=Users,dc=test,dc=local where the builtin Administrator also is
located but the bind fails:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44706, id=162,
length=83
User-Name = "Administrator"
User-Password = "abc123!"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x6b50ad7469b14cd74c9fcb7c41d93cc1
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "Administrator", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for Administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> Administrator
[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(cn=Administrator)
[ldap] expand: cn=Users,dc=test,dc=local -> cn=Users,dc=test,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to testwdc.test.local:389, authentication 0
[ldap] bind as cn=freeradius,cn=Users,dc=test,dc=local/abc234! to
testwdc.test.local:389
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap
section of radiusd.conf
[ldap] (re)connection attempt failed
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> Administrator
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 162 to 127.0.0.1 port 44706
Waking up in 4.9 seconds.
Cleaning up request 0 ID 162 with timestamp +6
Ready to process requests
Question: Are there any permission requirements for the binddn user, or
does anyone have a hint why the ldap bind with any user other than the
builtin Administrator fails?
Also, the ldap search for any user other than the builtin Administrator
fails:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54411, id=98,
length=80
User-Name = "freeradius"
User-Password = "abc234!"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x5158c0c680156b9feda64a7ac17c880e
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "freeradius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for freeradius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> freeradius
[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(cn=freeradius)
[ldap] expand: cn=Users,dc=test,dc=local -> cn=Users,dc=test,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=test,dc=local, with filter
(cn=freeradius)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} ->
--username=freeradius
[ntlm_auth] expand: --password=%{User-Password} ->
--password=abc234!
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 127.0.0.1 port 54411
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 98 with timestamp +32
Ready to process requests.
Thanks in advance for pointing me in the right direction.
Regards,
Tobias Hachmer
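The three debug runs above are what you read to tell a rejected bind (ldap returns fail) apart from an empty search (ldap returns notfound, and the request is still accepted because ntlm_auth succeeds). As an added example, not code from the post or from FreeRADIUS, here is a small Python triage script that groups the rlm_ldap lines of a radiusd -X log per request, names the failing stage, and masks the secrets the debug output prints in clear (User-Password, the ntlm_auth --password argument and the ldap bind password) before such a log is shared. The line format is assumed from the runs quoted above, with mail-wrapped lines rejoined; the sample log is constructed.

```python
import re
# Constructed sample shaped like FreeRADIUS 2.x "radiusd -X" output (assumed format,
# modelled on the runs in the post; mail-wrapped lines rejoined, values made up).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 44706, id=162, length=83
User-Password = "abc123!"
[ldap] bind as cn=freeradius,cn=Users,dc=test,dc=local/abc234! to testwdc.test.local:389
++[ldap] returns fail
Sending Access-Reject of id 162 to 127.0.0.1 port 44706
rad_recv: Access-Request packet from host 127.0.0.1 port 54411, id=98, length=80
[ldap] performing search in cn=Users,dc=test,dc=local, with filter (cn=freeradius)
++[ldap] returns notfound
Sending Access-Accept of id 98 to 127.0.0.1 port 54411
"""
REQ_RE = re.compile(r"^rad_recv: .*\bid=(\d+),")
BIND_RE = re.compile(r"^\[ldap\] bind as (.+?)/.* to \S+$")
SEARCH_RE = re.compile(r"^\[ldap\] performing search in (.+?), with filter (\(.*\))$")
RC_RE = re.compile(r"^\+\+\[ldap\] returns (\w+)$")
SEND_RE = re.compile(r"^Sending Access-(Accept|Reject) of id \d+")

def redact(line):
    """Mask secrets radiusd -X prints in clear: User-Password, the ntlm_auth --password value (the %{User-Password} template is kept) and the ldap bind password."""
    line = re.sub(r'(User-Password = ")[^"]*(")', r"\1<redacted>\2", line)
    line = re.sub(r"(--password=)(?!%\{)\S*", r"\1<redacted>", line)
    return re.sub(r"(\[ldap\] bind as .+?)/.* to ", r"\1/<redacted> to ", line)

def triage(log):
    """One record per Access-Request, naming which rlm_ldap stage went wrong."""
    requests, cur = [], {}  # cur starts as a throwaway for lines before any request
    for line in (l.strip() for l in log.splitlines()):
        if m := REQ_RE.match(line):
            cur = {"id": m[1]}
            requests.append(cur)
        elif m := BIND_RE.match(line):
            cur["bind_dn"] = m[1]
        elif m := SEARCH_RE.match(line):
            cur["base"], cur["filter"] = m[1], m[2]
        elif m := RC_RE.match(line):
            cur["ldap_rc"] = m[1]
        elif m := SEND_RE.match(line):
            cur["reply"] = m[1]
    for r in requests:
        rc = r.get("ldap_rc")
        if rc == "fail" and "bind_dn" in r:
            r["stage"] = f"bind as {r['bind_dn']} rejected: check identity/password"
        elif rc == "notfound":
            r["stage"] = f"bound ok, no entry under {r['base']} matches {r['filter']}"
        else:
            r["stage"] = f"ldap returned {rc}"
    return requests
```

Run `triage(SAMPLE_LOG)` to get one record per request, and pass each raw line through `redact` before pasting a log anywhere.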