Can't figure out Group Authentication

Julson, Jim jjulson at MARKETRON.COM
Mon Jun 25 17:13:01 CEST 2012


Thank you once again Alan.  I know you probably have to "face palm" yourself sometimes when you see the same questions over and over.  I appreciate your patience with me.  I don't want someone to do it for me, I want to learn it so I can support it.  I have decided to start fresh.  I had clean copies of every file I've ever touched, so I'm going to try to tackle this sometime during the week.  This Amazon AWS Cloud VPC isn't going to build itself  :)

-----Original Message-----
From: freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, June 25, 2012 6:54 AM
To: FreeRadius users mailing list
Subject: Re: Can't figure out Group Authentication

Julson, Jim wrote:
> Okay, so I think I’m getting closer.  But I have a few challenges still.  I am slowly learning how to parse the RADIUS -X debug output, now it’s a matter of knowing what to do with the information.

  Use the handy form at:

networkradius.com/freeradius.html

  It tells you the important things to look at.

> 1.  Domain Groups with spaces sometimes would or wouldn't work.  (Is 
> that the case with FreeRADIUS?)

  It shouldn't be, but you never know.

> 2.  Recursive searches were a problem.  See below for how the basic Active Directory structure looks for us (Note the spaces in the names).  For Cacti, I had to create a new OU, with a new Security Group that didn’t have spaces in it.  That was the only way I could get LDAP Binds to work for Group Authentication.  (I find it hard to believe that’s the case with FreeRADIUS…I tend to lean more towards my bad configuration).

  Recursive searches are supported in FreeRADIUS.  See the "rebind"
configuration in the ldap module.

> So, in that example, if I wanted to have a user be Authenticated who 
> resides in “ADMIN – Users”, but the group is in “ADMIN – Groups”, does 
> it matter to the RADIUS LDAP module?

  It shouldn't.

> NOTE:  I am kind of lost here.  I see so many people using so many 
> different syntaxes that I’m not sure if I’m using the right one.

  The documentation is correct.  Almost every third-party site is wrong.

> At present, the “users” file is completely default except for the following lines I’ve added at the very top.  So, no matter what my LDAP output shows, if I uncomment the two lines for ntlm_auth, I can log in with any Domain User regardless of the top 2 lines that say “Domain Admins”, and all others are rejected.  So I’m thinking ultimately my problem is not just here, but also with the LDAP bind taking place as you can see below.
>
> /etc/raddb/users
>
> DEFAULT Ldap-Group == "CN=Domain Admins,CN=ADMIN - Groups,DC=DOMAIN,DC=HOME,DC=COM",

  You just need the group name "admin" or "sales".  Not the whole path.

> Auth-Type = ntlm_auth
> DEFAULT Auth-Type = Reject

  You don't need the default reject.  The server will ALWAYS reject people it doesn't know.

> Here’s the RADIUSD -X output from my last auth attempt.
>
> BEGIN RADIUS -X DEBUG OUTPUT
> NOTE:  I’ve changed all my domain information for this troubleshooting, and also highlighted anywhere it’s referenced.  I’m hoping I’m on the right track with what I’ve highlighted below as to where I believe the problem is.

  Part of the reason for the debug output is to show you what's going on.  It prints out the LDAP queries it does.  You can copy them, and use them in command-line tests with "ldapsearch".  That helps.

  Alan DeKok.
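The users entry Alan describes (bare group name, no default Reject), together with the ldap module group settings it depends on, as an added example that is not from this thread. FreeRADIUS 2.x syntax is assumed, and the server name, bind DN, bind password and base DN are placeholders.

```conf
# /etc/raddb/users (FreeRADIUS 2.x): allow ntlm_auth only for one AD group.
# Check items sit on the first line, separated by commas. The group is given
# by its bare name, not its full DN: rlm_ldap resolves the name through
# groupname_attribute below, so spaces in the group or OU names are harmless.
DEFAULT	Ldap-Group == "Domain Admins", Auth-Type = ntlm_auth

# No "DEFAULT Auth-Type = Reject" entry is needed: a request that matches no
# entry and ends up with no Auth-Type is rejected by the server anyway.
# The "Auth-Type ntlm_auth { ntlm_auth }" block in sites-enabled/default must
# be enabled for the entry above to take effect (assumed here).

# /etc/raddb/modules/ldap: the group settings that make the check above work
# against Active Directory. Values below are placeholders for this example.
ldap {
	server = "dc1.domain.home.com"
	identity = "CN=radius-bind,CN=Users,DC=DOMAIN,DC=HOME,DC=COM"
	password = "REPLACE_ME"
	basedn = "DC=DOMAIN,DC=HOME,DC=COM"

	# AD keeps the login name in sAMAccountName, not uid
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	# AD answers with referrals for other naming contexts; follow them and
	# re-authenticate with the same credentials (the "rebind" setting
	# mentioned in the reply above)
	chase_referrals = yes
	rebind = yes

	# Ldap-Group values are compared against the group's cn. Membership is
	# first checked with the filter (the user's DN as a direct member of a
	# group object), then via the user's memberOf attribute, whose DNs are
	# looked up and reduced to their cn. Plain memberOf/member lookups are not
	# recursive in AD; nested membership needs the matching-rule-in-chain
	# filter "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})".
	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
	groupmembership_attribute = memberOf
}
```

The filter strings the server actually sends appear in the `radiusd -X` output and can be pasted into `ldapsearch` against the same bind DN to confirm the group lookup before touching the users file.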