FR 3 to AD via ldap

Bc. Radovan Matisko rado.matisko at centrum.sk
Sat Apr 12 00:51:54 CEST 2014


Hi, I'm trying to use FR 3 to connect to a remote AD via the ldap module; I tried playing with the parameters but with no luck. I don't know what I'm missing.
I use my own certificates. PEAP with MSCHAPv2.
 
I configured the ldap module:
ldap {
        server = "pegasus.fri.uniza.sk"
        port = 636
        base_dn = "dc=fri,dc=uniza,dc=sk"
        user {
                base_dn = "ou=People,dc=fri,dc=uniza,dc=sk"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                scope = 'sub'
        }
        options {
                chase_referrals = yes
                rebind = yes
        }
        tls {
                ca_path = ${certdir}
                ca_file = ${certdir}/cacert.cer
                certificate_file = ${certdir}/friradius.cer
                private_key_file = ${certdir}/friradius.key
                require_cert = "demand"
        }
}
 
In sites-available/default and inner-tunnel I just added:
authorize {
        ldap
}

In eap I configured:
eap {
        default_eap_type = peap
        tls {
                tls = tls-common
        }
        ttls {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
}

In mschap:
mschap {
        use_mppe = no
        require_encryption = yes
        require_strong = yes
        passchange {
        }
}

Also added the realm to proxy:
realm fri.uniza.sk {
}

It's starting all right:
"Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 47617
Ready to process requests."
But when I try radtest:
radtest -t mschap matisko at fri.uniza.sk <password> localhost 0 testing123
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=213, length=20

Debug is:
(1) suffix : Looking up realm "fri.uniza.sk" for User-Name = "hajtmanek at fri.uniza.sk"
(1) suffix : Found realm "fri.uniza.sk"
(1) suffix : Adding Stripped-User-Name = "hajtmanek"
(1) suffix : Adding Realm = "fri.uniza.sk"
(1) suffix : Authentication realm is LOCAL.
(1)   [suffix] = ok
(1) eap : No EAP-Message, not doing EAP
(1)   [eap] = noop
(1)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap :    --> (uid=hajtmanek)
(1) ldap : EXPAND ou=People,dc=fri,dc=uniza,dc=sk
(1) ldap :    --> ou=People,dc=fri,dc=uniza,dc=sk
(1) ldap : Performing search in 'ou=People,dc=fri,dc=uniza,dc=sk' with filter '(uid=hajtmanek)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ERROR: ldap : Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
(1) ERROR: ldap : Server said: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1.
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Opening additional connection (5)
rlm_ldap (ldap): Connecting to pegasus.fri.uniza.sk:636
TLS: warning: cacertdir not implemented for gnutls
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)   [ldap] = fail
(1)  } #  authorize = fail
(1) Invalid user (ldap: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.): [hajtmanek/pokus123] (from client localhost port 0)
(1) Using Post-Auth-Type Reject

Binding is successful, referrals and rebind are changed. The SSL handshake I think is OK (according to Wireshark :) ).
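As an added example (not the poster's configuration), here is the ldap module stanza with the piece the posted one lacks: the AD message 000004DC "a successful bind must be completed on the connection" is AD refusing a search on a connection that has only done an anonymous bind, so the module needs an identity/password for a bind account; the chase_referrals/rebind hint from rlm_ldap is a generic message and not the cause here. The bind DN, its password and the sAMAccountName attribute are placeholders and assumptions for this example.

```text
ldap {
        server = "pegasus.fri.uniza.sk"
        port = 636
        # AD rejects searches on unauthenticated connections; bind with a
        # low-privilege, read-only service account (placeholder DN/password).
        identity = "cn=radius-bind,ou=Service Accounts,dc=fri,dc=uniza,dc=sk"
        password = "CHANGE-ME-bind-account-password"
        base_dn = "dc=fri,dc=uniza,dc=sk"
        user {
                base_dn = "ou=People,dc=fri,dc=uniza,dc=sk"
                # AD stores the login name in sAMAccountName; 'uid' is
                # usually empty unless the directory was populated with it.
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
                scope = 'sub'
        }
        options {
                chase_referrals = yes
                rebind = yes
        }
        tls {
                # ca_path is ignored when libldap is built against GnuTLS
                # (see the "cacertdir not implemented" warning), so rely on ca_file.
                ca_file = ${certdir}/cacert.cer
                certificate_file = ${certdir}/friradius.cer
                private_key_file = ${certdir}/friradius.key
                require_cert = "demand"
        }
}
```

Even with the bind fixed, LDAP cannot read password hashes out of AD, so the ldap module alone cannot complete MS-CHAPv2 inside PEAP; that normally goes through ntlm_auth (Samba winbind) in the mschap module, with ldap used only for lookups and group membership.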

