FR 3 to AD via ldap
Bc. Radovan Matisko
rado.matisko at centrum.sk
Sat Apr 12 00:51:54 CEST 2014
Hi, I'm trying to use FR 3 to connect to a remote AD via the ldap module, tried playing with parameters but with no luck. I don't know what I miss.
I use my own certificates. PEAP with MSCHAPv2.
I configured the ldap module:
server = "pegasus.fri.uniza.sk"
port = 636
base_dn = "dc=fri,dc=uniza,dc=sk"
user {
base_dn = "ou=People,dc=fri,dc=uniza,dc=sk"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
}
options {
chase_referrals = yes
rebind = yes
}
tls {
ca_path = ${certdir}
ca_file = ${certdir}/cacert.cer
certificate_file = ${certdir}/friradius.cer
private_key_file = ${certdir}/friradius.key
require_cert = "demand"
}
In sites-available/default and inner-tunnel I just added:
authorize {
ldap
}
In eap I configured:
eap {
  default_eap_type = peap
  tls {
    tls = tls-common
  }
  ttls {
    tls = tls-common
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
  }
  peap {
    tls = tls-common
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
  }
}
In mschap:
mschap {
  use_mppe = no
  require_encryption = yes
  require_strong = yes
  passchange {
  }
}
Also added a realm to proxy:
realm fri.uniza.sk {
}
It's starting all right:
"Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 47617
Ready to process requests."
But when I try radtest:
radtest -t mschap matisko@fri.uniza.sk <password> localhost 0 testing123
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=213, length=20
Debug is:
(1) suffix : Looking up realm "fri.uniza.sk" for User-Name = "hajtmanek@fri.uniza.sk"
(1) suffix : Found realm "fri.uniza.sk"
(1) suffix : Adding Stripped-User-Name = "hajtmanek"
(1) suffix : Adding Realm = "fri.uniza.sk"
(1) suffix : Authentication realm is LOCAL.
(1) [suffix] = ok
(1) eap : No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap : --> (uid=hajtmanek)
(1) ldap : EXPAND ou=People,dc=fri,dc=uniza,dc=sk
(1) ldap : --> ou=People,dc=fri,dc=uniza,dc=sk
(1) ldap : Performing search in 'ou=People,dc=fri,dc=uniza,dc=sk' with filter '(uid=hajtmanek)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ERROR: ldap : Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
(1) ERROR: ldap : Server said: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1.
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Opening additional connection (5)
rlm_ldap (ldap): Connecting to pegasus.fri.uniza.sk:636
TLS: warning: cacertdir not implemented for gnutls
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) [ldap] = fail
(1) } # authorize = fail
(1) Invalid user (ldap: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.): [hajtmanek/pokus123] (from client localhost port 0)
(1) Using Post-Auth-Type Reject
Binding is successful, referrals and rebind are changed. The SSL handshake I think is OK (according to Wireshark :) ).
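The AD error in the debug output above ("a successful bind must be completed on the connection") means the search is being issued on an unauthenticated connection: the posted module has no bind credentials, so rlm_ldap searches anonymously. As an added example, not the original poster's configuration, here is the rlm_ldap section for FreeRADIUS 3 with a dedicated bind account; the bind DN and password are placeholders, everything else is taken from the post.

```conf
# Added example, not the original poster's config: rlm_ldap against
# Active Directory over LDAPS. Hostname, base DNs and certificate file
# names come from the post; the bind account DN and password are
# placeholders to be replaced.
ldap {
    server = "pegasus.fri.uniza.sk"
    port = 636

    # AD refuses searches on an anonymous connection (LdapErr 000004DC in
    # the debug output). Bind with a dedicated, read-only account, never a
    # domain administrator. The password sits in this file, so keep the
    # file readable only by the radiusd user.
    identity = "cn=svc-radius,ou=Service Accounts,dc=fri,dc=uniza,dc=sk"   # placeholder DN
    password = "CHANGE-ME"                                                  # placeholder

    base_dn = "dc=fri,dc=uniza,dc=sk"

    user {
        base_dn = "ou=People,dc=fri,dc=uniza,dc=sk"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = 'sub'
    }

    options {
        # Both are needed when AD answers with referrals: the follow-up
        # connection must be bound with the same identity/password.
        chase_referrals = yes
        rebind = yes
    }

    tls {
        # Verify the AD server certificate against the issuing CA and
        # refuse the connection if verification fails. The debug shows a
        # libldap built with GnuTLS, which warns that ca_path (a directory)
        # is not implemented there, so point ca_file at the CA certificate.
        ca_file = ${certdir}/cacert.cer
        certificate_file = ${certdir}/friradius.cer
        private_key_file = ${certdir}/friradius.key
        require_cert = "demand"
        # Port 636 is already LDAPS; do not additionally negotiate StartTLS.
        start_tls = no
    }
}
```

After the change, the debug run should show "Bind successful" before the search rather than only on the extra connection opened afterwards.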