Authenticate users different Domain using LDAP group search

Luis Diaz ldiaz at rumbo.com
Fri Jan 24 10:20:13 CET 2014


Hi there!

First of all, I'd like to thank everybody in this forum for the help you
provide. This forum has been very helpful for me in order to deploy and
make my FreeRADIUS server work.

However, I'm facing a config problem that I couldn't solve just by searching
this forum. So, I need a little bit of help with it.

I'm running FreeRADIUS Version 2.2.0 and I've managed to make the server
work to authenticate users against our AD. I'm using ntlm_auth + mschap +
ldap. Everything works fine with domain users. I have no problem.

I use the ldap module in order to authenticate just some users inside
specific groups and also to assign the VLAN dynamically.

The issue comes when I try to authenticate users from a different domain. I
highlight that both domains share a trust relationship.
I read on the forum that just configuring the NTLM module by adding the trusted
domain would work, but for the moment, it doesn't work.

I'll show you part of my config for this purpose:

NTLM_AUTH Module:

exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-MAIN-DOMAIN} --domain=%{%{mschap:NT-Domain}:-TRUSTED-DOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

If I exec the command:

ntlm_auth --request-nt-key --domain=TRUSTED-DOMAIN
--username=USER-TRUSTED-DOMAIN --password=********
NT_STATUS_OK: Success (0x0)

As you can see, the ntlm module works. However, when the request comes through
RADIUS I get a message from the ldap module saying "object (user) not
found".

This is the error from the debug output:

[ldap] object not found
rlm_ldap::ldap_groupcmp: search failed


The user from the trusted domain is inside the same group as users from my
domain. The ldap search works for users from my domain, but fails when it
tries to search for a user from the trusted domain.

I guess the problem lies in the ldap module. However, I don't fully
understand where the config problem can be.


Any help would be appreciated very much.


Thank you so much in advance. And have a great day!
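The following is an added illustration, not part of the original post and not FreeRADIUS code. It models the two-step check rlm_ldap performs for a group comparison (first find the user's DN by sAMAccountName under the configured basedn, then test that DN against the group's member attribute) over a small constructed directory with two domains of one forest, DC=main,DC=example and DC=trusted,DC=example, and the user names alice and bob, all hypothetical. It shows how a user lookup scoped to the local domain's naming context reports "object not found" for a trusted-domain user even though that user is listed in the local group, while a search whose base covers both naming contexts (as a global catalog query against the forest root would) finds the user and then passes the group check.

```python
"""Model of rlm_ldap's user lookup followed by the group membership compare.

All directory entries, DNs and names below are constructed for this example
and do not come from the original post.
"""

# Constructed directory: one forest, two domain naming contexts.
DIRECTORY = [
    {"dn": "CN=alice,CN=Users,DC=main,DC=example",
     "objectClass": "user", "sAMAccountName": "alice"},
    {"dn": "CN=bob,CN=Users,DC=trusted,DC=example",
     "objectClass": "user", "sAMAccountName": "bob"},
    # Group in the local domain whose member list contains a DN from the
    # trusted domain as well as a local one.
    {"dn": "CN=VLAN10-Users,CN=Users,DC=main,DC=example",
     "objectClass": "group",
     "member": ["CN=alice,CN=Users,DC=main,DC=example",
                "CN=bob,CN=Users,DC=trusted,DC=example"]},
]

LOCAL_BASE = "DC=main,DC=example"      # basedn of one domain only
FOREST_BASE = "DC=example"             # covers both naming contexts
GROUP_DN = "CN=VLAN10-Users,CN=Users,DC=main,DC=example"


def in_subtree(dn, base_dn):
    """Subtree scope: the entry is the base itself or sits below it (DNs are case-insensitive)."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def find_user_dn(directory, base_dn, username):
    """Equivalent of the user search (sAMAccountName=<user>) under base_dn, subtree scope.

    Returns the user's DN, or None when no object matches, which is the
    condition rlm_ldap reports as "object not found".
    """
    for entry in directory:
        if (entry.get("objectClass") == "user"
                and in_subtree(entry["dn"], base_dn)
                and entry.get("sAMAccountName", "").lower() == username.lower()):
            return entry["dn"]
    return None


def ldap_groupcmp(directory, base_dn, username, group_dn):
    """Group compare: resolve the user DN first, then test it against the group's member attribute.

    Returns one of: "ok", "object not found", "not a member", "group not found".
    """
    user_dn = find_user_dn(directory, base_dn, username)
    if user_dn is None:
        # The compare never reaches the group: the user lookup already failed.
        return "object not found"
    for entry in directory:
        if entry.get("objectClass") == "group" and entry["dn"].lower() == group_dn.lower():
            members = [m.lower() for m in entry.get("member", [])]
            return "ok" if user_dn.lower() in members else "not a member"
    return "group not found"


def compare_bases(username):
    """Run the same group compare with the local-domain base and the forest-wide base."""
    return {
        "local_base": ldap_groupcmp(DIRECTORY, LOCAL_BASE, username, GROUP_DN),
        "forest_base": ldap_groupcmp(DIRECTORY, FOREST_BASE, username, GROUP_DN),
    }


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, compare_bases(name))
```

Run it and the local user passes with either base, while the trusted-domain user is reported as "object not found" with the local-domain base and "ok" only with the wider one. The model assumes both domains are in a single forest; with an external trust the trusted user has no user object in the local directory at all and appears in groups only as a foreign security principal, so a name-based search of the local domain cannot resolve it either way.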