Authenticating users on LDAP based on Group name

Jose Torres-Berrocal jetsystemservices at gmail.com
Tue Apr 21 06:07:23 CEST 2015 

I noticed that my problem is that when using group options I get authorized
successfully but does not get authenticated (Using Compare Check Items = No
results in Access-Accept). When not using group options I get authorized
and authenticated succesfully.

Is there a way to do a two pass process?  If I could run the first pass
without group options and the second pass if authenticated run with group
options, I will get my desired result.

By the way I found how to run in debug mode in pfsense and do some custome
changes in the Users.conf file.

On Wed, Mar 25, 2015 at 2:24 PM, Jose Torres-Berrocal <
jetsystemservices at gmail.com> wrote:

> I am using the Freeradius2 2.1.12_1/2.2.5_3 pkg v1.6.10 in pfsense 2.1.5
>
> I can't modify the conf files manually.  I have to use the pfsense WebGui.
>
> I could authenticate the users of the LDAP succesfully but when I try to
> authenticate using group membership options it fails with the following
> logs.
>
> Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default>
> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests.
> Wed Mar 25 13:39:27 2015 : Auth: Invalid user (  [ldap] Pairs do not
> match): [administrator] (from client squid port 111)
> Wed Mar 25 13:39:33 2015 : Auth: Invalid user (  [ldap] Pairs do not
> match): [administrator] (from client squid port 111)
> Wed Mar 25 13:39:34 2015 : Auth: Invalid user (  [ldap] Pairs do not
> match): [administrator] (from client squid port 111)
>
> On pfsense I do not see an option to run in debug mode, but probably you
> can help me with the pfsense produced ldap conf file.  I do not use fancy
> stuff. After I get it working I may try to add TLS configuration to have
> encrypted comm or passwords.
>
> The LDAP is an Active Directory on a Windows 2003 Server.
> The group name is InternetAccess.  (Is this case sensitive?)
> I do not have a radiusprofile, where there is mention of radiusprofile is
> a default generated line.  (In pfsense I may change the line but can not
> removed it or comment it.)
>
> LDAP CONF:
>
> /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
> # -*- text -*-
> #
> #  $
>
> # Lightweight Directory Access Protocol (LDAP)
> #
> #  This module definition allows you to use LDAP for
> #  authorization and authentication.
> #
> #  See raddb/sites-available/default for reference to the
> #  ldap module in the authorize and authenticate sections.
> #
> #  However, LDAP can be used for authentication ONLY when the
> #  Access-Request packet contains a clear-text User-Password
> #  attribute.  LDAP authentication will NOT work for any other
> #  authentication method.
> #
> #  This means that LDAP servers don't understand EAP.  If you
> #  force "Auth-Type = LDAP", and then send the server a
> #  request containing EAP authentication, then authentication
> #  WILL NOT WORK.
> #
> #  The solution is to use the default configuration, which does
> #  work.
> #
> #  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
> #  really can't emphasize this enough.
> #
> ldap {
> #
> #  Note that this needs to match the name in the LDAP
> #  server certificate, if you're using ldaps.
> server = "jetsms-srv2003.jetdom.local"
> port = "389"
> identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
> password = Mypassword
> basedn = "cn=Users,dc=jetdom,dc=local"
> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> base_filter = "(objectclass=radiusprofile)"
>
> #  How many connections to keep open to the LDAP server.
> #  This saves time over opening a new LDAP socket for
> #  every authentication request.
> ldap_connections_number = 5
>
> # seconds to wait for LDAP query to finish. default: 20
> timeout = 4
>
> #  seconds LDAP server has to process the query (server-side
> #  time limit). default: 20
> #
> #  LDAP_OPT_TIMELIMIT is set to this value.
> timelimit = 3
>
> #
> #  seconds to wait for response of the server. (network
> #   failures) default: 10
> #
> #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
> net_timeout = 1
>
> #
> #  This subsection configures the tls related items
> #  that control how FreeRADIUS connects to an LDAP
> #  server.  It contains all of the "tls_*" configuration
> #  entries used in older versions of FreeRADIUS.  Those
> #  configuration entries can still be used, but we recommend
> #  using these.
> #
> tls {
> # Set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> #
> # The StartTLS operation is supposed to be
> # used with normal ldap connections instead of
> # using ldaps (port 689) connections
> start_tls = no
>
> cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
> cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/
> certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
> keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
> randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
>
> #  Certificate Verification requirements.  Can be:
> #    "never" (don't even bother trying)
> #    "allow" (try, but don't fail if the certificate
> # can't be verified)
> #    "demand" (fail if the certificate doesn't verify.)
> #
> # The default is "allow"
> require_cert = "never"
> }
>
> ### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###
> ### profile_attribute = "radiusProfileDn" ###
> ### access_attr = "dialupAccess" ###
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${confdir}/ldap.attrmap
> ################## THE BELOW IS NOT COMPILED WITH FREERADIUS
> #################################
> #  Set password_attribute = nspmPassword to get the
> #  user's password from a Novell eDirectory
> #  backend. This will work ONLY IF FreeRADIUS has been
> #  built with the --with-edir configure option.
> #
> #  See also the following links:
> #
> #  http://www.novell.com/coolsolutions/appnote/16745.html
> #
> https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
> #
> #  Novell may require TLS encrypted sessions before returning
> #  the user's password.
> #
> # password_attribute = userPassword
>
> #  Un-comment the following to disable Novell
> #  eDirectory account policy check and intruder
> #  detection. This will work *only if* FreeRADIUS is
> #  configured to build with --with-edir option.
> #
> edir_account_policy_check = no
> ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS
> #################################
> #
> #  Group membership checking.  Disabled by default.
> #
> groupname_attribute = cn
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
> groupmembership_attribute = InternetAccess
>
> compare_check_items = yes
> do_xlat = yes
> access_attr_used_for_allow = yes
>
> #
> #  The following two configuration items are for Active Directory
> #  compatibility.  If you see the helpful "operations error"
> #  being returned to the LDAP module, uncomment the next
> #  two lines.
> #
>
> ### MS Active Directory Compatibility is disabled ###
>
> #
> #  By default, if the packet contains a User-Password,
> #  and no other module is configured to handle the
> #  authentication, the LDAP module sets itself to do
> #  LDAP bind for authentication.
> #
> #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
> #
> #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
> #
> #  You can disable this behavior by setting the following
> #  configuration entry to "no".
> #
> #  allowed values: {no, yes}
> # set_auth_type = yes
>
> #  ldap_debug: debug flag for LDAP SDK
> #  (see OpenLDAP documentation).  Set this to enable
> #  huge amounts of LDAP debugging on the screen.
> #  You should only use this if you are an LDAP expert.
> #
> # default: 0x0000 (no debugging messages)
> # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
> #ldap_debug = 0x0028
>
> #
> #  Keepalive configuration.  This MAY NOT be supported by your
> #  LDAP library.  If these configuration entries appear in the
> #  output of "radiusd -X", then they are supported.  Otherwise,
> #  they are unsupported, and changing them will do nothing.
> #
> keepalive {
> # LDAP_OPT_X_KEEPALIVE_IDLE
> idle = 60
>
> # LDAP_OPT_X_KEEPALIVE_PROBES
> probes = 3
>
> # LDAP_OPT_X_KEEPALIVE_INTERVAL
> interval = 3
> }
> }
>

More information about the Freeradius-Users mailing list