FreeRadius authorise against Samba 4 LDB Problem

Thomas Miller thomas at tlm.id.au
Thu Feb 12 14:24:10 CET 2015


Hi,

First time posting here. I have just started out and am trying to get a FreeRadius 3.0.6 server working with Samba 4.1.16. Specifically, authorising against Samba’s LDB backend.

So what I have got working is FreeRadius binding correctly to Samba’s LDB LDAP server, as well as the correct user objects being found when running a test with radtest.

Below is the request output from FreeRadius:

(0) Received Access-Request Id 150 from 127.0.0.1:39860 to 127.0.0.1:1812 length 83
(0)   User-Name = "test"
(0)   User-Password = "password"
(0)   NAS-IP-Address = 192.168.6.221
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x5a261850779b1ad52861b77dc4914cb0
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   (null) {
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (sAMAccountName=test)
(0) ldap: EXPAND OU=Users,DC=example,DC=com
(0) ldap:    --> OU=Users,DC=example,DC=com
(0) ldap: Performing search in 'OU=Users,DC=example,DC=com' with filter '(sAMAccountName=test)', scope 'sub'
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=test,OU=Users,DC=example,DC=com"
rlm_ldap (ldap): Released connection (4)
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
WARNING: (0) pap: No "known good" password found for the user.  Not setting Auth-Type
WARNING: (0) pap: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # (null) = ok
ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test/password] (from client vpn port 0)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   (null) {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)   } # (null) = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 150 from 127.0.0.1:1812 to 127.0.0.1:39860 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 150 with timestamp +4
Ready to process requests

As you can see, I am not sure why it fails at the pap stage or what is going on. I think it may have something to do with the user password hash not being retrieved from LDAP, but I can’t be sure, and from the searching I have done FreeRadius would seem to provide an error if this was the case.

The sites-enabled/default looks like the following:

authorize {
        preprocess
        # auth_log
        chap
        mschap
        ldap
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
}

preacct {
        preprocess
        acct_unique
        # suffix
        files
}

accounting {
        detail
        radutmp
        attr_filter.accounting_response
}

session {
        radutmp
}

post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {
}

post-proxy {
}

And my ldap config is as follows:

ldap {
        server = '192.168.6.221'
        identity = 'CN=FreeRadius,OU=Users,DC=example,DC=com'
        password = radpassword
        base_dn = 'OU=Users,DC=example,DC=com'

        user {
                base_dn = 'OU=Users,DC=example,DC=com'
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
                scope = 'sub'
        }

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        tls {
                start_tls = no
        }

        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

Any help would be greatly appreciated.

Kind Regards
Thom
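
An added configuration example, written for this page and not taken from the original post or from the FreeRADIUS project. The debug output above shows the usual Samba AD symptom: rlm_ldap finds the user object, but Samba's LDAP server never returns a password attribute (no userPassword, no NT hash) to an LDAP client, so pap has nothing to compare against, logs the "No known good password" warning, and no Auth-Type is ever set. The standard way to handle PAP against AD is to have rlm_ldap authenticate by binding to Samba as the user it just found, which is what the `if ((ok || updated) && User-Password)` block does; the stock 3.0 sites-available/default ships that block commented out. Module and section names below are the ones from the post (ldap instance `ldap`, `Auth-Type LDAP`); the CA file path is an assumption.

```unlang
# Added example, not the original poster's config and not FreeRADIUS's own file.
# Assumes the ldap module instance is named "ldap", as in the post.

authorize {
        preprocess
        chap
        mschap

        # Look the user up in Samba (returns ok/updated when the object is found).
        ldap

        # Samba AD does not hand out password hashes over LDAP, so pap cannot
        # find a "known good" password. If ldap found the user and the request
        # carries a cleartext password (PAP), let rlm_ldap authenticate by
        # binding to Samba as that user's DN instead.
        if ((ok || updated) && User-Password) {
                update {
                        control:Auth-Type := LDAP
                }
        }

        expiration
        logintime

        # Still useful for any local user that does have a known good password.
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        # rlm_ldap in authenticate = simple bind as the user's DN with User-Password.
        Auth-Type LDAP {
                ldap
        }
}

# mods-enabled/ldap: same values as the post, plus TLS, because the user
# bind above sends the cleartext password to Samba on every login.
ldap {
        server = '192.168.6.221'
        identity = 'CN=FreeRadius,OU=Users,DC=example,DC=com'
        password = radpassword
        base_dn = 'OU=Users,DC=example,DC=com'

        user {
                base_dn = 'OU=Users,DC=example,DC=com'
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
                scope = 'sub'
        }

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        tls {
                start_tls = yes
                ca_file = /etc/raddb/certs/samba-ca.pem   # assumed path to the Samba CA cert
                require_cert = "demand"
        }

        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}
```

Two caveats a practitioner would want: the bind-as-user path only works for PAP, because CHAP and MS-CHAP never give the server a cleartext password to bind with (MS-CHAP against Samba AD needs ntlm_auth through winbind instead); and with `start_tls = no`, as in the original module config, every user's password would cross the wire to Samba in the clear, so TLS with certificate verification belongs in the same change.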

