FreeRadius authorise against Samba 4 LDB Problem
Thomas Miller
thomas at tlm.id.au
Thu Feb 12 14:24:10 CET 2015
Hi,
First time posting here. I have just started out and am trying to get a FreeRadius 3.0.6 server working with Samba 4.1.16. Specifically authorising against Samba’s LDB backend.
So what I have got working is FreeRadius binding correctly to Samba’s LDB ldap server as well as the correct user objects being found when running a test with radtest.
Below is the request output from FreeRadius:
(0) Received Access-Request Id 150 from 127.0.0.1:39860 to 127.0.0.1:1812 length 83
(0) User-Name = 'test'
(0) User-Password = 'password'
(0) NAS-IP-Address = 192.168.6.221
(0) NAS-Port = 0
(0) Message-Authenticator = 0x5a261850779b1ad52861b77dc4914cb0
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) (null) {
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (sAMAccountName=test)
(0) ldap: EXPAND OU=Users,DC=example,DC=com
(0) ldap: --> OU=Users,DC=example,DC=com
(0) ldap: Performing search in 'OU=Users,DC=example,DC=com' with filter '(sAMAccountName=test)', scope 'sub'
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=test,OU=Users,DC=example,DC=com"
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
WARNING: (0) pap: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # (null) = ok
ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test/password] (from client vpn port 0)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) (null) {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) } # (null) = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 150 from 127.0.0.1:1812 to 127.0.0.1:39860 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 150 with timestamp +4
Ready to process requests
As you can see I am not sure why it fails at the pap stage and what is going on. I think it may have something to do with the user password hash not being retrieved from ldap but can't be sure, and from the searching I have done FreeRadius would seem to provide an error if this was the case.
The sites-enabled/default looks like the following:
authorize {
preprocess
# auth_log
chap
mschap
ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
acct_unique
# suffix
files
}
accounting {
detail
radutmp
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
}
And my ldap config is as follows:
ldap {
server = '192.168.6.221'
identity = 'CN=FreeRadius,OU=Users,DC=example,DC=com'
password = radpassword
base_dn = 'OU=Users,DC=example,DC=com'
user {
base_dn = 'OU=Users,DC=example,DC=com'
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
}
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
Any help would be greatly appreciated.
Kind Regards
Thom
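An added example, not part of the original post: a small Python script that parses radiusd -X output like the trace above, groups it by request number, and reports why pap did not set Auth-Type. The sample log is a constructed excerpt modelled on the trace in the post, and the function names are my own.

```python
import re

# Constructed excerpt of radiusd -X debug output, modelled on the trace above.
SAMPLE_LOG = """\
(0) Received Access-Request Id 150 from 127.0.0.1:39860 to 127.0.0.1:1812 length 83
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) ldap: User object found at DN "CN=test,OU=Users,DC=example,DC=com"
(0) [ldap] = ok
WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
(0) [pap] = noop
ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Sent Access-Reject Id 150 from 127.0.0.1:1812 to 127.0.0.1:39860 length 20
"""

# One pattern per line type of interest; the leading "(N)" is the request number.
MODULE_RC = re.compile(r"^\((\d+)\) \[([\w.]+)\] = (\w+)$")
NO_KNOWN_GOOD = re.compile(r'^WARNING: \((\d+)\) pap: No "known good" password')
NO_AUTH_TYPE = re.compile(r"^ERROR: \((\d+)\) No Auth-Type found")
SENT = re.compile(r"^\((\d+)\) Sent (Access-\w+) Id \d+")

def _req(reqs, num):
    return reqs.setdefault(num, {"modules": [], "findings": [], "result": None})

def analyse(log):
    """Group debug lines by request: module return codes, notable warnings/errors, reply sent."""
    reqs = {}
    for line in log.splitlines():
        if m := MODULE_RC.match(line):
            _req(reqs, m.group(1))["modules"].append((m.group(2), m.group(3)))
        elif m := NO_KNOWN_GOOD.match(line):
            _req(reqs, m.group(1))["findings"].append("pap: no known-good password")
        elif m := NO_AUTH_TYPE.match(line):
            _req(reqs, m.group(1))["findings"].append("no Auth-Type set")
        elif m := SENT.match(line):
            _req(reqs, m.group(1))["result"] = m.group(2)
    return reqs

def diagnose(req):
    """Explain a rejected request in terms of what the authorize section actually did."""
    mods = dict(req["modules"])
    if req["result"] != "Access-Reject" or "no Auth-Type set" not in req["findings"]:
        return "no authorize-stage problem detected"
    if mods.get("ldap") == "ok" and "pap: no known-good password" in req["findings"]:
        return ("user found in LDAP but no password attribute was returned, "
                "so pap could not set Auth-Type")
    return "no module set Auth-Type; check the authorize section"
```

Run it on a saved radiusd -X capture with `for n, r in analyse(open("debug.log").read()).items(): print(n, r["result"], diagnose(r))`.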