Authenticating users on LDAP based on Group name
Brendan Kearney
bpk678 at gmail.com
Wed Mar 25 21:41:36 CET 2015
> I could authenticate the users of the LDAP successfully but when I try to
> authenticate using group membership options it fails with the following
> logs.
>
You do not authenticate using group membership. You authorize using
group membership. You must authenticate an identity before you can
authorize it.
> Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default>
> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests.
> Wed Mar 25 13:39:27 2015 : Auth: Invalid user ( [ldap] Pairs do not
> match): [administrator] (from client squid port 111)
> Wed Mar 25 13:39:33 2015 : Auth: Invalid user ( [ldap] Pairs do not
> match): [administrator] (from client squid port 111)
> Wed Mar 25 13:39:34 2015 : Auth: Invalid user ( [ldap] Pairs do not
> match): [administrator] (from client squid port 111)
>
> On pfsense I do not see an option to run in debug mode, but probably you
> can help me with the pfsense produced ldap conf file. I do not use fancy
> stuff. After I get it working I may try to add TLS configuration to have
> encrypted comm or passwords.
>
> The LDAP is an Active Directory on a Windows 2003 Server.
> The group name is InternetAccess. (Is this case sensitive?)
> I do not have a radiusprofile; where there is a mention of radiusprofile, it is a
> default generated line. (In pfsense I may change the line but cannot
> remove it or comment it.)
>
> LDAP CONF:
>
> /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
> # -*- text -*-
> #
> # $
>
> # Lightweight Directory Access Protocol (LDAP)
> #
> # This module definition allows you to use LDAP for
> # authorization and authentication.
> #
> # See raddb/sites-available/default for reference to the
> # ldap module in the authorize and authenticate sections.
> #
> # However, LDAP can be used for authentication ONLY when the
> # Access-Request packet contains a clear-text User-Password
> # attribute. LDAP authentication will NOT work for any other
> # authentication method.
> #
> # This means that LDAP servers don't understand EAP. If you
> # force "Auth-Type = LDAP", and then send the server a
> # request containing EAP authentication, then authentication
> # WILL NOT WORK.
> #
> # The solution is to use the default configuration, which does
> # work.
> #
> # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
> # really can't emphasize this enough.
> #
> ldap {
> #
> # Note that this needs to match the name in the LDAP
> # server certificate, if you're using ldaps.
> server = "jetsms-srv2003.jetdom.local"
> port = "389"
> identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
> password = Mypassword
> basedn = "cn=Users,dc=jetdom,dc=local"
> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> base_filter = "(objectclass=radiusprofile)"
>
> # How many connections to keep open to the LDAP server.
> # This saves time over opening a new LDAP socket for
> # every authentication request.
> ldap_connections_number = 5
>
> # seconds to wait for LDAP query to finish. default: 20
> timeout = 4
>
> # seconds LDAP server has to process the query (server-side
> # time limit). default: 20
> #
> # LDAP_OPT_TIMELIMIT is set to this value.
> timelimit = 3
>
> #
> # seconds to wait for response of the server. (network
> # failures) default: 10
> #
> # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
> net_timeout = 1
>
> #
> # This subsection configures the tls related items
> # that control how FreeRADIUS connects to an LDAP
> # server. It contains all of the "tls_*" configuration
> # entries used in older versions of FreeRADIUS. Those
> # configuration entries can still be used, but we recommend
> # using these.
> #
> tls {
> # Set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> #
> # The StartTLS operation is supposed to be
> # used with normal ldap connections instead of
> # using ldaps (port 689) connections
> start_tls = no
>
> cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
> cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/
> certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
> keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
> randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
>
> # Certificate Verification requirements. Can be:
> # "never" (don't even bother trying)
> # "allow" (try, but don't fail if the certificate
> # can't be verified)
> # "demand" (fail if the certificate doesn't verify.)
> #
> # The default is "allow"
> require_cert = "never"
> }
>
> ### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###
> ### profile_attribute = "radiusProfileDn" ###
> ### access_attr = "dialupAccess" ###
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${confdir}/ldap.attrmap
> ################## THE BELOW IS NOT COMPILED WITH FREERADIUS #################################
> # Set password_attribute = nspmPassword to get the
> # user's password from a Novell eDirectory
> # backend. This will work ONLY IF FreeRADIUS has been
> # built with the --with-edir configure option.
> #
> # See also the following links:
> #
> # http://www.novell.com/coolsolutions/appnote/16745.html
> #
> # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
> #
> # Novell may require TLS encrypted sessions before returning
> # the user's password.
> #
> # password_attribute = userPassword
>
> # Un-comment the following to disable Novell
> # eDirectory account policy check and intruder
> # detection. This will work *only if* FreeRADIUS is
> # configured to build with --with-edir option.
> #
> edir_account_policy_check = no
> ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS #################################
> #
> # Group membership checking. Disabled by default.
> #
> groupname_attribute = cn
> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
> groupmembership_attribute = InternetAccess
>
The groupmembership_attribute is not the group name in AD, but a RADIUS
Attribute that is returned by LDAP. You have to add the objectClass and
AttributeType to the group object in AD so that it is returned when
queried. Someone will keep me honest if I am incorrect.
> compare_check_items = yes
> do_xlat = yes
> access_attr_used_for_allow = yes
>
> #
> # The following two configuration items are for Active Directory
> # compatibility. If you see the helpful "operations error"
> # being returned to the LDAP module, uncomment the next
> # two lines.
> #
>
> ### MS Active Directory Compatibility is disabled ###
>
> #
> # By default, if the packet contains a User-Password,
> # and no other module is configured to handle the
> # authentication, the LDAP module sets itself to do
> # LDAP bind for authentication.
> #
> # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
> #
> # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
> #
> # You can disable this behavior by setting the following
> # configuration entry to "no".
> #
> # allowed values: {no, yes}
> # set_auth_type = yes
>
> # ldap_debug: debug flag for LDAP SDK
> # (see OpenLDAP documentation). Set this to enable
> # huge amounts of LDAP debugging on the screen.
> # You should only use this if you are an LDAP expert.
> #
> # default: 0x0000 (no debugging messages)
> # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
> #ldap_debug = 0x0028
>
> #
> # Keepalive configuration. This MAY NOT be supported by your
> # LDAP library. If these configuration entries appear in the
> # output of "radiusd -X", then they are supported. Otherwise,
> # they are unsupported, and changing them will do nothing.
> #
> keepalive {
> # LDAP_OPT_X_KEEPALIVE_IDLE
> idle = 60
>
> # LDAP_OPT_X_KEEPALIVE_PROBES
> probes = 3
>
> # LDAP_OPT_X_KEEPALIVE_INTERVAL
> interval = 3
> }
> }
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
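As an added illustration (not code from the thread, pfSense or FreeRADIUS) of the authenticate-versus-authorize distinction drawn above, the following models the rlm_ldap decision flow in Python against a constructed in-memory stand-in for the directory: user lookup with the thread's sAMAccountName filter and its Stripped-User-Name fallback, a group check, and the bind. The directory entries, passwords and the use of memberOf as the membership attribute are assumptions, and xlat, find_user, in_group, bind and process are hypothetical names.

```python
import re

# Constructed stand-in for the AD entries under cn=Users,dc=jetdom,dc=local
# (account names, passwords and group DNs are made up for this example).
DIRECTORY = {
    "cn=administrator,cn=users,dc=jetdom,dc=local": {"sAMAccountName": "administrator",
        "password": "Passw0rd!", "memberOf": ["CN=Domain Admins,CN=Users,DC=jetdom,DC=local"]},
    "cn=alice,cn=users,dc=jetdom,dc=local": {"sAMAccountName": "alice",
        "password": "s3cret", "memberOf": ["CN=internetaccess,CN=Users,DC=jetdom,DC=local"]},
}
INNER = re.compile(r"%\{([^{}]*)\}")

def xlat(template, request):
    """Expand %{Attr} innermost-first, incl. the %{%{A}:-%{B}} fallback form used in the thread's filter."""
    while (m := INNER.search(template)):
        first, sep, alt = m.group(1).partition(":-")
        value = (first or alt) if sep else request.get(m.group(1), "")  # %{first:-alt} or %{Attr}
        template = template[:m.start()] + value + template[m.end():]
    return template

def find_user(request):
    """authorize, step 1: the entry matched by the configured user filter."""
    filt = xlat("(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})", request)
    wanted = re.fullmatch(r"\(sAMAccountName=(.*)\)", filt).group(1).lower()
    return next((dn for dn, e in DIRECTORY.items()      # AD matches case-insensitively
                 if e["sAMAccountName"].lower() == wanted), None)

def in_group(dn, group_cn, attr="memberOf"):
    """authorize, step 2: Ldap-Group style check on the user's membership
    attribute (memberOf assumed for AD); LDAP DN matching ignores case."""
    cns = (g.split(",", 1)[0].split("=", 1)[1] for g in DIRECTORY[dn][attr])
    return any(cn.lower() == group_cn.lower() for cn in cns)

def bind(dn, password):
    """authenticate: bind as the user's DN with the clear-text User-Password (PAP only).
    An empty password is refused: a simple bind without one is anonymous and 'succeeds'."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password != "" and entry["password"] == password

def process(request, required_group="InternetAccess"):
    """authorize (lookup, then group) runs before authenticate (bind); a group match never replaces the bind."""
    dn = find_user(request)
    if dn is None:
        return "reject: user not found"
    if not in_group(dn, required_group):
        return "reject: not authorized (not in group)"
    if not bind(dn, request.get("User-Password", "")):
        return "reject: authentication failed (bind)"
    return "accept"
```

Note that "administrator" is rejected on the group check even with the right password, while a correct group and a wrong (or empty) password is still a rejection at the bind: group membership narrows who is allowed, it never proves who is asking.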
More information about the Freeradius-Users
mailing list