Help PLease

Adam Schappell aschappell at clearedgeit.com
Mon Mar 30 18:56:57 CEST 2015


Yes, I did bind with that command and everything was successful, and I have
the same setup in FreeRADIUS. That was an old post that you pasted and I am
not using those credentials anymore.

This is from a couple of seconds ago:

[ldap] performing user authorization for radius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
  [ldap] ldap_search() failed: LDAP connection lost.
  [ldap] Attempting reconnect
  [ldap] attempting LDAP reconnection
  [ldap] closing existing LDAP connection
  [ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 0
  [ldap] bind as cn=radius,ou=users,ou=jessup,ou=clearedge,dc=corp,dc=clearedgeit,dc=com/ceadmin to dc1.corp.clearedgeit.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "radius" with password "ceadmin"
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> radius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 144 to 127.0.0.1 port 44267
Waking up in 4.9 seconds.
Cleaning up request 4 ID 144 with timestamp +3796
Ready to process requests.


Adam Schappell
System Administrator II
Clearedge IT Solutions, LLC
10620 Guilford Road
Jessup, MD 20794
Office:443-212-4712
Fax:443-212-4809
www.ClearEdgeIT.com


On Mon, Mar 30, 2015 at 12:37 PM, Michael Ströder <michael at stroeder.com>
wrote:

> Adam Schappell wrote:
>
>> I can
>> successfully do a ldapsearch and everything pops up successfully.
>>
>
> Did you bind to AD's LDAP server with
> ldapsearch [..] -D <identity> -w <password>
> with the very same values used in FreeRADIUS configuration or for RADIUS
> login?
>
> From one of your former postings it seems that FreeRADIUS is using filter
> (uid=aschappell) to search for your user account.
>
> Is attribute 'uid' actually set in your AD user account? This is rather
> unusual. By default MS AD stores the user name in attribute 'sAMAccountName'.
> So you'd have to change your FreeRADIUS LDAP configuration to use this
> attribute when generating the search filter.
>
> Well, another log of you shows:
>
> ---------------------- snip ----------------------
>   [ldap] bind as cn=Adam L. Schappell,ou=Domain Admins,ou=Users,ou=Jessup,ou=ClearEdge,dc=corp,dc=clearedge,dc=com/Schappell##113 to corp.clearedgeit.com:389
>
>   [ldap] waiting for bind result ...
>
>   [ldap] LDAP login failed: check identity, password settings in ldap
> section of radiusd.conf
> ---------------------- snip ----------------------
>
> It seems in this case the user entry was found but LDAP simple bind
> failed. You should check whether AD account got locked during your failing
> attempts.
>
> Ciao, Michael.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
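
Added example, not code from either poster or from the FreeRADIUS project: a small Python script that takes a radiusd -X excerpt like the one in this thread, re-joins the lines the mail client wrapped, redacts the two passwords that rlm_ldap 2.x prints in clear (the bind line reads `bind as DN/password to host`, and the authenticate phase logs `login attempt by "user" with password "..."`), and classifies the failure. A successful bind followed by `object not found` on a `(uid=...)` filter points at the filter, since AD keeps the login name in sAMAccountName as Michael's reply above says; `LDAP login failed` after the entry was found points at the password or a locked account. The sample log is constructed from the post (same host, base DN and filter); the unwrap heuristic, the diagnosis wording, the `<redacted>` marker and the ldapsearch invocation it builds are my assumptions, not anything FreeRADIUS emits or documents.

```python
"""Triage of FreeRADIUS 2.x rlm_ldap debug output (radiusd -X)."""
import re
import shlex

# Constructed sample, modelled on the debug output quoted in the post
# (same host, base DN and filter; long lines are wrapped the way the mail
# client wrapped them, so unwrap() has to re-join them first).
SAMPLE_LOG = """\
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
  [ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 0
  [ldap] bind as
cn=radius,ou=users,ou=jessup,ou=clearedge,dc=corp,dc=clearedgeit,dc=com/ceadmin
to dc1.corp.clearedgeit.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter
(uid=radius)
  [ldap] object not found
++[ldap] returns notfound
[ldap] login attempt by "radius" with password "ceadmin"
"""

# rlm_ldap (2.x) logs "bind as <dn>/<password> to <host:port>" and
# 'login attempt by "<user>" with password "<pw>"': both secrets in clear.
BIND_RE = re.compile(r"bind as (?P<dn>.+?)/(?P<pw>\S+) to (?P<host>\S+)")
USERPW_RE = re.compile(r'with password "[^"]*"')
SEARCH_RE = re.compile(
    r"performing search in (?P<base>.+?), with filter \((?P<attr>[^=]+)=[^)]*\)")

# Filter to use against AD instead of (uid=...): same xlat, different attribute.
AD_FILTER = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"


def unwrap(text):
    """Re-join the bind DN and filter lines that the mail client wrapped (heuristic)."""
    out = []
    for line in text.splitlines():
        wrapped = out and (out[-1].rstrip().endswith(("bind as", "with filter"))
                           or ("bind as" in out[-1] and line.startswith("to ")))
        if wrapped:
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line)
    return out


def redact(line):
    """Blank the bind password and the user's password before sharing a log."""
    line = BIND_RE.sub(lambda m: f"bind as {m['dn']}/<redacted> to {m['host']}", line)
    return USERPW_RE.sub('with password "<redacted>"', line)


def suggested_filter(filter_template):
    """Swap a (uid=...) filter for the attribute AD actually stores the login name in."""
    return re.sub(r"^\(uid=", "(sAMAccountName=", filter_template)


def triage(text):
    """Classify an rlm_ldap failure from a radiusd -X excerpt."""
    r = {"host": None, "bind_dn": None, "base": None, "filter_attr": None,
         "bind_ok": False, "bind_failed": False, "not_found": False, "diagnosis": ""}
    for line in unwrap(text):
        if m := BIND_RE.search(line):
            r["host"], r["bind_dn"] = m["host"], m["dn"]
        if m := SEARCH_RE.search(line):
            r["base"], r["filter_attr"] = m["base"], m["attr"]
        r["bind_ok"] |= "Bind was successful" in line
        r["bind_failed"] |= "LDAP login failed" in line
        r["not_found"] |= "object not found" in line
    if r["bind_failed"]:
        r["diagnosis"] = (f"simple bind as {r['bind_dn']} was rejected: the entry was found "
                          "but the password failed; check the password (and identity/password "
                          "in the ldap section if this is the service bind) and whether the AD "
                          "account is locked out")
    elif r["bind_ok"] and r["not_found"] and (r["filter_attr"] or "").lower() == "uid":
        r["diagnosis"] = (f"bind OK but (uid=...) matched nothing under {r['base']}: AD keeps "
                          f"the login name in sAMAccountName, so set filter = \"{AD_FILTER}\" "
                          "in the ldap module")
    elif r["bind_ok"] and r["not_found"]:
        r["diagnosis"] = (f"bind OK but ({r['filter_attr']}=...) matched nothing under "
                          f"{r['base']}: check basedn and the filter attribute")
    else:
        r["diagnosis"] = "no rlm_ldap failure in this excerpt"
    return r


def ldapsearch_check(host, bind_dn, base, attr, user):
    """The manual check from the thread: same bind identity and same filter as
    FreeRADIUS uses (-W prompts for the password instead of leaving it in history)."""
    args = ["ldapsearch", "-x", "-H", f"ldap://{host}", "-D", bind_dn, "-W",
            "-b", base, f"({attr}={user})", attr]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for line in unwrap(SAMPLE_LOG):
        print(redact(line))
    result = triage(SAMPLE_LOG)
    print("diagnosis:", result["diagnosis"])
    print(ldapsearch_check(result["host"], result["bind_dn"], result["base"],
                           "sAMAccountName", "radius"))
```

Run it with python3 and it prints the redacted excerpt, the diagnosis and an ldapsearch line to try by hand with the identity FreeRADIUS binds as. Paste radiusd -X output to a list only after passing it through something like redact(): the excerpt in this thread exposes both the service account's bind password and the test user's password.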

