LDAP authentication

chenjiang chenjiang at microshield.com.cn
Tue May 19 05:11:16 CEST 2015

   Hi! Experts

   Sorry for disturbing, I try to use LDAP as FreeRADIUS backend DB to
   authentication Windows2008 domain users but the POC test is failed, do
   you have experience on this and could shed some light on it? Thanks for
   your support.

    My FreeRADIUS LDAP related configuration listed below:

   more /etc/raddb/modules/ldap


   ldap {


   #  Note that this needs to match the name in the LDAP

   #  server certificate, if you're using ldaps.

   server = ""

   identity = "cn=Administrator,cn=Users,dc=ms,dc=local"

   password = "1qaz!QAZ"

   basedn = "dc=ms,dc=local"

   filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

   ldap_connections_number = 5

   # seconds to wait for LDAP query to finish. default: 20

   timeout = 20

   #  seconds LDAP server has to process the query (server-side

   #  time limit). default: 20


   #  LDAP_OPT_TIMELIMIT is set to this value.

   timelimit = 20


   And my radiusd -X output as below, you could see there is Access-Reject
   messages sent to NAS.

   rad_recv: Access-Request packet from host port 49603,
   id=77, length=253

           NAS-IP-Address =

           NAS-Port = 0

           NAS-Port-Type = Wireless-802.11

           User-Name = "lab"

           Service-Type = Login-User

           Calling-Station-Id = "F437B7011933"

           Called-Station-Id = "000B86999D57"

           MS-CHAP-Challenge = 0xbd38014db9614219e63be5946a2e5e37

           MS-CHAP2-Response =

           Aruba-Essid-Name = "microshield-lab"

           Aruba-Location-Id = "lab-AP-1"

           Aruba-Attr-10 = 0x6d6963726f736869656c642d6c6162

           Aruba-Attr-12 = 0x6950686f6e65

           Message-Authenticator = 0x530723b754043a3c9ff8cdc151e2ed87

   # Executing section authorize from file

   +- entering group authorize {...}

   ++[preprocess] returns ok

   ++[digest] returns noop

   [suffix] No '@' in User-Name = "lab", looking up realm NULL

   [suffix] No such realm "NULL"

   ++[suffix] returns noop

   [ldap] performing user authorization for lab

   [ldap]  expand: %{Stripped-User-Name} ->

   [ldap]  ... expanding second conditional

   [ldap]  expand: %{User-Name} -> lab

   [ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
   -> (sAMAccountName=lab)

   [ldap]  expand: dc=ms,dc=local -> dc=ms,dc=local

     [ldap] ldap_get_conn: Checking Id: 0

     [ldap] ldap_get_conn: Got Id: 0

     [ldap] performing search in dc=ms,dc=local, with filter

   [ldap] looking for check items in directory...

   [ldap] looking for reply items in directory...

   WARNING: No "known good" password was found in LDAP.  Are you sure that
   the user is configured correctly?

   [ldap] user lab authorized to use remote access

     [ldap] ldap_release_conn: Release Id: 0

   ++[ldap] returns ok

   ++[expiration] returns noop

   ++[logintime] returns noop

   Failed to authenticate the user.

   Using Post-Auth-Type Reject

   # Executing group from file /etc/raddb/sites-enabled/default

   +- entering group REJECT {...}

   [sql]   expand: %{User-Name} -> lab

   [sql] sql_set_user escaped user --> 'lab'

   [sql]   expand: %{User-Password} ->

   [sql]   ... expanding second conditional

   [sql]   expand: %{Chap-Password} ->

   [sql]   expand: INSERT INTO radpostauth
   (username, pass, reply, authdate)                           VALUES (
   '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
               (username, pass, reply, authdate)
   VALUES (                           'lab',                           '',
                             'Access-Reject', '2015-05-18 13:53:47')

   rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
                     (username, pass, reply, authdate)
         VALUES (                           'lab',
     '',                           'Access-Reject', '2015-05-18 13:53:47')

   rlm_sql (sql): Reserving sql socket id: 2

   rlm_sql (sql): Released sql socket id: 2

   ++[sql] returns ok

   [attr_filter.access_reject]     expand: %{User-Name} -> lab

   attr_filter: Matched entry DEFAULT at line 11

   ++[attr_filter.access_reject] returns updated

   Sending Access-Reject of id 77 to port 49603

   Finished request 26.

   Chen Jiang
   Microshield Technology Co., Ltd
   å京å¸æµ·æ·åºè¥¿ä¸ç¯åè·¯50å·è±ªæ大å¦C2座18-19å± 100048
   [1]chenjiang at microshield.com.cn


   1. mailto:chenjiang at microshield.com.cn

More information about the Freeradius-Users mailing list