authenticating against local LDAP and Jumpcloud LDAP

Michael Martinez mwtzzz at gmail.com
Thu Feb 18 21:03:11 CET 2016


Ok, bit by bit I'm learning how freeradius works and making progress.
The suggestion to look at the man page for unlang was very helpful,
there's a lot of good information in there. Also the suggestion to
test the inner tunnel with "radtest" has been useful.

I've gotten a working configuration where my local ldap users are
authenticated with PAM and jumpcloud users are authenticated with the
little script I mentioned earlier. All this through the inner tunnel
in EAP/TTLS-PAP. The way I have set this up is in inner-tunnel I have:

if ("%{User-Name}" =~ /jumpcloud/i) {
        update control {
                Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'`
        }
        update reply {
                Reply-Message = "Hello jumpcloud ldap user"
        }
}
If it doesn't match then it defaults to PAM because I have DEFAULT
Auth-Type = PAM in the users file. One question: I know Alan and the
docs always say not to set the auth type manually. I would like to
know how to configure it so it will automatically recognize and
configure the user with PAM.

I also at Alan's suggestion added the following lines at the end of proxy.conf:
realm "jumpcloud" {
        auth_pool = my_auth_failover
}


Ok, moving on. I would like to use ldap instead of PAM. So what I did
in the inner-tunnel file was uncomment "ldap" in the authorize
section, and uncomment Auth-Type LDAP { ldap } in the authenticate
section. Then I modified modules/ldap as follows:

        server = "<ip address>"
        identity = "cn=Manager,dc=xxxx"
        password = xxxxxxx
        basedn = "ou=People,dc=xxxx"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"

then I uncommented the "DEFAULT Auth-Type = PAM" line in users, so
that I'm not explicitly setting the auth-type anywhere. Then I run
"radtest test2 testing 127.0.0.1:18120 0 xxxxx" and here's what the log
shows. It binds to ldap, looks up the user and grabs the password. But
bombs out with an error that the Auth-Type isn't set. What am I doing
wrong?

Thu Feb 18 11:43:42 2016 : Info: [ldap]         expand: %{Stripped-User-Name} ->
Thu Feb 18 11:43:42 2016 : Info: [ldap]         ... expanding second conditional
Thu Feb 18 11:43:42 2016 : Info: [ldap]         expand: %{User-Name} -> test2
Thu Feb 18 11:43:42 2016 : Info: [ldap]         expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test2)
Thu Feb 18 11:43:42 2016 : Info: [ldap]         expand: ou=People,dc=xxxx -> ou=People,dc=xxxx
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] attempting LDAP reconnection
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] (re)connect to <ip>:389, authentication 0
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] bind as cn=Manager,dc=xxxx/xxxxxx to <ip>:389
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] waiting for bind result ...
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] Bind was successful
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] performing search in ou=People,dc=xxxx, with filter (uid=test2)
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] userPassword -> Password-With-Header == "{crypt}v0EA8plSCTsuk"
Thu Feb 18 11:43:42 2016 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Feb 18 11:43:42 2016 : Info: ++[ldap] returns ok
Thu Feb 18 11:43:42 2016 : Info: ++[expiration] returns noop
Thu Feb 18 11:43:42 2016 : Info: ++[logintime] returns noop
Thu Feb 18 11:43:42 2016 : Info: ++[pap] returns noop
Thu Feb 18 11:43:42 2016 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Thu Feb 18 11:43:42 2016 : Info: Failed to authenticate the user.
Thu Feb 18 11:43:42 2016 : Info: } # server inner-tunnel
Thu Feb 18 11:43:42 2016 : Info: Using Post-Auth-Type Reject


On Tue, Feb 16, 2016 at 12:53 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Feb 16, 2016, at 2:46 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
>>>  Why not just configure LDAP directly in FreeRADIUS?  The server has done LDAP for oh, 15 years now.
>
>   Yes.  Most users should be using email addresses for their identifiers.  i.e. "user at my.domain.tld".  That way you can easily distinguish users from different domain.

Unfortunately jumpcloud doesn't permit an "@" symbol in their
usernames. I've submitted a feature request to them to allow this.
I've gotten around this meanwhile by creating a username as
"user.jumpcloud"

On Tue, Feb 16, 2016 at 12:20 PM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
>> Is wpa_supplicant appropriate for this? I downloaded it, but having
>> compile issues so I haven't been able to try it.
>
> what compilation issues? it's usually just the libnl/libnl-devel packages

../src/drivers/driver_nl80211.c:17:31: fatal error:
netlink/genl/genl.h: No such file or directory
compilation terminated.

fixed it with apt-get install libnl1 libnl-dev


-- 
---
Michael Martinez
http://www.michael--martinez.com
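Added example, not part of the post above and not FreeRADIUS code. The debug log shows rlm_ldap reading the user's userPassword and handing it to the rest of the inner-tunnel as Password-With-Header == "{crypt}v0EA8plSCTsuk": a scheme prefix in braces followed by the stored hash. When the pap module does get to authenticate such a value, it strips that prefix and checks the cleartext User-Password from the tunnel with the matching algorithm. The Python below re-implements that header dispatch for a subset of the schemes FreeRADIUS and OpenLDAP use ({clear}, {SHA}/{SHA1}, {SSHA}/{SSHA1}, {MD5}, {SMD5}, {crypt}); the make_* helpers and the sample values they produce are constructed here for the example, and {crypt} is delegated to Python's crypt module where it still exists. One caveat this makes visible: pulling userPassword over the manager bind means cn=Manager can read every user's password hash, which is a wider privilege than an LDAP bind-as-the-user check needs.

```python
"""Verify a User-Password against an LDAP userPassword value carried as
Password-With-Header, the form rlm_ldap hands over in the log above.

Added illustration only (not rlm_pap): same header dispatch, subset of schemes.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

try:
    import crypt  # crypt(3) wrapper; deprecated in 3.11, removed in 3.13
except ImportError:  # pragma: no cover
    crypt = None

_HEADER_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)

# Salted digests (RFC 2307 / OpenLDAP layout): base64(digest(pw || salt) || salt)
_SALTED = {"SSHA": ("sha1", 20), "SSHA1": ("sha1", 20), "SMD5": ("md5", 16)}
# Unsalted digests: base64(digest(pw))
_PLAIN = {"SHA": "sha1", "SHA1": "sha1", "MD5": "md5"}


def split_header(value: str) -> Tuple[str, str]:
    """Return (SCHEME, payload). A value with no {scheme} prefix is cleartext."""
    m = _HEADER_RE.match(value)
    if not m:
        return "CLEAR", value
    return m.group(1).upper(), m.group(2)


def verify_password_with_header(stored: str, candidate: str) -> bool:
    """True if candidate matches the stored userPassword value.

    All comparisons go through hmac.compare_digest so a wrong password costs
    the same time regardless of where the first differing byte sits.
    Unknown schemes raise instead of silently falling back to cleartext.
    """
    scheme, payload = split_header(stored)
    pw = candidate.encode("utf-8")

    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), pw)

    if scheme in _PLAIN:
        digest = hashlib.new(_PLAIN[scheme], pw).digest()
        return hmac.compare_digest(base64.b64decode(payload), digest)

    if scheme in _SALTED:
        algo, dlen = _SALTED[scheme]
        raw = base64.b64decode(payload)
        digest, salt = raw[:dlen], raw[dlen:]  # salt is whatever follows the digest
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)

    if scheme == "CRYPT":
        if crypt is None:
            raise NotImplementedError("{crypt} needs crypt(3); not available here")
        # crypt(3) takes the stored value as the salt and must reproduce it exactly
        return hmac.compare_digest(crypt.crypt(candidate, payload).encode(), payload.encode())

    raise ValueError("unsupported password scheme {%s}" % scheme)


# --- helpers that build sample userPassword values (constructed for this example) ---

def make_sha(password: str) -> str:
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_smd5(password: str, salt: bytes) -> str:
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    # Constructed sample, standing in for what rlm_ldap would fetch for test2.
    stored = make_ssha("testing", b"\x01\x02\x03\x04")
    print(stored, verify_password_with_header(stored, "testing"))
    print(split_header("{crypt}v0EA8plSCTsuk"))
```

The stored value from the log is only split here, not verified, since {crypt} output depends on the platform's crypt(3); everything else runs offline on the constructed samples.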


More information about the Freeradius-Users mailing list