authenticating against local LDAP and Jumpcloud LDAP
Alan DeKok
aland at deployingradius.com
Thu Feb 18 21:39:34 CET 2016
On Feb 18, 2016, at 3:03 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
>
> Ok, bit by bit I'm learning how freeradius works and making progress.
> The suggestion to look at the man page for unlang was very helpful;
> there's a lot of good information in there. Also the suggestion to
> test the inner tunnel with "radtest" has been useful.
That's good.
> I've gotten a working configuration where my local ldap users are
> authenticated with PAM
Please no. Please use the LDAP module. PAM has all kinds of problems.
> and jumpcloud users are authenticated with the
> little script I mentioned earlier. All this through the inner tunnel
> in EAP/TTLS-PAP. The way I have set this up is in inner-tunnel I have:
>
> if ("%{User-Name}" =~ /jumpcloud/i) {
>     update control {
>         Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'`
>     }
>     update reply {
>         Reply-Message = "Hello jumpcloud ldap user"
>     }
> }
You should really do instead:
suffix
if (Realm == "jumpcloud") {
    update control {
        Auth-Type := `/opt/RadiusCheck/CheckUser.sh '%{Stripped-User-Name}' '%{User-Password}'`
    }
}
else {
    ldap # local users
}
There's no need to run /bin/bash, if the CheckUser.sh script is executable.
And you should key off of realms, like I suggested. And use the Stripped-User-Name, which is the user name without the realm.
> If it doesn't match then it defaults to PAM because I have DEFAULT
> Auth-Type = PAM in the users file.
And don't do that. Just use LDAP in "authorize", and let the server figure it out.
> One question: I know Alan and the
> docs always say not to set the auth type manually. I would like to
> know how to configure it so it will automatically recognize and
> configure the user with PAM.
You don't. FreeRADIUS is an *authentication server*. You should have *FreeRADIUS* do authentication. Not anything else.
> I also at Alan's suggestion added the following lines at the end of proxy.conf:
> realm "jumpcloud" {
>     auth_pool = my_auth_failover
> }
I didn't say that. I suggested:
realm jumpcloud {
}
which makes it a local realm. You don't need to proxy the jumpcloud users.
> Ok, moving on. I would like to use ldap instead of PAM. So what I did
> in the inner-tunnel file was uncomment "ldap" in the authorize
> section, and uncomment Auth-Type LDAP { ldap } in the authenticate
> section. Then I modified modules/ldap as follows:
>
> server = "<ip address>"
> identity = "cn=Manager,dc=xxxx"
> password = xxxxxxx
> basedn = "ou=People,dc=xxxx"
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> #base_filter = "(objectclass=radiusprofile)"
>
> then I uncommented the "DEFAULT Auth-Type = PAM" line in users, so
> that I'm not explicitly setting the auth-type anywhere.
That's good.
> Then I run "radtest test2 testing 127.0.0.1:18120 0 xxxxx" and here's what the log
> shows. It binds to ldap, looks up the user and grabs the password. But
> bombs out with an error that the Auth-Type isn't set. What am I doing
> wrong?
>
> Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{Stripped-User-Name} ->
> Thu Feb 18 11:43:42 2016 : Info: [ldap] ... expanding second conditional
> Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{User-Name} -> test2
> Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test2)
> Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: ou=People,dc=xxxx -> ou=People,dc=xxxx
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] attempting LDAP reconnection
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] (re)connect to <ip>:389, authentication 0
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] bind as cn=Manager,dc=xxxx/xxxxxx to <ip.>:389
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] waiting for bind result ...
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] Bind was successful
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] performing search in ou=People,dc=xxxx, with filter (uid=test2)
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] userPassword -> Password-With-Header == "{crypt}v0EA8plSCTsuk"
> Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
> Thu Feb 18 11:43:42 2016 : Info: ++[ldap] returns ok
> Thu Feb 18 11:43:42 2016 : Info: ++[expiration] returns noop
> Thu Feb 18 11:43:42 2016 : Info: ++[logintime] returns noop
> Thu Feb 18 11:43:42 2016 : Info: ++[pap] returns noop
> Thu Feb 18 11:43:42 2016 : Info: ERROR: No authenticate method
Which version are you running? If it's 2.1.12, stop wasting your time, and upgrade to 3.0. Or even 2.2.9.
The PAP module *should* recognize crypt'd passwords and authenticate them.
> Unfortunately jumpcloud doesn't permit an "@" symbol in their
> usernames. I've submitted a feature request to them to allow this.
> I've gotten around this meanwhile by creating a username as
> "user.jumpcloud"
So tell your users "user@jumpcloud", configure a "jumpcloud" realm as I suggested, use Stripped-User-Name, and the server will figure it out.
Alan DeKok.
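Putting the pieces of this reply together in one place, as an added example rather than Alan's own configuration: the local realm in proxy.conf, realm-based dispatch in the inner-tunnel authorize section, and pap handling the {crypt} password the ldap module returns. The FreeRADIUS 3.0 file layout and the /opt/RadiusCheck/CheckUser.sh path come from the thread; what the script prints is an assumption.

```text
# proxy.conf: declare jumpcloud as a LOCAL realm. With no auth_pool or
# home server inside the block the request is never proxied; the suffix
# module only uses it to recognise and strip the "@jumpcloud" part.
realm jumpcloud {
}

# sites-enabled/inner-tunnel: the EAP-TTLS/PAP inner request lands here.
authorize {
    # Split "bob@jumpcloud" into Stripped-User-Name = "bob", Realm = "jumpcloud".
    # A bare "bob" leaves Realm unset and falls through to the else branch.
    suffix

    if (Realm == "jumpcloud") {
        update control {
            # Assumption: the script prints a valid Auth-Type value such as
            # "Accept" or "Reject". The cleartext password is an argv element,
            # so it is visible in the process table while the script runs.
            Auth-Type := `/opt/RadiusCheck/CheckUser.sh '%{Stripped-User-Name}' '%{User-Password}'`
        }
        update reply {
            Reply-Message = "Hello jumpcloud ldap user"
        }
    }
    else {
        # Local users: the ldap module reads userPassword and stores it as
        # Password-With-Header, e.g. "{crypt}...". No Auth-Type is set here.
        ldap
    }

    # pap recognises the {crypt} header, converts it to Crypt-Password and
    # sets Auth-Type := PAP by itself, so no "DEFAULT Auth-Type" entry in the
    # users file is needed. If pap still "returns noop" and the server logs
    # "No authenticate method", as in the thread, the fix is to upgrade.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    # Only used if something sets Auth-Type := LDAP (bind as the user); not
    # needed when the password hash is readable by the bind identity above.
    Auth-Type LDAP {
        ldap
    }
}
```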