LDAP + SASL Freeradius 3.0.11

Danner, Mearl jmdanner at samford.edu
Thu May 5 23:20:37 CEST 2016



> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-
> bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of
> Matthew Beckler
> Sent: Thursday, May 05, 2016 3:25 PM
> To: Freeradius-Users at lists.freeradius.org
> Subject: LDAP + SASL Freeradius 3.0.11
> 
> Hello,
> 
> I'm currently learning Freeradius so most of this is new to me.
> My ultimate goal is to authenticate users via winbind and check group
> membership via LDAP to Active Directory in post_auth.
> I was feeling good until I got to the ldap section.
> 
> I have the following working:
> Winbind authentication
> LDAPSearch is working for testing with: ldapsearch -LLL -Y "DIGEST-MD5" -h dc.dc.local -U ldaplookup -W -b "ou=Users,ou=OU,dc=dc,dc=local" sAMAccountName=usertoget
> 
> However when running freeradius -X I receive the following:
> 
> rlm_ldap (ldap): Connecting to ldap://dc.dc.local:389
> rlm_ldap (ldap): Starting SASL mech(s): DIGEST-MD5
> SASL/DIGEST-MD5 authentication started
> rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
> rlm_ldap (ldap): Server said: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1.
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /etc/freeradius/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> 
> 
> Obviously I have checked the username and password at least 10 times and
> pasted them in. It appears 52e means correct username but bad password.
> 
> I'm probably setting up my ldap config wrong, so here are the sections I have
> changed; I did not change anything else below this line. Maybe I'm doing this
> totally incorrectly.
> 
> ldap {
> 
>         server = 'dc.dc.local'
>         #  Port to connect on, defaults to 389, will be ignored for LDAP URIs.
> #       port = 389
>         #  Administrator account for searching and possibly modifying. If using SASL + KRB5 these should be commented out.
>         identity = 'ldaplookup'

You'll probably need the FQDN of the user, i.e. cn=ldaplookup, ..........

>         password = ****************
>         #  Unless overridden in another section, the dn from which all searches will start from.
>         base_dn = 'ou=Users,ou=Company,dc=dc,dc=local'

Also, with most AD implementations the Users container is CN= rather than OU=


>         #
>         #  SASL parameters to use for admin binds
>         #
>         #  When we're prompted by the SASL library, these control the responses given, as well as the identity and password directives above.
>         #
>         #  If any directive is commented out, a NULL response will be provided to cyrus-sasl.
>         #
>         #  Unfortunately the only way to control Kerberos here is through environment variables, as cyrus-sasl provides no API to set the krb5 config directly.
>         #
>         #  Full documentation for MIT krb5 can be found here:
>         #
>         #       http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
>         #
>         #  At a minimum you probably want to set KRB5_CLIENT_KTNAME.
>         #
>         sasl {
>                 # SASL mechanism
>                 mech = 'DIGEST-MD5'
>                 # SASL authorisation identity to proxy.
> #               proxy = 'autz_id'
>                 # SASL realm. Used for kerberos.
> #               realm = 'example.org'
>         }
> 
> 
> Thanks for any assistance
> Matt
> 
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
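
As an added illustration (not code from the original post, from FreeRADIUS or from cyrus-sasl) of what the identity, password and sasl directives above actually feed into: the RFC 2831 DIGEST-MD5 computation in plain Python, run first as the client and then as the server that checks the response. The challenge, user ("chris"), realm ("elwood.innosoft.com"), cnonce and password ("secret") are the RFC 2831 section 4 test vector, not the poster's domain; the DN-form username tried in the demo and the name the server has on file are assumptions made for the demo. What it shows is that the username and realm are hashed verbatim together with the password, so the identity the module hands to cyrus-sasl must be the exact string the server keyed the account under for this mechanism; a different spelling of the same account fails exactly like a wrong password does, which is why "invalid credentials" cannot by itself tell the two apart.

```python
# Added illustration (not FreeRADIUS or cyrus-sasl code): the RFC 2831
# DIGEST-MD5 arithmetic that turns identity/realm/password into the
# "response" the server checks. Test vector from RFC 2831 section 4.
import hashlib
import hmac
import re


def _h(data: bytes) -> bytes:
    """H(): raw 16-byte MD5 (RFC 2831 section 2.1.2.1)."""
    return hashlib.md5(data).digest()


def _hh(data: bytes) -> str:
    """HEX(H()): lowercase hex MD5."""
    return hashlib.md5(data).hexdigest()


def parse_directives(text: str) -> dict:
    """Parse the comma-separated key=value / key="value" list used by both
    the server challenge and the client response (quoted commas allowed)."""
    pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]*)', text)
    return {k: v[1:-1] if v.startswith('"') else v for k, v in pairs}


def digest_md5_response(username, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth", authzid=None, rspauth=False):
    """response-value (or rspauth-value when rspauth=True) per RFC 2831 2.1.2.1.

    A1 = H(username:realm:password) ":" nonce ":" cnonce [":" authzid]
    A2 = "AUTHENTICATE:" digest-uri      (rspauth uses ":" digest-uri)
    response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    """
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:                      # the module's sasl.proxy directive
        a1 += f":{authzid}".encode("utf-8")
    a2 = (b"" if rspauth else b"AUTHENTICATE") + f":{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    kd_input = f"{_hh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hh(a2)}"
    return _hh(kd_input.encode("utf-8"))


def client_step(challenge, username, password, cnonce, digest_uri, authzid=None):
    """Build the client's response directives from a server challenge.
    Returns (directive string, response hex)."""
    ch = parse_directives(challenge)
    resp = digest_md5_response(username, ch["realm"], password, ch["nonce"],
                               cnonce, digest_uri, authzid=authzid)
    parts = [
        "charset=utf-8", f'username="{username}"', f'realm="{ch["realm"]}"',
        f'nonce="{ch["nonce"]}"', "nc=00000001", f'cnonce="{cnonce}"',
        f'digest-uri="{digest_uri}"', f"response={resp}", "qop=auth",
    ]
    if authzid:
        parts.append(f'authzid="{authzid}"')
    return ",".join(parts), resp


def server_step(client_directives, stored_username, stored_password):
    """Server side: look the client-supplied username up, recompute with the
    password on file, compare in constant time. Returns the rspauth directive
    on success, None on failure (an unknown name and a bad password both fail)."""
    d = parse_directives(client_directives)
    if d["username"] != stored_username:
        return None                  # no account under that exact string
    common = dict(nc=d["nc"], qop=d["qop"], authzid=d.get("authzid"))
    expected = digest_md5_response(stored_username, d["realm"], stored_password,
                                   d["nonce"], d["cnonce"], d["digest-uri"], **common)
    if not hmac.compare_digest(expected, d["response"]):
        return None                  # right user, wrong password
    rspauth = digest_md5_response(stored_username, d["realm"], stored_password,
                                  d["nonce"], d["cnonce"], d["digest-uri"],
                                  rspauth=True, **common)
    return f"rspauth={rspauth}"


# Constructed challenge using the RFC 2831 section 4 values (user "chris",
# password "secret"), not the poster's domain controller.
RFC2831_CHALLENGE = ('realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",'
                     'qop="auth",algorithm=md5-sess,charset=utf-8')


def demo():
    """Run the exchange three ways: correct, wrong password, username in DN form."""
    uri = "imap/elwood.innosoft.com"
    good, resp = client_step(RFC2831_CHALLENGE, "chris", "secret", "OA6MHXh6VqTrRk", uri)
    bad_pw, _ = client_step(RFC2831_CHALLENGE, "chris", "wrong", "OA6MHXh6VqTrRk", uri)
    dn_form, _ = client_step(RFC2831_CHALLENGE, "cn=chris,dc=elwood", "secret",
                             "OA6MHXh6VqTrRk", uri)   # hypothetical DN spelling
    return {
        "response": resp,
        "ok": server_step(good, "chris", "secret"),
        "wrong_password": server_step(bad_pw, "chris", "secret"),
        "dn_as_username": server_step(dn_form, "chris", "secret"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it reproduces the RFC's response (d388dad90d4bbd760a152321f2143af7) and rspauth for the correct pair, and returns None for both the wrong password and the DN-form username, which is the practical check: if the same name works in the ldapsearch -U form but not from the module, compare the exact username string each one sends rather than the password.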


