How to configure non-privileged LDAP bind in FreeRADIUS 3.0.11
Bogdan Rudas
brudas at exadel.com
Mon Sep 5 15:24:48 CEST 2016
Hi,
I would like to configure LDAP authentication for WiFi users with OpenLDAP
back-ends (passwords are hashed). To perform the initial bind to the LDAP
database I use a restricted account which can read the directory tree,
determine the DN of the user and most of its attributes, but can't read
password hashes. Then I expect FreeRADIUS to bind with the DN found in the
previous step and the user-supplied password. But instead of this I get
these messages:
Ready to process requests
(0) User-Name = "brudas"
(0) User-Password = "clearpass"
(0) NAS-IP-Address = 127.0.0.1
(0) NAS-Port = 10
(0) Message-Authenticator = 0x86f22bc484991235fa4335a8b959a351
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "brudas", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (uid=brudas)
(0) ldap: Performing search in "ou=users,dc=office,dc=local" with filter
"(uid=brudas)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "cn=Rudas
Bogdan,ou=users,dc=office,dc=local"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.office.local:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> brudas
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
When I use the admin user account (which can read password hashes) for the
initial bind, the authentication test with radtest works well, but it is not
what I want to do.
I want to keep my OpenLDAP password policy working; this requires a true LDAP
bind attempt with the credentials of the end user.
My final destination is EAP-TTLS with PAP inside. Please help me to
establish the desired LDAP authorization scheme. As far as I know it was
possible in FreeRADIUS 2.1.x, and I believe some additional configuration
is required here.
Thank you.
--
Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
http://www.exadel.com/
E-mail: brudas at exadel.com
Skype ID: bogdan.rudas
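The search-then-bind flow the post asks for, shown as an added configuration example for FreeRADIUS 3.0 (not the author's configuration and not taken from a reply): it assumes the stock 3.0 site layout and an ldap module instance named `ldap` whose `identity`/`password` are the restricted search account, and it goes in the virtual server that handles the PAP leg of EAP-TTLS.

```unlang
# sites-enabled/inner-tunnel (assumed stock FreeRADIUS 3.0 layout).
# For plain PAP tests with radtest the same two blocks are needed in
# sites-enabled/default, since that is the server radtest talks to.

authorize {
    ...
    # Searches as the restricted account and records the user's DN.
    # When that account cannot read the password attribute the module
    # still returns "ok", but adds no "known good" password, which is
    # why pap later refuses to set Auth-Type in the debug output above.
    ldap

    # Switch to a bind-as-user check instead. The stock 3.0 config
    # ships a block like this commented out directly after "ldap".
    if ((ok || updated) && &User-Password && !&control:Auth-Type) {
        update {
            control:Auth-Type := ldap
        }
    }
    ...
    pap
}

authenticate {
    ...
    # Binds to the directory as the DN found in authorize, using the
    # cleartext password sent inside the TTLS tunnel. OpenLDAP's
    # password policy therefore sees a genuine bind from the end-user
    # account, and the service account never needs to read hashes.
    Auth-Type LDAP {
        ldap
    }
    ...
}
```

Run `freeradius -X` after the change and look for `Auth-Type = LDAP` followed by `rlm_ldap (ldap): Bind successful` with the user's DN; a wrong password should now show a bind failure rather than the "No Auth-Type found" rejection above.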