FreeRADIUS 3, FreeBSD, eDirectory
Marco Pirovano
marco.pirovano at unibocconi.it
Tue Aug 1 17:29:54 CEST 2017
Hello list,
we are using FreeRADIUS to authenticate students' wireless access.
It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
Our LDAP server is eDirectory version 8.8.
Now we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on FreeBSD 11.1-RELEASE.
LDAP is still eDirectory 8.8.
The bind to the LDAP server is OK, but the user is not authenticated; the error is:
Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error):
This is the ldap module configuration:
#
#  ICT for testing
#
ldap eDirectory-ICT {
    server = 'ldaps.unibocconi.it'
    port = 636
    identity = 'cn=yyyyyyyyy,ou=Servers,o=INetServices'
    password = xxxxxxx
    base_dn = 'ou=Faculty-Staff,ou=Bocconi,o=INetServices'
    edir = yes
    edir_autz = no

    #
    #  User object identification.
    #
    user {
        base_dn = "${..base_dn}"
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    #
    #  User membership checking.
    #
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }

    #
    #  User profiles.
    #
    profile {
        filter = '(objectclass=radiusprofile)'
    }

    #
    #  Bulk load clients from the directory
    #
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    read_clients = no

    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }

    #
    #  Post-Auth can modify LDAP objects too
    #
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }

    #
    #  LDAP connection-specific options.
    #
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }

    #
    #  This subsection configures the tls related items
    #  that control how FreeRADIUS connects to an LDAP
    #  server.
    #
    tls {
        start_tls = no
        ca_file = ${certdir}/DigiCertAssuredIDRootCA-TERENA-CA3.crt
        ca_path = ${certdir}
        certificate_file = ${certdir}/ldaps.unibocconi.it.crt
        private_key_file = ${certdir}/ldaps.unibocconi.it.key
        random_file = /dev/urandom
        require_cert = 'demand'
    }

    #
    #  ldap_connections_number
    #
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
What's wrong?
Thanks for your help.
Ciao
Marco
--
Marco Pirovano
Infrastrutture e Tecnologie
Information and Communication Technology
Universita' Bocconi
via Gobbi, 5 - 20136 Milano
Tel. +39 02 5836.3173 Fax. +39 02 5836.3160
Windows makes noise, Linux plays music,
but BSD Rocks!
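As an added example (not part of Marco's message and not rlm_ldap code), the script below parses the posted ldap section with a small parser for FreeRADIUS's section/key syntax, resolves the `${..base_dn}` parent references that the user and group subsections rely on, and reports the settings a reviewer checks first when a module like this is debugged: whether the connection is LDAPS or cleartext, whether the directory's certificate is verified, and whether `edir = yes` makes the server read the user's universal password through the bind identity (which must therefore be permitted to read it). The config text is a constructed copy of the section in the post with the same placeholder credentials; the parser and the `effective_settings` and `review_findings` functions are assumptions of this example.

```python
"""Parse a FreeRADIUS-style ldap section, resolve ${..name} references,
and list the security-relevant settings. Example code, not part of FreeRADIUS."""
import re
from typing import Any, Dict, List

# Constructed copy of the ldap section from the post (placeholder credentials kept).
LDAP_SECTION = """
ldap eDirectory-ICT {
    server = 'ldaps.unibocconi.it'
    port = 636
    identity = 'cn=yyyyyyyyy,ou=Servers,o=INetServices'
    password = xxxxxxx
    base_dn = 'ou=Faculty-Staff,ou=Bocconi,o=INetServices'
    edir = yes
    edir_autz = no
    user {
        base_dn = "${..base_dn}"
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    tls {
        start_tls = no
        require_cert = 'demand'
    }
}
"""

SECTION_RE = re.compile(r'^(\w[\w-]*)(?:\s+(\S+))?\s*\{$')   # "name [instance] {"
PAIR_RE = re.compile(r'^([\w-]+)\s*(:?=)\s*(.*)$')           # "key = value" / "key := value"
REF_RE = re.compile(r'\$\{(\.\.)?([\w-]+)\}')                # ${name} or ${..name}


def unquote(value: str) -> str:
    """Strip one matching pair of single or double quotes, as the config parser does."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in ('"', "'"):
        return value[1:-1]
    return value


def parse_section(lines: List[str], i: int = 0):
    """Parse lines[i:] up to the matching '}' into a nested dict; returns (node, next_index)."""
    node: Dict[str, Any] = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith('#'):
            continue
        if line == '}':
            return node, i
        m = SECTION_RE.match(line)
        if m:
            child, i = parse_section(lines, i)
            if m.group(2):
                child['_instance'] = m.group(2)   # e.g. eDirectory-ICT
            node[m.group(1)] = child
            continue
        m = PAIR_RE.match(line)
        if m:
            node[m.group(1)] = unquote(m.group(3))
            continue
        raise ValueError('unparsed line: %r' % line)
    return node, i


def resolve(value: str, ancestors: List[Dict[str, Any]]) -> str:
    """Expand ${name} (same section) and ${..name} (parent section) references.
    `ancestors` is the chain of sections from the outermost down to the current one."""
    def repl(m):
        scope = ancestors[-2] if m.group(1) else ancestors[-1]
        ref = scope.get(m.group(2))
        if not isinstance(ref, str):
            raise KeyError('unresolved reference ' + m.group(0))
        return ref
    return REF_RE.sub(repl, value)


def effective_settings(text: str) -> Dict[str, Any]:
    """Return the resolved search bases and the transport/credential-handling flags."""
    root, _ = parse_section(text.strip().splitlines())
    ldap = root['ldap']
    return {
        'user_base_dn': resolve(ldap['user']['base_dn'], [ldap, ldap['user']]),
        'group_base_dn': resolve(ldap['group']['base_dn'], [ldap, ldap['group']]),
        'user_filter': ldap['user']['filter'],
        'ldaps': ldap['port'] == '636' and ldap['tls']['start_tls'] == 'no',
        'start_tls': ldap['tls']['start_tls'] == 'yes',
        'verifies_server_cert': ldap['tls']['require_cert'] == 'demand',
        'edir_password_retrieval': ldap['edir'] == 'yes',
    }


def review_findings(s: Dict[str, Any]) -> List[str]:
    """Notes a defender would raise about the settings; empty list means nothing to flag."""
    findings = []
    if not s['ldaps'] and not s['start_tls']:
        findings.append('bind credentials and user passwords would cross the network in cleartext')
    if not s['verifies_server_cert']:
        findings.append("require_cert is not 'demand', so a spoofed directory server would be accepted")
    if s['edir_password_retrieval']:
        findings.append('edir = yes reads the universal password via the bind identity; '
                        'that identity must be allowed to read it, or retrieval fails')
    return findings


if __name__ == '__main__':
    settings = effective_settings(LDAP_SECTION)
    for key, val in settings.items():
        print('%-24s %s' % (key, val))
    for note in review_findings(settings):
        print('note:', note)
```

Running it prints the resolved `user_base_dn` (the parent's `base_dn`, because `${..base_dn}` walks one section up) and a single note about the universal-password retrieval; that note is the place to start when the bind succeeds but password retrieval returns an error, since the bind identity, not the user, is what reads the password.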