Freeradius 3.x with LDAP authentication
Adam Cage
adamcage27 at gmail.com
Tue Aug 15 17:58:12 CEST 2017
Dear all, finally I have followed as you said: Authentication with samba,
winbind, ntlm_auth and Authorization with LDAP, but I fails. I post my main
config LDAP files and the debug output in order to get your help please:
*/etc/freeradius/modules/ldap:*
ldap {
server = "ldap.company.com"
identity = "cn=connect,ou=users,dc=company,dc=com"
password = 1234
basedn = "OU=users,DC=company,DC=com"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
max_uses = 0
port = 389
timeout = 4
timelimit = 3
net_timeout = 1
edir_account_policy_check = no
groupmembership_filter =
"(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
chase_referrals = yes
rebind = yes
set_auth_type = no
}
*/etc/freeradius/users:*
DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com"
Service-Type = Login-User
DEFAULT Auth-Type := Reject
*/etc/freeradius/sites-available/default:*
authorize {
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
*ldap*
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
unix
eap
ntlm_auth
}
*/etc/freeradius/sites-available/inner-tunnel:*
server inner-tunnel {
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
authorize {
chap
mschap
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
* ldap*
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
ntlm_auth
}
After that I start "freeradius -XX" and execute:
$ radtest adam 1234abcd 127.0.0.1 0 testing123
And I fail, this is the debug output:
rad_recv: Access-Request packet from host 127.0.0.1 port 47637, id=109,
length=79
User-Name = "adam"
User-Password = "1234abcd"
NAS-IP-Address = 10.10.10.1
NAS-Port = 0
Message-Authenticator = 0x817a524013d20e2d4f40cfbc99661b35
Tue Aug 15 12:38:27 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Tue Aug 15 12:38:27 2017 : Info: +group authorize {
Tue Aug 15 12:38:27 2017 : Info: ++[preprocess] = ok
Tue Aug 15 12:38:27 2017 : Info: ++[chap] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[mschap] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[digest] = noop
Tue Aug 15 12:38:27 2017 : Info: [suffix] No '@' in User-Name = "adam",
looking up realm NULL
Tue Aug 15 12:38:27 2017 : Info: [suffix] No such realm "NULL"
Tue Aug 15 12:38:27 2017 : Info: ++[suffix] = noop
Tue Aug 15 12:38:27 2017 : Info: [eap] No EAP-Message, not doing EAP
Tue Aug 15 12:38:27 2017 : Info: ++[eap] = noop
Tue Aug 15 12:38:27 2017 : Debug: [ldap] Entering ldap_groupcmp()
Tue Aug 15 12:38:27 2017 : Info: [files] expand: OU=
users,DC=company,DC=com -> OU=users,DC=company,DC=com
Tue Aug 15 12:38:27 2017 : Info: [files] expand:
%{Stripped-User-Name} ->
Tue Aug 15 12:38:27 2017 : Info: [files] ... expanding second
conditional
Tue Aug 15 12:38:27 2017 : Info: [files] expand: %{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Info: [files] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] attempting LDAP reconnection
Tue Aug 15 12:38:27 2017 : Debug: [ldap] (re)connect to
ldap.company.com:389, authentication 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] bind as
cn=,ou=connect,ou=users,dc=company,dc=com/wP67yh345 to ldap.company.com:389
Tue Aug 15 12:38:27 2017 : Debug: [ldap] waiting for bind result ...
Tue Aug 15 12:38:27 2017 : Debug: [ldap] Bind was successful
Tue Aug 15 12:38:27 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: [files] expand:
(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dadam\OU\3dUsers\2cOU\DC\3dcompany\2cDC\3dcom)))
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] performing search in
cn=group1,ou=wifi,dc=company,dc=com, with filter
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dUsers\2cDC\3dcompany\2cDC\3dcom)))
Tue Aug 15 12:38:27 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
group cn=group1,ou=wifi,dc=company,dc=com
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: [files] users: Matched entry DEFAULT at
line 207
Tue Aug 15 12:38:27 2017 : Info: ++[files] = ok
Tue Aug 15 12:38:27 2017 : Info: [ldap] performing user authorization for
adam
Tue Aug 15 12:38:27 2017 : Info: [ldap] expand:
%{Stripped-User-Name} ->
Tue Aug 15 12:38:27 2017 : Info: [ldap] ... expanding second
conditional
Tue Aug 15 12:38:27 2017 : Info: [ldap] expand: %{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Info: [ldap] expand:
OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Info: [ldap] No default NMAS login sequence
Tue Aug 15 12:38:27 2017 : Info: [ldap] looking for check items in
directory...
Tue Aug 15 12:38:27 2017 : Info: [ldap] looking for reply items in
directory...
Tue Aug 15 12:38:27 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: ++[ldap] = ok
Tue Aug 15 12:38:27 2017 : Info: ++[expiration] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[logintime] = noop
Tue Aug 15 12:38:27 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Tue Aug 15 12:38:27 2017 : Info: ++[pap] = noop
Tue Aug 15 12:38:27 2017 : Info: +} # group authorize = ok
Tue Aug 15 12:38:27 2017 : Info: *ERROR: No authenticate method (Auth-Type)
found for the request: Rejecting the user*
Tue Aug 15 12:38:27 2017 : Info: Failed to authenticate the user.
Tue Aug 15 12:38:27 2017 : Info: Using Post-Auth-Type REJECT
Tue Aug 15 12:38:27 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Tue Aug 15 12:38:27 2017 : Info: +group REJECT {
Tue Aug 15 12:38:27 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Tue Aug 15 12:38:27 2017 : Info: ++[attr_filter.access_reject] = updated
Tue Aug 15 12:38:27 2017 : Info: +} # group REJECT = updated
Tue Aug 15 12:38:27 2017 : Info: Delaying reject of request 0 for 1 seconds
Tue Aug 15 12:38:27 2017 : Debug: Going to the next request
Tue Aug 15 12:38:27 2017 : Debug: Waking up in 0.9 seconds.
Tue Aug 15 12:38:28 2017 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 109 to 127.0.0.1 port 47637
Tue Aug 15 12:38:28 2017 : Debug: Waking up in 4.9 seconds.
Tue Aug 15 12:38:33 2017 : Info: Cleaning up request 0 ID 109 with
timestamp +8
Tue Aug 15 12:38:33 2017 : Info: Ready to process requests
Special thanks !!!
ADAM
2017-08-15 10:02 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
> On Aug 15, 2017, at 2:49 PM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > Dear Matthew and Alan, I take your advice and I will use my current
> > succesful Freeradius platform for AUTHENTICATION (samba, winbind,
> > ntlm_auth, mschapv2....according to Alan Dekok guide) and I will try to
> use
> > LDAP for AUTHORIZATION as you said.
> >
> > I'm listing my current Debian packages installed in my Freeradius server,
> > and I see freeradius-ldap is not present:
> >
> > freeradius 2.2.5+dfsg-0.2
>
> That version is YEARS out of date.
>
> Please install a recent version of the server. Packages for most
> common OS's are on http://packages.networkradius.com/
>
> > When I go to /etc/freeradius/modules I can see the ldap file, so is it
> > necessary to install freeradius-ldap or not??? Because maybe it's
> > sufficient to edit my current /etc/freeradius/modules/ldap file, I can't
> > understand the sense of having freeradius-ldap package.
>
> The freeradius-ldap package has the rlm_ldap library. The main package
> has the configuration files.
>
> Think of it this way: if freereadius-ldap wasn't needed to do LDAP...
> then why would it exist?
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
More information about the Freeradius-Users
mailing list