Freeradius 3.x with LDAP authentication

Adam Cage adamcage27 at gmail.com
Tue Aug 15 17:58:12 CEST 2017


Dear all, finally I have followed what you said: authentication with samba,
winbind and ntlm_auth, and authorization with LDAP, but it fails. I post my main
LDAP config files and the debug output in order to get your help, please:

/etc/freeradius/modules/ldap:

ldap {
        server = "ldap.company.com"
        identity = "cn=connect,ou=users,dc=company,dc=com"
        password = 1234
        basedn = "OU=users,DC=company,DC=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        max_uses = 0
        port = 389
        timeout = 4
        timelimit = 3
        net_timeout = 1
        edir_account_policy_check = no
        groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        chase_referrals = yes
        rebind = yes
        set_auth_type = no
}

/etc/freeradius/users:

DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com"
        Service-Type = Login-User

DEFAULT Auth-Type := Reject

/etc/freeradius/sites-available/default:

authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        eap
        ntlm_auth
}

/etc/freeradius/sites-available/inner-tunnel:

server inner-tunnel {

listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}

authorize {
        chap
        mschap
        suffix
        update control {
               Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        files
        ldap
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        ntlm_auth
}

After that I start "freeradius -XX" and execute:

$ radtest adam 1234abcd 127.0.0.1 0 testing123

And it fails; this is the debug output:

rad_recv: Access-Request packet from host 127.0.0.1 port 47637, id=109, length=79
        User-Name = "adam"
        User-Password = "1234abcd"
        NAS-IP-Address = 10.10.10.1
        NAS-Port = 0
        Message-Authenticator = 0x817a524013d20e2d4f40cfbc99661b35
Tue Aug 15 12:38:27 2017 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 15 12:38:27 2017 : Info: +group authorize {
Tue Aug 15 12:38:27 2017 : Info: ++[preprocess] = ok
Tue Aug 15 12:38:27 2017 : Info: ++[chap] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[mschap] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[digest] = noop
Tue Aug 15 12:38:27 2017 : Info: [suffix] No '@' in User-Name = "adam", looking up realm NULL
Tue Aug 15 12:38:27 2017 : Info: [suffix] No such realm "NULL"
Tue Aug 15 12:38:27 2017 : Info: ++[suffix] = noop
Tue Aug 15 12:38:27 2017 : Info: [eap] No EAP-Message, not doing EAP
Tue Aug 15 12:38:27 2017 : Info: ++[eap] = noop
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] Entering ldap_groupcmp()
Tue Aug 15 12:38:27 2017 : Info: [files]        expand: OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Tue Aug 15 12:38:27 2017 : Info: [files]        expand: %{Stripped-User-Name} ->
Tue Aug 15 12:38:27 2017 : Info: [files]        ... expanding second conditional
Tue Aug 15 12:38:27 2017 : Info: [files]        expand: %{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Info: [files]        expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] attempting LDAP reconnection
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] (re)connect to ldap.company.com:389, authentication 0
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] bind as cn=,ou=connect,ou=users,dc=company,dc=com/wP67yh345 to ldap.company.com:389
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] waiting for bind result ...
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] Bind was successful
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] performing search in OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: [files]        expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dadam\OU\3dUsers\2cOU\DC\3dcompany\2cDC\3dcom)))
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] performing search in cn=group1,ou=wifi,dc=company,dc=com, with filter (|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dUsers\2cDC\3dcompany\2cDC\3dcom)))
Tue Aug 15 12:38:27 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in group cn=group1,ou=wifi,dc=company,dc=com
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: [files] users: Matched entry DEFAULT at line 207
Tue Aug 15 12:38:27 2017 : Info: ++[files] = ok
Tue Aug 15 12:38:27 2017 : Info: [ldap] performing user authorization for adam
Tue Aug 15 12:38:27 2017 : Info: [ldap]         expand: %{Stripped-User-Name} ->
Tue Aug 15 12:38:27 2017 : Info: [ldap]         ... expanding second conditional
Tue Aug 15 12:38:27 2017 : Info: [ldap]         expand: %{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Info: [ldap]         expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Info: [ldap]         expand: OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] performing search in OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Info: [ldap] No default NMAS login sequence
Tue Aug 15 12:38:27 2017 : Info: [ldap] looking for check items in directory...
Tue Aug 15 12:38:27 2017 : Info: [ldap] looking for reply items in directory...
Tue Aug 15 12:38:27 2017 : Debug: WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
Tue Aug 15 12:38:27 2017 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: ++[ldap] = ok
Tue Aug 15 12:38:27 2017 : Info: ++[expiration] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[logintime] = noop
Tue Aug 15 12:38:27 2017 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Tue Aug 15 12:38:27 2017 : Info: ++[pap] = noop
Tue Aug 15 12:38:27 2017 : Info: +} # group authorize = ok
Tue Aug 15 12:38:27 2017 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Tue Aug 15 12:38:27 2017 : Info: Failed to authenticate the user.
Tue Aug 15 12:38:27 2017 : Info: Using Post-Auth-Type REJECT
Tue Aug 15 12:38:27 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 15 12:38:27 2017 : Info: +group REJECT {
Tue Aug 15 12:38:27 2017 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11
Tue Aug 15 12:38:27 2017 : Info: ++[attr_filter.access_reject] = updated
Tue Aug 15 12:38:27 2017 : Info: +} # group REJECT = updated
Tue Aug 15 12:38:27 2017 : Info: Delaying reject of request 0 for 1 seconds
Tue Aug 15 12:38:27 2017 : Debug: Going to the next request
Tue Aug 15 12:38:27 2017 : Debug: Waking up in 0.9 seconds.
Tue Aug 15 12:38:28 2017 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 109 to 127.0.0.1 port 47637
Tue Aug 15 12:38:28 2017 : Debug: Waking up in 4.9 seconds.
Tue Aug 15 12:38:33 2017 : Info: Cleaning up request 0 ID 109 with timestamp +8
Tue Aug 15 12:38:33 2017 : Info: Ready to process requests


Special thanks!!!

ADAM

2017-08-15 10:02 GMT-03:00 Alan DeKok <aland at deployingradius.com>:

> On Aug 15, 2017, at 2:49 PM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > Dear Matthew and Alan, I take your advice and I will use my current
> > successful Freeradius platform for AUTHENTICATION (samba, winbind,
> > ntlm_auth, mschapv2....according to Alan DeKok's guide) and I will try to use
> > LDAP for AUTHORIZATION as you said.
> >
> > I'm listing my current Debian packages installed in my Freeradius server,
> > and I see freeradius-ldap is not present:
> >
> > freeradius                     2.2.5+dfsg-0.2
>
>   That version is YEARS out of date.
>
>   Please install a recent version of the server.   Packages for most
> common OS's are on http://packages.networkradius.com/
>
> > When I go to /etc/freeradius/modules I can see the ldap file, so is it
> > necessary to install freeradius-ldap or not??? Because maybe it's
> > sufficient to edit my current /etc/freeradius/modules/ldap file, I can't
> > understand the sense of having freeradius-ldap package.
>
>   The freeradius-ldap package has the rlm_ldap library.  The main package
> has the configuration files.
>
>   Think of it this way: if freeradius-ldap wasn't needed to do LDAP...
> then why would it exist?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
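Editor's note on the debug output above, with an added configuration example that is not part of Adam's post and not FreeRADIUS's own configuration. The log already names the cause of the reject: `files` matches the group entry (which sets only Service-Type), `ldap` finds no password attribute in AD (AD never returns one, and set_auth_type = no), so `pap` stays noop and the request leaves authorize with no Auth-Type, hence "No authenticate method (Auth-Type) found". Nothing in the posted config ever selects the ntlm_auth method for a PAP request such as the one radtest sends. The fragments below use FreeRADIUS 2.x syntax (the 2.2.5 package named in the quoted reply), keep LDAP for the group decision, and route cleartext-password requests to the ntlm_auth exec module. The domain name COMPANY, the helper path /usr/bin/ntlm_auth, the CA file path, the placeholder bind password and the Reply-Message text are assumptions.

```unlang
# /etc/freeradius/users  (added example; replaces the two DEFAULT entries in the post)
# Members of the wifi group are authorized; everyone else is rejected explicitly.
# Auth-Type is deliberately NOT set here, because an MS-CHAPv2 request already had
# Auth-Type := MS-CHAP chosen by the mschap module earlier in authorize.
DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com"
        Service-Type = Login-User

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the wifi group"    # text is an assumption

# /etc/freeradius/sites-available/default, authorize section
authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        ldap
        # A cleartext User-Password (PAP, as radtest sends) can be checked
        # against AD through winbind.  Select the ntlm_auth method only when
        # nothing else (mschap, or the Reject entry in users) has set one.
        if (User-Password && !control:Auth-Type) {
                update control {
                        Auth-Type := ntlm_auth
                }
        }
        pap
}

# /etc/freeradius/modules/ntlm_auth  (exec instance named ntlm_auth; the bare
# "ntlm_auth" line in the authenticate section dispatches to it).
# Helper path and domain are assumptions.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY --username=%{mschap:User-Name} --password=%{User-Password}"
}

# /etc/freeradius/modules/ldap, hardening of the authorization connection.
# The post binds over plain port 389, and -X prints the bind DN and password
# in the clear; protect the channel with STARTTLS and keep this file readable
# only by the user the daemon runs as.  CA path and password are assumptions.
ldap {
        server = "ldap.company.com"
        port = 389
        identity = "cn=connect,ou=users,dc=company,dc=com"
        password = "change-me"        # placeholder; rotate the value shown in the log
        basedn = "OU=users,DC=company,DC=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
        groupmembership_attribute = memberOf
        set_auth_type = no
        tls {
                start_tls = yes
                cacertfile = /etc/ssl/certs/company-ca.pem
                require_cert = "demand"
        }
}
```

With these in place, re-run `freeradius -X` and the same `radtest` command; the debug should show the Ldap-Group match in `files`, the `if` block updating control:Auth-Type, and the authenticate section running the ntlm_auth method instead of "No authenticate method". Check winbind first with `wbinfo -t` (the trust secret) and `wbinfo -a COMPANY\\adam%password`, because the exec module can only report what the helper returns. Note the trade-off this path makes: `--password=%{User-Password}` puts the user's cleartext password on the helper's argv, visible to any local process listing, which is one reason the thread's advice favours MS-CHAPv2 through the mschap module, where only the challenge and NT response are handed to ntlm_auth.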


More information about the Freeradius-Users mailing list