Freeradius 3.x with LDAP authentication
Alan DeKok
aland at deployingradius.com
Wed Aug 16 18:28:19 CEST 2017
On Aug 16, 2017, at 4:05 PM, Adam Cage <adamcage27 at gmail.com> wrote:
>
> Dear Alan and people, I'm near the solution of my problem but I'm still
> having a problem.
>
> Following the Alan DeKok tutorial about Authentication with Active
> Directory with ntlm_auth and mschap, everything works OK. In this case, I
> have no LDAP support at all, no authorization, just authentication.
That's fine. The guide deals with one issue at a time.
If you can get AD authentication working, then adding LDAP authorization is about 10 minutes.
> But the problem comes when I set up LDAP support for authorization,
> checking whether or not the user is in a given group with the Ldap-Group attribute.
Put those checks into the virtual server, not in the "users" file.
What LDAP group checks are you doing?
This kind of thing will work:
authorize {
    ...
    if (LDAP-Group != admins) {
        reject
    }
    ...
}
> As I said previously, after configuring the ldap module and
> /etc/sites-available/default and inner-tunnel with LDAP for authorization,
To do *what*? Be specific.
In most cases, if you can write the requirements down in simple English, you can translate those to "unlang" policy rules pretty directly.
> --nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
> Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account *
> (0xc000018b)
> Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM account*
> (0xc000018b)
That's an error produced by AD, not FreeRADIUS.
> Can you tell me why mschap auth is ok without LDAP support and it's wrong
> with LDAP support???
Since you didn't say what you did for LDAP authorization, I have no idea what's going wrong.
But from the error message above, it *is* clear that the user isn't allowed to use AD authentication. That is an issue entirely separate from LDAP authorization.
Alan DeKok.
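As an illustration of the advice above (group check in the virtual server, not in the "users" file, and AD authentication kept separate from LDAP authorization), here is a worked virtual-server fragment. It is an example added here, not code from Alan's reply or from the FreeRADIUS distribution. It assumes the rlm_ldap instance is named "ldap", the permitted AD group is called "admins", and mods-available/mschap is already configured to call ntlm_auth as in the tutorial the original poster followed; the group name and Reply-Message texts are constructed for the example.

```unlang
#  Example virtual server fragment for FreeRADIUS 3.x (added example, not
#  from the list post).  Assumptions: rlm_ldap instance named "ldap",
#  AD group "admins", and ntlm_auth already configured in mods-available/mschap.

server default {
    authorize {
        filter_username
        preprocess

        #  mschap inspects the MS-CHAP attributes in the request and sets
        #  Auth-Type := MS-CHAP.  It does not talk to the LDAP server; the
        #  password check is done later by ntlm_auth against AD.
        mschap

        #  Consult the directory for authorization data only.  The leading
        #  "-" makes the call non-fatal if the ldap module is not loaded.
        -ldap

        #  ldap returns "notfound" when the user has no entry in the directory.
        if (notfound) {
            update reply {
                Reply-Message := "User not found in the directory"
            }
            reject
        }

        #  Group check.  rlm_ldap registers the LDAP-Group comparison, so
        #  this condition triggers a membership lookup against the directory.
        if (LDAP-Group != "admins") {
            update reply {
                Reply-Message := "User is not a member of the admins group"
            }
            reject
        }

        #  Do NOT set control:Auth-Type := LDAP for MS-CHAP requests here.
        #  The request carries a challenge/response, not a plaintext
        #  User-Password, so only ntlm_auth (via mschap) can verify it.
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
    }
}
```

When testing with radiusd -X, the debug output shows the ldap group lookup and the mschap/ntlm_auth result as separate steps: a rejection coming from the LDAP-Group condition appears in the authorize section, while an ntlm_auth failure such as "No trusted SAM account" is reported by the mschap module in the authenticate section and originates from AD, independent of whether the LDAP branch is configured.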