default authentication via windows active directory LDAP instead of /users
Konstantin Knaab-Hinrichs
paradonym at googlemail.com
Wed Mar 8 08:28:16 CET 2017
Here's the "freeradius -X" output (somehow it isn't "radiusd -X" on my side)
when executing
"radtest $USER $PASS 127.0.0.1 0 testing123".
I replaced sensitive data with names like $USER or $DOMAINCONTROLLERIP. The
domain controller also works as an LDAP server.
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 54450, id=184,
> length=86
> User-Name = "$USER"
> User-Password = "$PASS"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0
> Message-Authenticator = 0xe0d8a8de27b928c14388759eebc06aaf
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "$USER", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> [ldap] Entering ldap_groupcmp()
> [files] expand: dc=$DOMAIN,dc=local -> dc=$DOMAIN,dc=local
> [files] expand: %{Stripped-User-Name} ->
> [files] ... expanding second conditional
> [files] expand: %{User-Name} -> $USER
> [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=$USER)
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to $DOMAINCONTROLLERIP:389, authentication 0
> [ldap] bind as / to $DOMAINCONTROLLERIP:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=$DOMAIN,dc=local, with filter (uid=$USER)
> WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
> WARNING: See the ldap module configuration for details
> [ldap] ldap_search() failed: Operations error
> rlm_ldap::ldap_groupcmp: search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[files] = noop
> [ldap] performing user authorization for $USER
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] ... expanding second conditional
> [ldap] expand: %{User-Name} -> $USER
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=$USER)
> [ldap] expand: dc=$DOMAIN,dc=local -> dc=$DOMAIN,dc=local
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] closing existing LDAP connection
> [ldap] (re)connect to $DOMAINCONTROLLERIP:389, authentication 0
> [ldap] bind as / to $DOMAINCONTROLLERIP:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=$DOMAIN,dc=local, with filter (uid=$USER)
> WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
> WARNING: See the ldap module configuration for details
> [ldap] ldap_search() failed: Operations error
> [ldap] search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = fail
> +} # group authorize = fail
> Invalid user: [$USER] (from client localhost port 0)
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} -> $USER
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 184 to 127.0.0.1 port 54450
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 184 with timestamp +76
> Ready to process requests.
As I read the log part
> [ldap] ldap_search() failed: Operations error
> [ldap] search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = fail
> +} # group authorize = fail
> Invalid user: [$USER] (from client localhost port 0)
I think the LDAP server doesn't reply with an accepted user? I think "[ldap]
Bind was successful" means that the server is reachable and replies at
least to a connection handshake.
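The following is an added configuration example, not part of the original message and not a file shipped by the FreeRADIUS project. It shows the rlm_ldap settings that the quoted debug output points at: the log records an anonymous bind ("bind as / to $DOMAINCONTROLLERIP:389"), a search filter of (uid=$USER), and a WARNING asking for chase_referrals and rebind. Active Directory answers anonymous searches below the rootDSE with "Operations error" and stores the login name in sAMAccountName rather than uid, so the example binds with a dedicated account and changes the filter. The syntax assumed is the FreeRADIUS 2.x modules/ldap format that the "[ldap] ldap_get_conn" debug lines suggest; the bind account "radius-svc", its password and the CA certificate path are placeholders, and $DOMAINCONTROLLERIP and $DOMAIN are the placeholders from the post.

```conf
# Added example (not from the original post): /etc/freeradius/modules/ldap,
# FreeRADIUS 2.x syntax. $DOMAINCONTROLLERIP and $DOMAIN are the placeholders
# used in the post; the bind account "radius-svc" and its password are
# assumptions, to be replaced with a real, low-privilege AD account.
ldap {
        server = "$DOMAINCONTROLLERIP"
        port = 389

        # The debug output shows "bind as / to ...", i.e. an anonymous bind.
        # AD rejects anonymous searches with "Operations error", so bind with
        # a dedicated read-only account instead (assumed DN and password).
        identity = "cn=radius-svc,cn=Users,dc=$DOMAIN,dc=local"
        password = "changeme"

        basedn = "dc=$DOMAIN,dc=local"

        # AD user objects carry the login name in sAMAccountName, not uid,
        # so the filter from the log, (uid=...), never matches anything.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Requested by the WARNING lines in the debug output: AD returns
        # referrals for other naming contexts, and following them requires
        # a rebind with the configured credentials.
        chase_referrals = yes
        rebind = yes

        # Send the bind password over TLS instead of in the clear; needs the
        # domain CA certificate (assumed path).
        tls {
                start_tls = yes
                cacertfile = /etc/ssl/certs/ad-ca.pem
                require_cert = "demand"
        }

        # AD does not hand out password hashes over LDAP, so users must be
        # authenticated by binding as them; this makes rlm_ldap set
        # Auth-Type = LDAP when it finds the user.
        set_auth_type = yes

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
```

For the user bind to run, the authenticate section of /etc/freeradius/sites-enabled/default must also have the `Auth-Type LDAP { ldap }` block uncommented. Before restarting the daemon, the same bind DN, base DN and filter can be tried with ldapsearch against the domain controller; if that search already returns "Operations error" or no entry, the problem is in the directory access, not in FreeRADIUS.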