default authentication via windows active directory LDAP instead of /users
Konstantin Knaab-Hinrichs
paradonym at googlemail.com
Wed Mar 8 10:03:26 CET 2017
Just because there is a log missing an @ in the user string, I tried the
modern way: "radtest $USER@$DOMAIN.local ..."
> rad_recv: Access-Request packet from host 127.0.0.1 port 54456, id=72, length=102
>         User-Name = "$USER@$DOMAIN.local"
>         User-Password = "$PASS"
>         NAS-IP-Address = 127.0.1.1
>         NAS-Port = 0
>         Message-Authenticator = 0x571ceeee8066a0c6a5982deb5a6161b3
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] Looking up realm "$DOMAIN.local" for User-Name = "$USER@$DOMAIN.local"
> [suffix] No such realm "$DOMAIN.local"
> ++[suffix] = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> [ldap] Entering ldap_groupcmp()
> [files] expand: dc=$DOMAIN,dc=local -> dc=$DOMAIN,dc=local
> [files] expand: %{Stripped-User-Name} ->
> [files] ... expanding second conditional
> [files] expand: %{User-Name} -> $USER@$DOMAIN.local
> [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=$USER@$DOMAIN.local)
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] closing existing LDAP connection
> [ldap] (re)connect to $DOMAINCONTROLLERIP:389, authentication 0
> [ldap] bind as / to $DOMAINCONTROLLERIP:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=$DOMAIN,dc=local, with filter (uid=$USER@$DOMAIN.local)
> WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
> WARNING: See the ldap module configuration for details
> [ldap] ldap_search() failed: Operations error
> rlm_ldap::ldap_groupcmp: search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[files] = noop
> [ldap] performing user authorization for $USER@$DOMAIN.local
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] ... expanding second conditional
> [ldap] expand: %{User-Name} -> $USER@$DOMAIN.local
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=$USER@$DOMAIN.local)
> [ldap] expand: dc=$DOMAIN,dc=local -> dc=$DOMAIN,dc=local
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] closing existing LDAP connection
> [ldap] (re)connect to $DOMAINCONTROLLERIP:389, authentication 0
> [ldap] bind as / to $DOMAINCONTROLLERIP:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=$DOMAIN,dc=local, with filter (uid=$USER@$DOMAIN.local)
> WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
> WARNING: See the ldap module configuration for details
> [ldap] ldap_search() failed: Operations error
> [ldap] search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = fail
> +} # group authorize = fail
> Invalid user: [$USER@$DOMAIN.local] (from client localhost port 0)
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} -> $USER@$DOMAIN.local
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 72 to 127.0.0.1 port 54456
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 72 with timestamp +5685
> Ready to process requests.
The reject message is coming much faster. I'm unsure if this is because of
configuration issues or a reject of the LDAP query.
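As an added illustration, not from the original post or the FreeRADIUS project, here is a FreeRADIUS 2.x configuration fragment addressing the three things this debug output reports: the suffix module finds no realm (so Stripped-User-Name stays empty and the full UPN goes into the filter), the LDAP search is done on an anonymous bind ("bind as /"), and the module itself warns that chase_referrals and rebind should be set. The DOMAIN / DOMAINCONTROLLERIP placeholders, the service-account DN and the sAMAccountName filter attribute are assumptions.

```conf
# /etc/freeradius/proxy.conf  (added example; placeholders in CAPITALS)
# A realm with no authhost/accthost is handled locally. Listing it lets the
# suffix module recognise "DOMAIN.local" and set Stripped-User-Name = "USER",
# instead of logging 'No such realm' and leaving the attribute empty.
realm DOMAIN.local {
}

# /etc/freeradius/modules/ldap  (only the keys relevant to the log shown)
ldap {
    server = "DOMAINCONTROLLERIP"
    port = 389
    basedn = "dc=DOMAIN,dc=local"

    # The log shows "bind as /", i.e. an anonymous search bind.
    # A dedicated read-only service account is an assumption here.
    identity = "cn=radius-svc,cn=Users,dc=DOMAIN,dc=local"
    password = "CHANGE-ME"

    # Active Directory user objects are normally matched on sAMAccountName,
    # not uid (assumption). The fallback keeps the behaviour of the original
    # filter when no realm was stripped from User-Name.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # The two settings the module warned about: searches at the domain root
    # come back with referrals that must be followed on a re-bound connection.
    chase_referrals = yes
    rebind = yes
}
```

After changing these, re-run the server in debug mode and check that the suffix lines report the realm as found and that the ldap search line no longer carries the full UPN in the filter.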