Porting ldap module configuration from 2.2.9 to 3.0.15

Fajar A. Nugraha list at fajar.net
Wed Sep 20 07:59:33 CEST 2017


On Wed, Sep 20, 2017 at 12:11 PM, Olivier <Olivier.Nicole at cs.ait.ac.th>
wrote:

> "Fajar A. Nugraha" <list at fajar.net> writes:
>
> > The last part shouldn't be there, since you should've had an entry that
> > adds Ldap-UserDN.
> >
> > It should print something like this
> > (0)   authorize {
> > (0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com
> > (0) files:    --> uid=testuser,ou=people,dc=company,dc=com
> > (0) files: users: Matched entry DEFAULT at line 1
> > ...
> > (0)     [files] = ok
> >
> > Did you edit the correct file? The default (in ubuntu)
> > is /etc/freeradius/users (or /etc/raddb/users in most other distros), which
> > is a symlink to mods-config/files/authorize
>
> I found my mistake. When setting the chroot, I copied all raddb with
> cp(1) and the symlinks got overwritten by plain files. raddb/users was
> not a symlink anymore.
>
> Now I get the correct result for authorize/files. I removed any
> reference to ldap in the authorize section of sites-enable/default.
>
> Now I get the error "ERROR: No Auth-Type found: rejecting the user via
> Post-Auth-Type = Reject"
>
>

Here's what works for me, tested on fresh openldap user (with only one
user, the 'admin' user) on ubuntu:

- top of /etc/freeradius/users

admin Ldap-UserDN := "cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net", Auth-Type := LDAP
        Fall-Through = yes

Adjust to your DN, obviously. If all your users are LDAP users, you should
be able to replace 'admin' with 'DEFAULT'.


- /etc/freeradius/sites-enabled/default:

comment out '-ldap' in the authorize section. You don't need it if you ONLY
use LDAP for authentication with LDAP bind.

uncomment these lines in the authenticate section (also read the comments
before these lines to understand what they do):
        Auth-Type LDAP {
                ldap
        }



Relevant part of my debug log using 'radtest':
...
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
...
(0) files: EXPAND cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net
(0) files:    --> cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net
(0) files: users: Matched entry admin at line 1
(0)     [files] = ok
...
(0)   } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Auth-Type LDAP {
...
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: Login attempt by "admin"
(0) ldap: Using user DN from request "cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net" was successful
...
(0)     [ldap] = ok
(0)   } # Auth-Type LDAP = ok
...
(0) Sent Access-Accept Id 122 from 127.0.0.1:1812 to 127.0.0.1:46573 length 0


-- 
Fajar
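An added triage helper, not part of this thread or of FreeRADIUS itself: it reduces the radiusd -X output for one request to the files -> Auth-Type -> ldap chain discussed above and names the step that broke (no users match, no Auth-Type set, or no successful bind). The two sample logs are constructed from the lines quoted in this thread, not real captures.

```python
import re

# Constructed sample logs, modelled on the radiusd -X lines quoted in the thread (not real captures).
LOG_OK = """\
(0) files: EXPAND cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net
(0) files:    --> cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net
(0) files: users: Matched entry admin at line 1
(0)     [files] = ok
(0) Found Auth-Type = LDAP
(0) ldap: Using user DN from request "cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net"
(0) ldap: Bind successful
(0) Sent Access-Accept Id 122 from 127.0.0.1:1812 to 127.0.0.1:46573 length 0
"""
LOG_NO_AUTH_TYPE = """\
(0) files: users: Matched entry DEFAULT at line 1
(0)     [files] = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:40000 length 0
"""
RE_ENTRY = re.compile(r"files: users: Matched entry (\S+) at line \d+")
RE_DN = re.compile(r'ldap: Using user DN from request "([^"]+)"')
RE_AUTH_TYPE = re.compile(r"Found Auth-Type = (\S+)")
RE_REPLY = re.compile(r"Sent (Access-\w+) Id")

def triage(log):
    """Reduce one request's debug output to the steps of the files -> Auth-Type -> ldap chain."""
    entry = RE_ENTRY.search(log)
    dn = RE_DN.search(log)
    auth_type = RE_AUTH_TYPE.search(log)
    reply = RE_REPLY.search(log)
    result = {
        "users_entry": entry.group(1) if entry else None,   # which users entry matched
        "user_dn": dn.group(1) if dn else None,             # DN taken from Ldap-UserDN
        "auth_type": auth_type.group(1) if auth_type else None,
        "bind_ok": "ldap: Bind successful" in log,          # only the wording seen in the thread
        "reply": reply.group(1) if reply else None,
    }
    if result["users_entry"] is None:
        result["diagnosis"] = "no users entry matched: check that raddb/users is the symlink to mods-config/files/authorize"
    elif "No Auth-Type found" in log:
        result["diagnosis"] = "entry matched but nothing set Auth-Type: add 'Auth-Type := LDAP' to the matching users entry"
    elif result["auth_type"] == "LDAP" and not result["bind_ok"]:
        result["diagnosis"] = "Auth-Type LDAP ran but no successful bind was logged: check Ldap-UserDN and the password"
    elif result["reply"] == "Access-Accept":
        result["diagnosis"] = "ok"
    else:
        result["diagnosis"] = "rejected for another reason; read the full debug output"
    return result
```

Feed it the block of lines belonging to one request id, for example everything between "(0) Received Access-Request" and "(0) Sent Access-...", so that patterns from other requests do not bleed in.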
