guide on configuring freeradius 3 LDAP

Douglas C Ward douglas at ugutech.com
Thu Jan 18 21:54:26 CET 2018


in the mods-available/ldap file, there is this section…

        #  Note: set_auth_type was removed in v3.x.x
        #  Equivalent functionality can be achieved by adding the following
        #  stanza to the authorize {} section of your virtual server.
        #
        #    ldap
        #    if ((ok || updated) && User-Password) {
        #        update {
        #            control:Auth-Type := ldap
        #        }
        #    }

… where is the “authorize {}” section of my virtual server?

—Douglas


> On Jan 18, 2018, at 2:41 PM, Douglas C Ward <douglas at ugutech.com> wrote:
> 
> I just tried things, and ran into…
> 
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> dward at iacollaborative.com
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
> 
> … so I assumed there was something in the default file. I saw in there…
> 
> #       Auth-Type LDAP {
> #               ldap
> #       }
> 
> so I uncommented that, restarted the server in debug, and got this error…
> 
> radiusd: #### Loading Virtual Servers ####
> server { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/radiusd.conf
> } # server
> server default { # from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default
> # Loading authenticate {...}
> /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[513]: Failed to find "pam" as a module or policy.
> /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[513]: Please verify that the configuration exists in /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/mods-enabled/pam.
> /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default[476]: Errors parsing authenticate section. 
> 
> … so I assume there’s some further config I’m missing.
> 
> —Douglas
> 
>> On Jan 18, 2018, at 2:10 PM, Douglas Ward <douglas at ugutech.com> wrote:
>> 
>> Thanks Alan, I’ll give that a go. I had gotten the impression that there were additional files to configure beyond mods-available/ldap. I’ll report back.
>> 
>> -- Douglas
>> 
>> 
>>> On Jan 18, 2018, at 1:29 PM, Alan DeKok <aland at deployingradius.com> wrote:
>>> 
>>>> On Jan 18, 2018, at 1:18 PM, Douglas C Ward <douglas at ugutech.com> wrote:
>>>> I just joined the list recently, in hopes to get some help in configuring LDAP on my FreeRADIUS server. I have found a lot of documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I have worked through the initial setup on http://wiki.freeradius.org/guide/Getting-Started and was able to connect with “Access-Accept”. But now I want to connect an LDAP server (specifically, a VLDAP server from OneLogin). I have all their docs, and have all the base DN and Bind DN info. But the documentation at http://wiki.freeradius.org/modules/Rlm_ldap seems to “start in the middle” for me. It says you "can"…
>>>> 
>>>> "To enable LDAP in your FreeRADIUS server, you can:
>>>> 
>>>> • instantiate an ldap module - which sets up the server name, the base DN, etc
>>>> • authenticate using an ldap module instance - which makes the FreeRADIUS server verify the user's identity in the LDAP directory, usually involving some form of checking the validity of the password
>>>> • authorize using an ldap module instance - which makes the FreeRADIUS server verify the user's level of authorization in the LDAP directory, usually involving verifying group membership or similar"
>>>> 
>>>> … but I don’t have enough experience to evaluate those options, or know how to do any of them. So I am looking for a simple “how to enable LDAP on FreeRADIUS 3” that I can follow to get things working, and learn from there. Thank you.
>>> 
>>> Edit raddb/mods-available/ldap.  Configure it.
>>> 
>>> i.e. *read* the comments.  They tell you what the options do, and how they work.  Fill in the configuration as necessary.
>>> 
>>> Start the server in debug mode.  Send it a test packet using "radtest".  Use a name/password that's in LDAP.
>>> 
>>> If it gets Access-Accept, you're good!
>>> 
>>> If not, *read* the debug output to see what it's doing.  If you don't understand it, post it here.
>>> 
>>> It really is that simple.  The "radtest" example *should* work if the LDAP module (a) talks to the LDAP server, and (b) is configured to search the right part of the LDAP tree.
>>> 
>>> The default configuration is designed to work with minimal edits.  So do minimal edits, and it will work.
>>> 
>>> Alan DeKok.
>>> 
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
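The authorize {} section the mods-available/ldap comment refers to is in the virtual server file already named in the debug output above, sites-enabled/default (sites-enabled/inner-tunnel has its own authorize {} and authenticate {} for the inner EAP tunnel). The shell script below is an added example, not part of the thread and not FreeRADIUS's own code: it builds a constructed miniature raddb tree that shows where the authorize stanza and the Auth-Type LDAP block go, enables the ldap module the way the Getting-Started guide assumes (a symlink in mods-enabled/), and runs a preflight that reports every module called from authenticate {} with no mods-enabled/ entry, which is the condition behind the 'Failed to find "pam" as a module or policy' error. The raddb layout, the module set, the radtest arguments and the shared secret are assumptions; the radtest call follows Alan's suggested check against a server started with radiusd -X.

```shell
#!/bin/sh
# Added example, not from the thread or from the FreeRADIUS project.
# Builds a constructed, miniature raddb tree that mirrors the layout named in the
# debug output above, shows where the ldap authorize stanza and the Auth-Type LDAP
# block live, and checks authenticate {} for module calls with no mods-enabled/ entry.
set -eu

# Constructed fixture: a stand-in for $raddb/sites-enabled/default (assumption:
# only the sections relevant to LDAP are reproduced; the real file is much longer).
make_fixture() {
    dir="$1"
    mkdir -p "$dir/mods-available" "$dir/mods-enabled" "$dir/sites-enabled"
    : > "$dir/mods-available/ldap"                          # present but not yet enabled
    for m in pap eap; do : > "$dir/mods-enabled/$m"; done   # assumed already enabled
    cat > "$dir/sites-enabled/default" <<'EOF'
server default {
authorize {
	preprocess
	#  The stanza from mods-available/ldap goes here: "ldap" looks the user up,
	#  and Auth-Type is set only when a cleartext User-Password is present, so
	#  CHAP/MS-CHAP/EAP requests are not forced into an LDAP bind they cannot do.
	ldap
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	#  pam has no mods-enabled/ entry: the same condition as the
	#  "Failed to find pam as a module or policy" error in the thread.
	Auth-Type PAM {
		pam
	}
	Auth-Type LDAP {
		ldap
	}
	eap
}
}
EOF
}

# FreeRADIUS loads only the modules linked into mods-enabled/; this is the
# "enable the module" step that the Getting-Started guide assumes.
enable_module() {
    raddb="$1"; name="$2"
    [ -e "$raddb/mods-enabled/$name" ] || ln -s "../mods-available/$name" "$raddb/mods-enabled/$name"
}

# Print, one per line, every bare module call inside the top-level authenticate {}
# of a virtual-server file that has no mods-enabled/ entry. Comments are dropped
# and braces are counted so nested Auth-Type blocks are covered. Limitation: a
# one-line "Auth-Type X { mod }" is not recognised, and a policy from policy.d
# would be reported as missing (the stock authenticate {} calls none).
missing_authenticate_modules() {
    raddb="$1"; site="$2"
    awk '
        { sub(/#.*/, "") }                                  # drop comments
        depth == 0 && $1 == "authenticate" && $2 == "{" { depth = 1; next }
        depth > 0 {
            if (NF == 1 && $1 ~ /^[A-Za-z_][A-Za-z0-9_.-]*$/) print $1
            n = split($0, a, "{"); depth += n - 1
            n = split($0, a, "}"); depth -= n - 1
            if (depth == 0) exit
        }
    ' "$site" | sort -u | while read -r name; do
        [ -e "$raddb/mods-enabled/$name" ] || echo "$name"
    done
}

# Alan's check, for a live server started with "radiusd -X" in another terminal.
# Arguments are assumptions: a user that exists in LDAP, that user's password, and
# the shared secret configured for 127.0.0.1 in clients.conf.
radtest_ldap_user() {
    user="$1"; password="$2"; secret="${3:-testing123}"
    radtest "$user" "$password" 127.0.0.1 0 "$secret"
}

# Stand-alone run on the constructed tree (no radiusd needed).
demo=$(mktemp -d)
make_fixture "$demo"
echo "missing before enabling ldap: $(missing_authenticate_modules "$demo" "$demo/sites-enabled/default" | tr '\n' ' ')"
enable_module "$demo" ldap
echo "missing after enabling ldap:  $(missing_authenticate_modules "$demo" "$demo/sites-enabled/default" | tr '\n' ' ')"
rm -rf "$demo"
```

On the constructed tree the preflight reports "ldap pam" before the symlink is created and only "pam" afterwards; on a real raddb, point it at sites-enabled/default (and inner-tunnel) after uncommenting the Auth-Type LDAP block, and either keep the Auth-Type PAM block commented out or enable pam before starting the server.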


