Help with ldap integration into Active directory

Alan DeKok aland at deployingradius.com
Mon Aug 5 14:02:56 CEST 2019


On Aug 5, 2019, at 3:16 AM, Josh McMillan <joshm at opusv.com.au> wrote:
> I'm new to FreeRADIUS, so forgive the ignorance as I try to articulate the setup I'm trying to achieve here.
> 
> Currently I have a FreeRADIUS server running off a CentOS server:
> - Running FreeRADIUS Version 3.0.13
> - CentOS version: CentOS Linux release 7.6.1810 (Core)

  OK.

> 
> The overall design idea at the moment is that clients will connect via an L2TP VPN with a pre-shared key against a VyOS router, then get challenged for AD credentials, which are then passed to the FreeRADIUS server.
> - The goal is then to use LDAP to query Active Directory, locked down to a specific security group.
> - Then use Samba / ntlm_auth to handle the actual username/password authentication.

  Detailed instructions are on my web site:  http://deployingradius.com

> - Most of this has been working up until I started trying to refine the LDAP search and move the authentication part away from LDAP; when I ran radiusd -X I could see in the output that LDAP was still being used past the query stage.

  What does that mean?  FreeRADIUS doesn't magically "use" a module.  It calls a module when the configuration tells it to.

> - Since modifying those folders I'm forever chasing loops in the /etc/raddb/mods-enabled/ldap file for things like 'rlm_group': /usr/lib64/freeradius/rlm_group.so: cannot open shared object file: No such file or directory'
> - Unfortunately I don't have a complete grasp of how all these protocols interact / leverage off each other to do specific jobs, and I'm at the point now where if I continue I will bugger up the config and have to start again.

  You edited the configuration, and broke it.  Don't do that.

  The debug output says:

/etc/raddb/mods-enabled/ldap[238] ...

  So... what's on line 238?  The server prints filenames and line numbers for a reason.

  What's happening is that you added some text like:

group {
	...
}

  to the "ldap" module configuration.  This is wrong.  You can't just add random text to the configuration files and expect that it does what you want.  The configuration files explain very clearly what is allowed, and how it works.

  For background to RADIUS and FreeRADIUS, see: https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf

  Alan DeKok.
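As an added worked example (not part of Alan's reply and not the FreeRADIUS project's shipped configuration), here is where the group sub-section of the ldap module actually belongs in FreeRADIUS 3.0.x, together with the group restriction and the ntlm_auth hand-off that the original question describes. The domain controller hostname, bind account, base DN, domain name and group DN are assumptions for illustration; the ntlm_auth path is the one the Samba winbind client package installs on CentOS 7 and is likewise assumed.

```unlang
# --- /etc/raddb/mods-enabled/ldap (a symlink to mods-available/ldap) ---
# Everything below lives INSIDE the ldap { ... } block.  If a "group { ... }"
# block ends up at the top level of this file (for example because a brace
# above it was closed too early), the server reads it as a module called
# "group" and tries to load rlm_group.so, which does not exist.
ldap {
	server = 'dc1.example.internal'        # assumed AD domain controller
	identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=internal'  # assumed bind account
	password = 'REPLACE-ME'
	base_dn = 'DC=example,DC=internal'     # assumed base DN

	user {
		base_dn = "${..base_dn}"
		# AD logon name; Stripped-User-Name is set when a realm was stripped.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=group)'
		name_attribute = 'cn'
		# AD stores a user's groups on the user object, so membership is
		# checked against the user's own memberOf values.
		membership_attribute = 'memberOf'
	}
}

# --- /etc/raddb/mods-enabled/ntlm_auth ---
# Samba's ntlm_auth does the password check against the domain; the ldap
# module above is used only for the lookup and the group check.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- /etc/raddb/sites-enabled/default (relevant sections only) ---
server default {
	authorize {
		preprocess

		# Look the user up in AD.  This does no authentication by itself.
		ldap

		# Restrict to one security group (assumed DN), compared by full DN
		# against the user's memberOf values.  Unknown users fail here too.
		if (!(LDAP-Group == "CN=VPN-Users,OU=Groups,DC=example,DC=internal")) {
			reject
		}

		# Hand the actual password check to ntlm_auth, not to an LDAP bind.
		if (!control:Auth-Type) {
			update control {
				Auth-Type := ntlm_auth
			}
		}
	}

	authenticate {
		Auth-Type ntlm_auth {
			ntlm_auth
		}
	}
}
```

After the change, run radiusd -X again: it prints every module as it is instantiated and the file and line of anything it cannot parse, which is the output Alan points to above. Two caveats: the exec-based ntlm_auth only works when the NAS sends PAP, i.e. a cleartext User-Password, so for MS-CHAPv2 the mschap module's own ntlm_auth setting is the right hook instead; and the identity/password bind above is a plain service-account bind, so in production it should go over LDAPS or StartTLS rather than port 389 in the clear.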
