Freeradius - how to reply "memberof" active directory information for Strongswan

Alan DeKok aland at deployingradius.com
Wed Sep 25 19:20:14 CEST 2019


On Sep 25, 2019, at 11:13 AM, Sébastien Genesta <genesta.sebastien at gmail.com> wrote:
> 
> So I come back to you because I'm encountering an issue with LDAP
> authentication on Strongswan.
> 
> Below is my /etc/freeradius/3.0/sites-enabled/default

  Please don't post configuration pieces to the list.  It's not necessary.  ALL of the documentation says "don't post configuration files to the list".

> When I try to connect from Strongswan, the following debug message is returned:
...
> (1) ldap: WARNING: You have set "Auth-Type := LDAP" somewhere
> (1) ldap: WARNING: *********************************************
> (1) ldap: WARNING: * THAT CONFIGURATION IS WRONG.  DELETE IT.
> (1) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
> (1) ldap: WARNING: *********************************************
> (1) ldap: ERROR: Attribute "User-Password" is required for authentication

  That seems pretty clear.  You edited the default configuration and broke it.  Don't do that.

> According to "WARNING: You have set "Auth-Type := LDAP" somewhere", I've
> tried to remove it but radtest fails (ERROR: No Auth-Type found: rejecting
> the user via Post-Auth-Type = Reject)

  Because you *also* removed "eap" from the "authorize" section.

  Your first step when installing the server should NOT be to butcher the configuration files.  The default configuration works.  All of the documentation says BE CAREFUL WITH EDITING THE FILES.  It really can't be any clearer.

  Go back to using the default configuration.  Then, follow the documentation for configuring LDAP.  It *will* work.

  Alan DeKok.
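
The two edits named in the reply above (a configured "Auth-Type := LDAP" and a missing "eap" in the "authorize" section) can be checked for before the server is restarted. The following is an added example, not part of the original message and not FreeRADIUS project code; the function names and the sample virtual server are constructed for illustration.

```python
import re

# Constructed sample, not the poster's file (which the page does not show).
BROKEN = """
server default {
    authorize {
        preprocess
        -ldap
        update control {
            Auth-Type := LDAP   # forced for every request
        }
        # eap
        pap
    }
}
"""

def strip_comments(text):
    # Assumption: '#' never appears inside a quoted string in the file.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def section_body(text, name):
    """Text between the braces of the first `name { ... }` block, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*\{", text, re.M)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return None  # unbalanced braces

def lint(config):
    text = strip_comments(config)
    findings = []
    # The setting the server's own WARNING tells the admin to delete.
    if re.search(r"Auth-Type\s*:=\s*\"?LDAP\b", text, re.I):
        findings.append("Auth-Type := LDAP is set")
    authorize = section_body(text, "authorize")
    if authorize is None:
        findings.append("no authorize section found")
    elif not re.search(r"^\s*eap\b", authorize, re.M):
        findings.append("eap is not listed in authorize")
    return findings

if __name__ == "__main__":
    for finding in lint(BROKEN):
        print("FAIL:", finding)
```

Pass the contents of the virtual server file to `lint()`; an empty list means neither condition was found.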



