Use Active Directory Group to authorize users on Freeradius 3.0.x

Igor Sousa igorvolt at gmail.com
Fri Feb 21 23:40:54 CET 2020


Hello everybody,

I have had some problems authorizing users based on Active Directory
(Samba 4 DCs) groups.

I have followed
http://deployingradius.com/documents/configuration/active_directory.html to
configure ntlm_auth and it works perfectly.

As I need to restrict access to some AD groups, I need to configure the ldap
module. I had already configured the ldap module, but that was for pure
OpenLDAP (uid stores the username and userPassword stores the password).
Then, to set up the ldap module to access AD's LDAP, I read the comments in
mods-available/ldap and I have set "server", "identity", "password" and
"base_dn" in mods-enabled/ldap. I have also set up the user section to use
the attribute that stores the username on AD:

user {
...
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
...
}

and

group {
...
filter = '(objectClass=group)'
...
name_attribute = cn

membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

membership_attribute = 'memberOf'
...
}

When I tried to run radiusd -X, it showed an error message about the bind
attempted to the ldap server:

rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to
ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

I suspected SASL, since I had not been told that LDAP uses STARTTLS
or SSL over TLS. Then I commented out identity and password and ran radiusd -X:

rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389
failed: Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

I ran kinit Administrator before running the ldapsearch below, and it hasn't
shown any ERROR.

Please, can someone help me with my problem?

[root@centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b
"ou=drc,dc=mydomain,dc=com" sAMAccountName
SASL/GSS-SPNEGO authentication started
SASL username: Administrator@MYDOMAIN.COM
SASL SSF: 256
SASL data security layer installed.

--
Igor Sousa
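An added example, not the poster's configuration and not from the FreeRADIUS project, showing the rlm_ldap settings that address the bind failure quoted in the message above. The DC's reply "BindSimple: Transport encryption required" is the Samba AD DC refusing a cleartext simple bind (its "ldap server require strong auth" enforcement), so the module has to wrap the connection in TLS before binding, either LDAPS on 636 or STARTTLS on 389; the anonymous SASL/GSSAPI attempt most likely failed with "Local error" because the radiusd process has no Kerberos credentials of its own (the kinit ticket belongs to the root shell). The block also shows the group check in the authorize section, which is the poster's actual goal. The service account DN, the CA file path, the file locations and the group name "VPN-Users" are assumptions.

```conf
# ---- mods-enabled/ldap (added example; assumed names and paths) ----
ldap {
    # LDAPS: the TLS handshake completes before the simple bind is sent,
    # which satisfies the DC's "Transport encryption required" demand.
    server = 'ldaps://dc01.mydomain.com'
    port = 636

    # Bind as a dedicated read-only service account, not Administrator.
    identity = 'cn=radius,cn=Users,dc=mydomain,dc=com'   # assumed account
    password = 'changeme'                                # assumed value
    base_dn = 'dc=mydomain,dc=com'

    tls {
        # Alternative: start_tls = yes with server = 'ldap://...' and
        # port = 389 to negotiate STARTTLS on the plain port instead.
        start_tls = no
        ca_file = /etc/raddb/certs/ad-ca.pem             # assumed path
        # Refuse DCs whose certificate does not verify; otherwise the bind
        # password would be sent to whatever answers on that name.
        require_cert = 'demand'
    }

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn
        # AD groups list members by DN; memberUid is a POSIX/OpenLDAP attribute.
        membership_filter = "(member=%{control:Ldap-UserDn})"
        membership_attribute = 'memberOf'
    }
}

# ---- sites-enabled/default, authorize section (added example) ----
authorize {
    # ... existing modules (preprocess, ntdomain, mschap, ...) ...

    # Run ldap first so control:Ldap-UserDn is set for the group lookup.
    ldap

    # Only members of the assumed AD group "VPN-Users" may proceed; an
    # unknown user or a non-member is rejected before authentication.
    if (!(LDAP-Group == "VPN-Users")) {
        reject
    }

    # ... authentication itself still goes through ntlm_auth ...
}
```

The LDAP-Group comparison resolves the short name through name_attribute = cn, so the group is referenced as "VPN-Users" rather than by its full DN. Verify the TLS path independently with ldapsearch against ldaps://dc01.mydomain.com:636 using the same CA file before enabling the module, so that a certificate problem is not mistaken for a bind problem.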