Use Active Directory Group to authorize a users on Freeradius 3.0.x

Igor Sousa igorvolt at gmail.com
Sat Feb 22 19:46:38 CET 2020


I don't see any problem about ldap serach bind. The
DN:cn=Administrator,cn=Users,dc=mydomain,dc=com, just as the name says, is
the administrator user of mydomain.com and can search any other
Organisation Unit of mydomain.com. All my users, except Administrator, are
in the ou=drc,dc=mydomain,dc=com. Samba 4 domain works perfectly in
Windows/Linux as in other system my company has.


When I have tried to run radiusx -X with identity set in ldap module, the
radiusd -X has informed

rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to
ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.


The employee who implemented Samba DC on my company has notified me he
hasn't set ldap to run over ssl or start tls. Due it, I have tried to use
SASL. It has worked fine when I have tried run a simple search using
ldapsearch after kinit like this

[root at centos8 ~]# kinit -a Administrator
[root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b
"ou=drc,dc=mydomain,dc=com" sAMAccountName
SASL/GSS-SPNEGO authentication started

SASL username: Administrator at MYDOMAIN.COM

SASL SSF: 256

SASL data security layer installed.

<all users on ou=drc was shown>


But it hasn't worked with freeradius ldap module.

rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed:
Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"


PS: I've used freeradius from centos 8 repo, 3.0.16 version, and the host
centos8 is a domain member on mydomain.com.

--
Igor Sousa


Em sáb., 22 de fev. de 2020 às 13:17, <uj2.hahn at posteo.de> escreveu:

> > rlm_ldap (ldap): Bind with *cn=Administrator,cn=Users,dc=mydomain,dc=com*
>
> This doesn't match your ldap search binding:
> > "ou=drc,dc=mydomain,dc=com"
>
> May be this is the issue? Please double check your ldap settings!
> Regards
> Uwe
>
> On 21.02.2020 23:40, Igor Sousa wrote:
> > Hello everybody,
> >
> > I have had some problems about to authorize users based on Active
> Directory
> > (Samba 4 DCs) groups.
> >
> > I have followed
> > http://deployingradius.com/documents/configuration/active_directory.html
> to
> > configure ntlm_auth and it works perfectly.
> >
> > As I need restrict access to some AD groups, I need to configure ldap
> > module. I've alright configured ldap module, but it has been pure
> Openldap
> > (uid stores username and usePassword stores password). Then, to set up
> ldap
> > module to access AD ldap, I've read comments on mods-available/ldap  and
> I
> > have set up "server", "identity", "password" and "base_dn" on the
> > mods-enabled/ldap. I have also set up
> >
> > to use the attribute stores username on AD
> > user {
> > ...
> > filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> > ...
> > }
> >
> > and
> >
> > group {
> > ...
> > filter = '(objectClass=group)'
> > ...
> > name_attribute = cn
> >
> > membership_filter =
> >
> "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >
> > membership_attribute = 'memberOf'
> > ...
> > }
> >
> > When I have tried to run radiusd -X, it has shown a error message about
> > bind tried to ldap server:
> >
> > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> > used
> > rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com
> to
> > ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
> > rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
> > rlm_ldap (ldap): Opening connection failed (0)
> > rlm_ldap (ldap): Removing connection pool
> > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> >
> > I've suspected about SASL due I haven't been notify that LDAP use
> STARTTLS
> > or SSL over TLS. Then I've commented identity and password and radiusd -X
> >
> > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> > used
> > rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> > rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> > SASL/GSSAPI authentication started
> > rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389
> > failed: Local error
> > rlm_ldap (ldap): Opening connection failed (0)
> > rlm_ldap (ldap): Removing connection pool
> > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> >
> > I run kinit Administrator before run the ldapsearch below and hasn't
> shown
> > any ERROR.
> >
> > Please, can someone help me about my problem?
> >
> > [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b
> > "ou=drc,dc=mydomain,dc=com" sAMAccountName
> > SASL/GSS-SPNEGO authentication started
> >
> > SASL username: Administrator at MYDOMAIN.COM
> >
> > SASL SSF: 256
> >
> > SASL data security layer installed.
> >
> > --
> > Igor Sousa
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list