Use Active Directory Group to authorize a users on Freeradius 3.0.x

L.P.H. van Belle belle at bazuin.nl
Mon Feb 24 09:00:19 CET 2020


Hai Igor, 

Samba messages: Strong(er) authentication required 

That's it. 

man smb.conf 
    ntlm auth (G) 

And set: ntlm auth = mschapv2-and-ntlmv2-only 
for the AD DCs and members where needed. 

bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
You need to set up a separate user to do these LDAP binds.

And last, did you set up certificates for the server and services?  
If not, I suggest you do that and use the LDAPS ports; MS is preparing for that too, so be ahead of it. 

See if the above is sufficient to fix it, but I'm sure this is your problem. 


Greetz, 

Louis
 

> -----Original message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Igor Sousa
> Sent: Saturday 22 February 2020 19:47
> To: FreeRadius users mailing list
> Subject: Re: Use Active Directory Group to authorize a users on Freeradius 3.0.x
> 
> I don't see any problem with the LDAP search bind. The DN
> cn=Administrator,cn=Users,dc=mydomain,dc=com, just as the name says, is
> the administrator user of mydomain.com and can search any other
> Organisational Unit of mydomain.com. All my users, except Administrator,
> are in ou=drc,dc=mydomain,dc=com. The Samba 4 domain works perfectly in
> Windows/Linux as in other systems my company has.
> 
> 
> When I have tried to run radiusd -X with identity set in the ldap module,
> radiusd -X has reported
> 
> rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.
> 
> 
> The employee who implemented the Samba DC at my company has notified me he
> hasn't set LDAP to run over SSL or STARTTLS. Because of that, I have tried
> to use SASL. It has worked fine when I have tried to run a simple search
> using ldapsearch after kinit like this
> 
> [root at centos8 ~]# kinit -a Administrator
> [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b
> "ou=drc,dc=mydomain,dc=com" sAMAccountName
> SASL/GSS-SPNEGO authentication started
> 
> SASL username: Administrator at MYDOMAIN.COM
> 
> SASL SSF: 256
> 
> SASL data security layer installed.
> 
> <all users on ou=drc was shown>
> 
> 
> But it hasn't worked with the freeradius ldap module.
> 
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> 
> 
> PS: I've used freeradius from the CentOS 8 repo, version 3.0.16, and the
> host centos8 is a domain member of mydomain.com.
> 
> --
> Igor Sousa
> 
> 
> On Sat, 22 Feb 2020 at 13:17, <uj2.hahn at posteo.de> wrote:
> 
> > > rlm_ldap (ldap): Bind with *cn=Administrator,cn=Users,dc=mydomain,dc=com*
> >
> > This doesn't match your ldap search binding:
> > > "ou=drc,dc=mydomain,dc=com"
> >
> > Maybe this is the issue? Please double check your ldap settings!
> > Regards
> > Uwe
> >
> > On 21.02.2020 23:40, Igor Sousa wrote:
> > > Hello everybody,
> > >
> > > I have had some problems authorizing users based on Active Directory
> > > (Samba 4 DCs) groups.
> > >
> > > I have followed
> > > http://deployingradius.com/documents/configuration/active_directory.html
> > > to configure ntlm_auth and it works perfectly.
> > >
> > > As I need to restrict access to some AD groups, I need to configure the
> > > ldap module. I've already configured the ldap module, but it has been pure
> > > OpenLDAP (uid stores the username and userPassword stores the password).
> > > Then, to set up the ldap module to access AD LDAP, I've read the comments
> > > in mods-available/ldap and I have set up "server", "identity", "password"
> > > and "base_dn" in mods-enabled/ldap. I have also set up
> > >
> > > to use the attribute that stores the username on AD
> > > user {
> > > ...
> > > filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> > > ...
> > > }
> > >
> > > and
> > >
> > > group {
> > > ...
> > > filter = '(objectClass=group)'
> > > ...
> > > name_attribute = cn
> > > membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> > > membership_attribute = 'memberOf'
> > > ...
> > > }
> > >
> > > When I have tried to run radiusd -X, it has shown an error message about
> > > the bind tried to the ldap server:
> > >
> > > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> > > rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> > > rlm_ldap (ldap): Waiting for bind result...
> > > rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
> > > rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
> > > rlm_ldap (ldap): Opening connection failed (0)
> > > rlm_ldap (ldap): Removing connection pool
> > > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> > >
> > > I've suspected SASL, because I haven't been notified that LDAP uses
> > > STARTTLS or SSL over TLS. Then I've commented out identity and password
> > > and run radiusd -X
> > >
> > > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> > > rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> > > rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> > > SASL/GSSAPI authentication started
> > > rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
> > > rlm_ldap (ldap): Opening connection failed (0)
> > > rlm_ldap (ldap): Removing connection pool
> > > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> > >
> > > I ran kinit Administrator before running the ldapsearch below and it
> > > hasn't shown any ERROR.
> > >
> > > Please, can someone help me with my problem?
> > >
> > > [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b
> > > "ou=drc,dc=mydomain,dc=com" sAMAccountName
> > > SASL/GSS-SPNEGO authentication started
> > >
> > > SASL username: Administrator at MYDOMAIN.COM
> > >
> > > SASL SSF: 256
> > >
> > > SASL data security layer installed.
> > >
> > > --
> > > Igor Sousa
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> 
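The set-up that Louis's reply points at, written out as an added example (this is not configuration from the thread, from Samba or from the FreeRADIUS project): the plaintext-LDAP simple bind that the debug output shows the DC rejecting, beside an rlm_ldap instance that binds over LDAPS with a dedicated read-only service account, the group check that the original question was after, and the smb.conf line from the reply. The "Strong(er) authentication required" / "BindSimple: Transport encryption required" rejection is what a Samba AD DC returns for a simple bind over an unencrypted connection while its `ldap server require strong auth` option is at the default of `yes`; keep that default and move the bind inside TLS rather than loosening it. The service account `svc-radius` and its OU, the CA bundle path, the group name `RADIUS-Users` and the placeholder password are assumptions; the user and group filters are the ones Igor posted.

```text
# --- /etc/raddb/mods-enabled/ldap, weak form (what the debug output above shows) ---
ldap {
        # Plaintext LDAP on 389 with a simple bind: the DC refuses it because the
        # bind password would cross the wire unencrypted.
        server = 'ldap://dc01.mydomain.com'
        port = 389
        identity = 'cn=Administrator,cn=Users,dc=mydomain,dc=com'
        password = '<domain admin password>'
        base_dn = 'dc=mydomain,dc=com'
}

# --- /etc/raddb/mods-enabled/ldap, corrected form ---
ldap {
        # LDAPS on 636: the simple bind now travels inside TLS.
        server = 'ldaps://dc01.mydomain.com'
        port = 636

        # Dedicated, unprivileged read-only account for the lookups
        # (assumed name and OU; do not use the domain Administrator for this).
        identity = 'cn=svc-radius,ou=ServiceAccounts,dc=mydomain,dc=com'
        password = '<service account password>'
        base_dn = 'dc=mydomain,dc=com'

        tls {
                # Assumed path to the CA that signed the DC's certificate.
                ca_file = /etc/raddb/certs/ad-ca.pem
                # 'demand': refuse a DC whose certificate does not verify.
                require_cert = 'demand'
                # Off for ldaps://; set to yes only with ldap:// plus STARTTLS.
                start_tls = no
        }

        user {
                base_dn = 'ou=drc,dc=mydomain,dc=com'
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = 'dc=mydomain,dc=com'
                filter = '(objectClass=group)'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberOf'
        }
}

# --- /etc/raddb/sites-enabled/default, authorize section (excerpt) ---
authorize {
        ...
        ldap
        # Only members of the assumed AD group get through; everyone else is rejected
        # before authentication runs.
        if (!(Ldap-Group == "RADIUS-Users")) {
                reject
        }
        ...
}

# --- /etc/samba/smb.conf on the AD DCs (and members where needed) ---
[global]
        # From the reply above: keep MS-CHAPv2 working for ntlm_auth while refusing NTLMv1.
        ntlm auth = mschapv2-and-ntlmv2-only
```

Run `radiusd -X` after the change: the connection line should now read `Connecting to ldaps://dc01.mydomain.com:636` and the bind should complete without the "Strong(er) authentication required" message. If `require_cert = 'demand'` makes the bind fail instead, the CA bundle does not cover the DC's certificate; fix the bundle rather than downgrading `require_cert`.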



